I have created a notebook instance in Google Cloud AI Platform.
I must be missing something super obvious, but could someone tell me how to give a user account permission to access to JupyterLab. I can access it myself in my google account but other users cannot, even with Compute Engine Admin set.
When the user clicks on "Open Jupyter Lab" on the instance, a 403 appears.
Thanks,
Currently, the only role accepted to access an AI Platform Notebook is the project Editor role; therefore, you must grant this role to the users who want to access your Jupyter Notebook.
Additionally, there is a Feature Request filed with the AI Platform team requesting more granular/restrictive permissions to access an AI Platform Notebook.
It seems like iam.serviceAccountUser in combination with compute.admin is sufficient now.
I was able to create a no permission service account and then use that to create a new AI Platform Notebook instance. Please ensure that [notebooks.googleapis.com] API is enabled on your project. Once the notebook is created , you can visit the JupyterLab URL. When you try to do any operation from the JupyterLab console, it gives error because the service account doesn't have any permission. You can now associate the required roles/permission to the service account that would be needed to perform your data science application like GCS Read/Write , BQ Read/Write etc.
If you want to share the URL with team member without they accessing the AI Platform Notebook Page, you can do so by associating "iam.serviceAccounts.actAs" permission to the service account.
