Tags: google-cloud-platform, google-cloud-vertex-ai

What IAM permission is required to use Vertex AI's CachedContent resource?


I'm trying to restrict permission to only have access to use the context cache.

When I look at the API/code documentation I see perms for some calls like this: [screenshot of the API reference]

That tells me the UpdateCacheConfig call requires the aiplatform.cacheConfigs.update permission.

But annoyingly everything under GenAiCacheService says nothing about what IAM perms are required to make the API requests: [screenshot of the API reference]

What permissions are relevant here for GenAiCacheService access?

Edit

Have not confirmed it works yet, but I was able to create a custom role with the following, undocumented perms and bind to project: ["aiplatform.cachedContents.create", "aiplatform.cachedContents.update", "aiplatform.cachedContents.delete"]

If it works I'll update as answer.


Solution

  • Well, despite it being undocumented, these perms are valid and I was able to create a custom role.

    Working Terraform code for illustrative purposes:

    # Org-level custom role; the org ID is elided here.
    resource "google_organization_iam_custom_role" "vertex_cache_access" {
      org_id      = "xxx"
      role_id     = "myrole"
      title       = "My Role"
      description = "Context cache access. See: https://cloud.google.com/vertex-ai/generative-ai/docs/context-cache/context-cache-overview"
      # Undocumented but accepted permissions for the CachedContent resource.
      permissions = ["aiplatform.cachedContents.create", "aiplatform.cachedContents.update", "aiplatform.cachedContents.delete"]
    }
    

    I created this role, applied it to a project binding and confirmed it allowed a gsa to CRUD the cache.
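A least-privilege variant of the same setup, added here as an example and not taken from the answer above: the custom role is created at project level rather than organization level, and it is granted to a single service account with a non-authoritative member binding instead of being bound to the whole project. The project ID variable, the role ID `vertexCacheAccess` and the service account name `vertex-cache-client` are assumptions; the permission list is exactly the three the answer confirmed.

```hcl
# Added example (not the answer's own code). Assumed: var.project_id,
# role_id "vertexCacheAccess", service account "vertex-cache-client".

variable "project_id" {
  type        = string
  description = "Project that hosts the Vertex AI context cache (assumed)."
}

# Only the three cachedContents permissions confirmed in the answer above.
locals {
  cache_permissions = [
    "aiplatform.cachedContents.create",
    "aiplatform.cachedContents.update",
    "aiplatform.cachedContents.delete",
  ]
}

# Project-level custom role: needs only project IAM admin rights to create,
# unlike google_organization_iam_custom_role, and cannot leak into other projects.
resource "google_project_iam_custom_role" "vertex_cache_access" {
  project     = var.project_id
  role_id     = "vertexCacheAccess"
  title       = "Vertex AI context cache access"
  description = "Create, update and delete CachedContent resources only. See: https://cloud.google.com/vertex-ai/generative-ai/docs/context-cache/context-cache-overview"
  permissions = local.cache_permissions
}

# The workload identity that will manage the cache (assumed name).
resource "google_service_account" "cache_client" {
  project      = var.project_id
  account_id   = "vertex-cache-client"
  display_name = "Workload that manages Vertex AI context caches"
}

# Non-authoritative binding: grants the custom role to this one principal
# without replacing any other members that hold the same role.
resource "google_project_iam_member" "cache_client_binding" {
  project = var.project_id
  role    = google_project_iam_custom_role.vertex_cache_access.name
  member  = "serviceAccount:${google_service_account.cache_client.email}"
}
```

Before running `terraform apply`, `gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/PROJECT_ID --filter="name:aiplatform.cachedContents"` shows whether the project accepts these permission names in a custom role, which is the quickest way to confirm an undocumented permission is real. After apply, `gcloud iam roles describe vertexCacheAccess --project=PROJECT_ID` shows the role and its stage. Note that these permissions cover managing CachedContent resources only; whatever permission the model-invocation call that consumes the cache needs is separate and not covered by this thread.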