I'm trying to restrict permission to only have access to use the context cache.
When I look at the API/code documentation I see perms for some calls like this:
That tells me UpdateCacheConfig calls require the aiplatform.cacheConfigs.update permission.
But annoyingly everything under GenAiCacheService says nothing about what IAM perms are required to make the API requests:
What permissions are relevant here for GenAiCacheService access?
Have not confirmed it works yet, but I was able to create a custom role with the following, undocumented perms and bind to project: ["aiplatform.cachedContents.create", "aiplatform.cachedContents.update", "aiplatform.cachedContents.delete"]
If it works I'll update as answer.
Well despite it being undocumented these perms are valid and I was able to create a custom role.
Working Terraform code for illustrative purposes:

resource "google_organization_iam_custom_role" "vertex_cache_access" {
  org_id      = "xxx"
  role_id     = "myrole"
  title       = "My Role"
  description = "Context cache access. See: https://cloud.google.com/vertex-ai/generative-ai/docs/context-cache/context-cache-overview"
  permissions = [
    "aiplatform.cachedContents.create",
    "aiplatform.cachedContents.update",
    "aiplatform.cachedContents.delete",
  ]
}
I created this role, applied it to a project binding and confirmed it allowed a gsa to CRUD the cache.
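A defender-side check for a role like the one in the answer, as an added example that is not part of the answer or of any Google tooling: it parses the `permissions` list out of a `google_organization_iam_custom_role` / `google_project_iam_custom_role` block and reports anything granted beyond the three `aiplatform.cachedContents.*` permissions the answer found sufficient, so a later "helpful" widening of the role shows up in review. The HCL samples are constructed (the `org_id` is a placeholder), the `WIDENED_HCL` drift is invented for the demonstration, and the regex parser only handles the flat attribute style shown in the answer.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the answer's Terraform; org_id is an obvious placeholder.
ROLE_HCL = '''
resource "google_organization_iam_custom_role" "vertex_cache_access" {
  org_id      = "ORG_ID_PLACEHOLDER"
  role_id     = "myrole"
  title       = "My Role"
  description = "Context cache access."
  permissions = [
    "aiplatform.cachedContents.create",
    "aiplatform.cachedContents.update",
    "aiplatform.cachedContents.delete",
  ]
}
'''

# Constructed drift: the same role after an out-of-scope permission slipped in.
WIDENED_HCL = ROLE_HCL.replace(
    '"aiplatform.cachedContents.delete",',
    '"aiplatform.cachedContents.delete",\n    "resourcemanager.projects.setIamPolicy",',
)

# The permissions the answer reports as sufficient for context-cache access.
EXPECTED: Set[str] = {
    "aiplatform.cachedContents.create",
    "aiplatform.cachedContents.update",
    "aiplatform.cachedContents.delete",
}

_BLOCK_RE = re.compile(
    r'resource\s+"(google_(?:organization|project)_iam_custom_role)"\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.S,
)
_PERMS_RE = re.compile(r'permissions\s*=\s*\[(.*?)\]', re.S)
_ROLE_ID_RE = re.compile(r'role_id\s*=\s*"([^"]+)"')
_STRING_RE = re.compile(r'"([^"]+)"')


def lint_custom_roles(hcl: str, expected: Set[str]) -> List[Dict]:
    """Return one report per custom-role resource found in the HCL text.

    Deliberately minimal: a regex over each resource block is enough for the
    flat attribute style in the answer; interpolation and nested blocks are
    not handled.
    """
    reports = []
    for res_type, res_name, body in _BLOCK_RE.findall(hcl):
        perms_match = _PERMS_RE.search(body)
        granted = set(_STRING_RE.findall(perms_match.group(1))) if perms_match else set()
        role_id_match = _ROLE_ID_RE.search(body)
        reports.append({
            "resource": f"{res_type}.{res_name}",
            "role_id": role_id_match.group(1) if role_id_match else None,
            # Where the role definition lives; the binding scope is a separate resource.
            "scope": "organization" if res_type.startswith("google_organization") else "project",
            "extra": granted - expected,    # granted but not needed for the cache
            "missing": expected - granted,  # needed for the cache but absent
        })
    return reports


def is_least_privilege(report: Dict) -> bool:
    """True when the role grants exactly the expected set, nothing more or less."""
    return not report["extra"] and not report["missing"]


if __name__ == "__main__":
    for text in (ROLE_HCL, WIDENED_HCL):
        for r in lint_custom_roles(text, EXPECTED):
            status = "OK" if is_least_privilege(r) else "REVIEW"
            print(f"{status} {r['resource']} ({r['scope']}-level) "
                  f"extra={sorted(r['extra'])} missing={sorted(r['missing'])}")
```

Run it against the `.tf` file in CI before `terraform apply`; the first sample passes, the widened one is flagged because `resourcemanager.projects.setIamPolicy` is not in the expected set. The `scope` field only records where the role is defined (the answer defines it at organization level and binds it at project level); the binding itself lives in a separate `google_project_iam_*` resource and is not checked here.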