What IAM permission is required to use Vertex AI's CachedContent resource?
I'm trying to restrict permission to only have access to use the context cache.
When I look at the API/code documentation I see perms for some calls like this:
That tells me UpdateCacheConfig calls requires the aiplatform.cacheConfigs.update permission.
But annoyingly everything under GenAiCacheService says nothing about what IAM perms are required to make the API requests:
What permissions are relevant here for GenAiCacheService access?
Edit
Have not confirmed it works yet, but I was able to create a custom role with the following, undocumented perms and bind to project: ["aiplatform.cachedContents.create", "aiplatform.cachedContents.update", "aiplatform.cachedContents.delete"]
If it works I'll update as answer.
Well despite it being undocumented these perms are valid and I was able to create a custom role.
Working terraform code for illustrative purposes:
resource "google_organization_iam_custom_role" "vertex_cache_access" {
org_id = "xxx"
role_id = "myrole"
title = "My Role"
description = "Context cache access. See: https://cloud.google.com/vertex-ai/generative-ai/docs/context-cache/context-cache-overview"
permissions = ["aiplatform.cachedContents.create", "aiplatform.cachedContents.update", "aiplatform.cachedContents.delete"]
}
I created this role, applied it to a project binding and confirmed it allowed a gsa to CRUD the cache.
- oauth 2 parameters can only have a single value: scope
- Correct use of gcloud --sort-by combined with --limit
- App attestation failed with Firebase App check in release on Android
- Why doesn't the offline cloud firestore documentation have code for offline query indexes for flutter?
- _CHANGE_TYPE not working when streaming Google Big Query rows from Pub/Sub
- Migrating from legacy Google FCM to HTTP v1 for push notifications
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Can we update a field due to its value without reading it in firebase?
- Use process.env variables inside next.config.js
- What is the best practice for decoding Firestore documents in a listener for Swift 5?
- How to install Google Cloud SDK app-engine-python on Debian 12?
- Bigquery service account restricted to a dataset
- Gcloud Pub/Sub: Total timeout of API google.pubsub.v1.Publisher exceeded 60000 milliseconds before any response was received
- Keep getting the error Google Sign-In Error: PlatformException(sign_in_failed, com.google.android.gms.common.api.ApiException: 10: , null, null)
- Error 400 invalid JSON Payload Unknown name generationConfig on an AI API Curl command
- How to access cloud run environment variables in Dockerfile
- Error 400: Invalid JSON payload received when calling Google Generative Language API
- GCP Bucket Permissions by Prefix
- database connection URI string for GCP cloudsql postgres database?
- Who control Google Cloud platform filtering?
- gcloud cli command create eventarc errors
- Is there a way to block HTTP on GCP AppEngine
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- How to change the source GitHub repository for a deployed project on Google Cloud Run?
- Not able to access Nexus console on my Ubuntu VM instance in GCP
- VertexAI Tabular AutoML rejecting rows containing nulls
- How to access Google Cloud Speech-to-text v2 API through HTTP/REST
- Importing a Model with Scikit Learn on Vertex
- Is there a simple way to host a JSON document you can read and update in Google Cloud Platform?
- how can I get my gcloud user creds into a container securely and use them to impersonate a service account when testing locally?