On our platform (GCP) we do not use external IPs and our users connect to their notebooks using ssh from their local machine. We want to disable the "Open JupyterLab" button found in the GCP console. From my understanding this service works with the use of the Inverting Proxy Server & Inverting Proxy Agent (see here).
There seems to be an option to pass no_proxy_access as true when creating a workbench (see here), but our users create the workbench themselves.
Is there a configuration we can place at a higher level to disable the proxy on all workbenches, and what IAM permissions are needed to access the proxy?
The "Open JupyterLab" button is enabled when the user configures Proxy access, and this option shows up in the Google Cloud Console when there is a valid "proxy-url" metadata key in the Notebook instance (GCE metadata).
In User Managed Notebooks anybody accessing Notebook via Proxy URL requires Service Account User role (ActAs permission) over the Service Account attached to the VM.
In Google Cloud GCE VM SSH access can be controlled by:
OS Login
Manual SSH Keys
https://cloud.google.com/compute/docs/instances/ssh
OS login is enabled by default for Notebooks and requires the Service Account User role over the VM.
https://cloud.google.com/compute/docs/instances/access-overview
If you want to disable OS login, you need to overwrite the values:
enable-oslogin: False
block-project-ssh-keys: False
In summary:
You need Service Account User to access Proxy URL or SSH. If you remove this role/permission you lose access to both: "Open Jupyter Lab" and SSH.
You can remove the Service Account User role for the VM and have users use Manual SSH Keys.
You can try to use post-startup-script and remove the proxy-url metadata value automatically; this will disable the Open Jupyter Lab button.
post_startup_script:
https://cloud.google.com/vertex-ai/docs/workbench/reference/rpc/google.cloud.notebooks.v1#google.cloud.notebooks.v1.Instance
In summary, looks like there is no specific feature to control this option.
Have you tried blocking by DNS name? *.notebooks.googleusercontent.com domains
In the future, custom Org Policies may be a good fit; there is a new feature (that we are not integrated with yet) for custom Org policies.
https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services
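
Since there is no central switch, one way to see which notebooks still expose the button is to audit instance metadata. The script below is an added example, not part of the original answer and not Google's code: it reads instance records in the shape produced by `gcloud compute instances list --format=json`, flags every instance that carries a non-empty proxy-url key, and reports the OS Login related keys and attached service accounts next to it. Instance names, the project, the service account and the proxy URL value are constructed sample data.

```python
import json
import sys

WATCHED_KEYS = ("proxy-url", "enable-oslogin", "block-project-ssh-keys")


def instance_metadata(instance):
    """Flatten the GCE metadata 'items' list into a plain dict."""
    items = instance.get("metadata", {}).get("items", [])
    return {item["key"]: item.get("value", "") for item in items}


def audit(instances):
    """Return one finding per instance that still has a non-empty proxy-url."""
    findings = []
    for inst in instances:
        meta = instance_metadata(inst)
        if not meta.get("proxy-url"):
            continue  # per the answer above, no valid proxy-url means no button
        zone = inst.get("zone", "").rsplit("/", 1)[-1]  # zone is returned as a URL
        findings.append({
            "name": inst["name"],
            "zone": zone,
            "service_accounts": [sa["email"] for sa in inst.get("serviceAccounts", [])],
            "metadata": {k: meta.get(k) for k in WATCHED_KEYS},
            "remediation": "gcloud compute instances remove-metadata "
                           f"{inst['name']} --zone {zone} --keys proxy-url",
        })
    return findings


# Constructed sample in the shape of `gcloud compute instances list --format=json`.
SAMPLE = [
    {"name": "nb-alice",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
     "serviceAccounts": [{"email": "nb-sa@example-project.iam.gserviceaccount.com"}],
     "metadata": {"items": [
         {"key": "proxy-url", "value": "constructed-id-dot-us-central1.notebooks.googleusercontent.com"},
         {"key": "enable-oslogin", "value": "TRUE"}]}},
    {"name": "nb-bob",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
     "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
]

if __name__ == "__main__":
    # Pass a file holding the gcloud JSON output, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit(data):
        print(json.dumps(finding, indent=2))
```

The remediation command is only printed, never executed. The listed service accounts are the ones whose Service Account User bindings decide who can reach the proxy URL, as described in the answer.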