I'm setting up data scientists with AI Platform Notebook instances. For each one I set the "Access to JupyterLab" permission to "Single user only". By default the instance will have the permissions of the default GCE service account. I think that even the GCP Python client libraries used in a Jupyter notebook (e.g. the Python BigQuery library) are automatically set up with the default GCE service account - is this correct?
The permissions on my default Compute Engine service account are very broad. I would like to create a new service account with much more restricted permissions, e.g. only access to BigQuery, and only read/write to certain datasets. How can I set up or change the notebook instances to only have the permissions of this new service account? Is it possible? Also, I'd like to note whether or not I'm able to access the instance's shell, given the permission is set to "Single user only".
0
votes
1 Answer
0
votes
You should first create a custom service account with your desired permissions. If you want to grant permissions to specific datasets, you can do that from BigQuery by adding this particular service account to the dataset's access list.
Once your service account has all the permissions set, you can specify that service account when creating a notebook instance:
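The procedure in the answer above, written out as an added shell example (this is not the answerer's code and nothing here is copied from the page): create a service account with no project-level data access, grant it only the BigQuery job-running role plus read/write on one dataset, create the notebook instance bound to that account, and then check from inside the notebook which identity the metadata server actually reports. The project id, account name, dataset, instance name, zone and image family are placeholders I chose; substitute your own. `DRY_RUN=1` (the default) prints the commands instead of running them, so the script can be reviewed before it touches a project.

```shell
#!/bin/sh
# Added example: least-privilege service account for an AI Platform Notebook.
# All of these values are assumptions for illustration; override via the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
SA_NAME="${SA_NAME:-nb-bq-reader}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
DATASET="${DATASET:-analytics}"
INSTANCE="${INSTANCE:-ds-notebook}"
ZONE="${ZONE:-us-central1-a}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. A fresh service account starts with no roles at all, unlike the default
#    Compute Engine account, which is typically project Editor.
create_sa() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project "$PROJECT_ID" \
    --display-name "Notebook BigQuery reader"
}

# 2. roles/bigquery.jobUser (project level) only allows running query jobs;
#    it grants no access to any data. Data access is granted per dataset.
#    Assumes a bq version whose add-iam-policy-binding accepts a PROJECT:DATASET
#    resource; older versions require editing the dataset's access list with
#    "bq update --source" instead.
grant_bq() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role roles/bigquery.jobUser
  run bq add-iam-policy-binding \
    --member "serviceAccount:${SA_EMAIL}" \
    --role roles/bigquery.dataEditor \
    "${PROJECT_ID}:${DATASET}"
}

# 3. Bind the account at instance creation time; the VM (and every client
#    library inside it that uses Application Default Credentials) runs as it.
create_notebook() {
  run gcloud notebooks instances create "$INSTANCE" \
    --project "$PROJECT_ID" \
    --location "$ZONE" \
    --vm-image-project deeplearning-platform-release \
    --vm-image-family tf2-latest-cpu \
    --machine-type n1-standard-4 \
    --service-account "$SA_EMAIL"
}

# 4. Run this from a notebook terminal or a "!" cell to confirm which identity
#    the instance holds: the metadata server is the source of truth.
verify_from_notebook() {
  run curl -s -H "Metadata-Flavor: Google" \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email"
}

main() {
  create_sa
  grant_bq
  create_notebook
  verify_from_notebook
}

main "$@"
```

Run with `DRY_RUN=0 PROJECT_ID=<your-project> sh provision-notebook.sh` once the printed plan looks right. The verification step belongs inside the notebook itself: the email it returns is the identity every Google client library in that kernel will use, so if it still shows `<project-number>-compute@developer.gserviceaccount.com` the instance was not bound to the restricted account.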