Manage access to an instance's JupyterLab interface

This page describes how to grant access to the JupyterLab interfaceof a Vertex AI Workbench instance.

You control access to a Vertex AI Workbench instance'sJupyterLab interface through the instance's access mode.You set a JupyterLab access mode when you createa Vertex AI Workbench instance.The access mode can't be changed after the notebook is created.

The JupyterLab access mode determines who can usethe instance's JupyterLab interface.The access mode also determines which credentials are used whenyour instance interacts with other Google Cloud services.

Access limitations

Granting a principal access toa Vertex AI Workbench instance's JupyterLab interfacedoesn't grant access to the instance itself. For example,to start, stop, or reset an instance, you must grant the principalaccess to perform those operations by setting anIAM policy on the instance.To grant access to the Vertex AI Workbench instance,seeManage access toa Vertex AI Workbench instance.

JupyterLab access modes

Vertex AI Workbench instances support thefollowing access modes:

  • Single user only: TheSingle user only access modegrants access only to the user that you specify.

  • Service account: TheService account access modegrants access to a service account. You can grant access to one or moreusers through this service account.

Note: To grant access to the instance through the single user option or the service account, you must use an individual's user account email address. Group access is not supported.

Single user only

When you create a Vertex AI Workbench instancewithSingle user only access, you specify a user account.The specified user account is the only user with access tothe JupyterLab interface. If the specified user is not the creator of theinstance, you must grant the specified user theService Account User role(roles/iam.serviceAccountUser) on the instance's service account. If theinstance needs to access other Google Cloud resources, thisservice accountmust also have access to those Google Cloud resources.

Note: When you create a Vertex AI Workbench instancewithSingle user only access, your instance completes the boot processusing the Compute Engine default service account.Your specified user account can access the instance after the boot processis finished.

Grant access to a single user

To grant access to a single user, complete the following steps.

  1. Createa Vertex AI Workbench instancewith the following specifications:

    1. In theCreate instance dialog, intheIAM and security section, select theSingle user only access mode.

    2. In theUser email field, enter the user account that you wantto grant access.

  2. Complete the rest of the dialog, and then clickCreate.

Service account

When you create a Vertex AI Workbench instancewithService account access, you specify a service account. Ifthe instance needs to accessother Google resources, this service account must have access to thoseGoogle resources also.

When you specify a service account,choose one of the following:

  • Select the Compute Engine default service account.
  • Specify a custom service account. The custom service account must bein the same project as your Vertex AI Workbench instance.To create the instance, you must havetheiam.serviceAccounts.actAs permission on the service account.

To grant access to users through a service account,you grant theiam.serviceAccounts.actAs permission onthe specified service account for each user who needsto access JupyterLab.

Grant access to multiple users through a service account

  1. Createa Vertex AI Workbench instancewith the following specifications:

    1. In theCreate instance dialog, intheIAM and security section, select theService account access mode.

    2. Choose the Compute Engine default service accountor acustomservice account.

      • To use the Compute Engine default service account,selectUse Compute Engine default service account.

      • To use a custom service account, clearUse Compute Engine default service account, and then,in theService account email field, enteryour custom service account email address.

  2. Complete the rest of the dialog, and then clickCreate.

  3. For each user who needs to access JupyterLab,grant theiam.serviceAccounts.actAs permission on yourservice account.

Access mode metadata

The access mode that you configure duringVertex AI Workbench instance creationis stored in the notebook metadata.

When you select theSingle user only access mode,Vertex AI Workbench stores a value forproxy-mode andproxy-user-mail.The following are examples of single user access metadata entries:

  • proxy-mode=mail
  • proxy-user-mail=user@example.com

When you select theService account access mode, Vertex AI Workbenchstores aproxy-mode=service_account metadata entry.

Caution: Changing the access mode metadata is not supported and can make theJupyterLab interface inaccessible.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.