Gen AI module - roles and api

[speralta-burwood]

Is your feature request related to a problem? Please describe.
I am trying to deploy the RADLAB Gen AI module. I have to add additional roles in order to follow the demo : https://github.com/GoogleCloudPlatform/generative-ai/tree/main/gen-app-builder/search-web-app. I also need to enable additional api's

Describe the solution you'd like
A clear and concise description of what you want to happen.

Can we have additional roles to the notebook roles? or maybe add a variable that can concat and add these roles.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Related feature requests
n/a

Priority
N/a

Labels
n/a

[github-actions]

Thank you for raising the request! RAD Lab admins have been notified.

[guptamukul-google]

@Mona19 can you please review this ?

[speralta-burwood]

Hello, I was trying to follow the Gen AI – app builder repository directions: https://github.com/GoogleCloudPlatform/generative-ai/tree/main/gen-app-builder. Specifically this demo: https://github.com/GoogleCloudPlatform/generative-ai/tree/main/gen-app-builder/search-web-app I may be doing it wrong, because it would still require me to sign up for the trusted tester program when trying to enable Gen App AI. Currently trying to explore the module and what is deployed in it. It seems similar to the Data Science module, except the git repository being cloned is with Gen AI. Best, Sean Peralta BASEcamp Associate ***@***.*** From: Mukul Gupta ***@***.***> Sent: Friday, August 18, 2023 11:45 AM To: GoogleCloudPlatform/rad-lab ***@***.***> Cc: Sean Peralta ***@***.***>; Author ***@***.***> Subject: Re: [GoogleCloudPlatform/rad-lab] Gen AI module - roles and api (Issue #166) Hello Sean! Thank you for reaching out. Regarding roles, following the principle of least privilege we have provided roles/notebooks.admin role to all the trusted_users and trusted_group in iam.tf<https://github.com/GoogleCloudPlatform/rad-lab/blob/f2c196d8c031ce44ffb81ea5e691b670ba43a217/modules/gen_ai/iam.tf#L18> and when they connect the Workbench jupyter notebook configured as part of the module they automatically get below roles which iare configured to the ServiceAccount, associated to the Workbench notebook: "roles/compute.instanceAdmin" "roles/notebooks.admin" "roles/bigquery.user" "roles/storage.admin" "roles/iam.serviceAccountUser" "roles/serviceusage.serviceUsageConsumer" "roles/aiplatform.user" This means that the trusted_users or trusted_groups have IAM permissions to connect to GenAI apis when coming form the Workbench notebook where the Workbench SA<https://github.com/GoogleCloudPlatform/rad-lab/blob/f2c196d8c031ce44ffb81ea5e691b670ba43a217/modules/gen_ai/main.tf#L161> is connected. Above mentioned is the current expected behaviour. Can you please share what were you expecting to see or have ? Regarding apis, we are enabling below apis which are required to play around the notebooks which come as part of the Google Cloud Generative AI<https://github.com/GoogleCloudPlatform/generative-ai> repository. "aiplatform.googleapis.com", "artifactregistry.googleapis.com", "bigquery.googleapis.com", "bigquerymigration.googleapis.com", "bigquerystorage.googleapis.com", "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "dataflow.googleapis.com", "deploymentmanager.googleapis.com", "logging.googleapis.com", "notebooks.googleapis.com", "visionai.googleapis.com" Can you please share what part of the product where you working on and what APIs did you enable for the same ? === CC: @Mona19<https://github.com/Mona19> — Reply to this email directly, view it on GitHub<#166 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A26N4IPMZ5YGTCLJOUGXSSTXV6LZFANCNFSM6AAAAAA3VVRXOA>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>

[Mona19]

Gen app search is not yet available without Sign Up today. I would request you to wait till the product goes GA.

[speralta-burwood]

Hello, the Product is now GA. Are you able to activate the proper api's and grant the proper permissions for the service: Search and Conversation?

[speralta-burwood]

Also, Service Usage API needs to be enabled as I am getting an error on one of the gen ai notebookjs. Or have the service account permission to enable the API

[speralta-burwood]

Looking for an update.

1. can we enable serviceusage api and assign the notebook-sa the service usage admin role?
2. enable discovery engine api and assign the notebook-sa discovery engine admin role?

The notebooks in the git repo need these to function.