PHACDataHub / sci-portal


Add required permissions to access the JupyterLab notebooks for the Rad Lab modules #439

Closed seanpoulter-foci closed 4 weeks ago

seanpoulter-foci commented 1 month ago

Outcome

We should be able to provide an end-to-end demo of the Rad Lab modules, and open the notebook without errors.

Problem

We can create instances of the Rad Lab module templates 🎉


These Entities have links to View Managed Notebooks on Google Cloud.


If we follow the link we'll be able to open the JupyterLab notebook:


This results in a permissions error:


Technical Notes

The docs for the Data Science and GenAI Rad Lab modules state:

When deploying in an existing project, ensure the identity has the following permissions on the project:

  • roles/compute.admin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.serviceAccountAdmin
  • roles/storage.admin
  • roles/notebooks.admin

blastdan commented 1 month ago

The rad-lab module provides the rights required to anyone in the trusted_users or trusted_groups.

resource "google_project_iam_member" "role_notebooks_admin" {
  for_each = toset(concat(formatlist("user:%s", var.trusted_users), formatlist("group:%s", var.trusted_groups)))
  project  = local.project.project_id
  member   = each.value
  role     = "roles/notebooks.admin"
}

local.project.project_id will be the project_prefix when create_project is set to false.

project = (var.create_project
    ? try(module.project_radlab_ds_analytics.0, null)
    : try(data.google_project.existing_project.0, null)
  )

All that needs to be done is to set the trusted_users in the composition. I think this can be done with a varmap.

varmap:
  account:
    region: us-west-1
    owners:
      - example-owner-1
      - example-owner-2

So we don't have to fight with the transformations.
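Added example for this thread (not code from sci-portal or the rad-lab module): a check that mirrors the module's member expression above and reports which trusted principals are still missing roles/notebooks.admin in a project's IAM policy, i.e. the identities that would hit the permissions error when opening the notebook. It assumes the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json`; the policy, users and groups in it are constructed sample data.

```python
"""Check which trusted principals still lack roles/notebooks.admin in a project IAM policy.

Added example for this issue, not code from sci-portal or the rad-lab module. It assumes
the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json`;
the policy, users and groups below are constructed sample data.
"""
import json

NOTEBOOKS_ADMIN = "roles/notebooks.admin"


def expected_members(trusted_users, trusted_groups):
    """Mirror the module's toset(concat(formatlist("user:%s", ...), formatlist("group:%s", ...)))."""
    return {f"user:{u}" for u in trusted_users} | {f"group:{g}" for g in trusted_groups}


def members_with_role(policy, role):
    """Collect every member bound to `role`; a role can appear in more than one binding."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found


def missing_notebook_admins(policy, trusted_users, trusted_groups):
    """Trusted principals without roles/notebooks.admin: these are the identities that
    hit the permissions error when they follow the "View Managed Notebooks" link."""
    return sorted(expected_members(trusted_users, trusted_groups)
                  - members_with_role(policy, NOTEBOOKS_ADMIN))


# Constructed sample policy: only one of the two trusted users has the role so far.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/notebooks.admin", "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXexample",
  "version": 1
}
""")

if __name__ == "__main__":
    for member in missing_notebook_admins(SAMPLE_POLICY,
                                          ["alice@example.com", "bob@example.com"],
                                          ["data-science@example.com"]):
        print(f"missing {NOTEBOOKS_ADMIN}: {member}")
```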

blastdan commented 1 month ago

Here is the link to the roles/notebooks.admin permissions:

https://cloud.google.com/iam/docs/understanding-roles#ai-notebooks-roles

seanpoulter-foci commented 1 month ago

Thanks Dan. Setting the trusted_users in the Workspace manifest from k9s resolves the error.
