fix: use aiplatform.user role for agent identity IAM permissions (#727)

eliasecchig · web-flow · commit 890b7dcd2a15 · 2026-01-21T23:15:53.000+01:00
Update agent identity setup to grant roles/aiplatform.user instead of
roles/aiplatform.expressUser. The user role provides broader access to
Vertex AI services including model prediction capabilities, while
expressUser is limited to simplified Express Mode features with API keys.
diff --git a/agent_starter_pack/deployment_targets/agent_engine/python/{{cookiecutter.agent_directory}}/app_utils/deploy.py b/agent_starter_pack/deployment_targets/agent_engine/python/{{cookiecutter.agent_directory}}/app_utils/deploy.py
@@ -148,7 +148,7 @@ def setup_agent_identity(client: Any, project: str, display_name: str) -> Any:
     )
 
     roles = [
-        "roles/aiplatform.expressUser",
+        "roles/aiplatform.user",
         "roles/serviceusage.serviceUsageConsumer",
         "roles/browser",
         "roles/cloudapiregistry.viewer",

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ def setup_agent_identity(client: Any, project: str, display_name: str) -> Any:`
`148`	`148`	`)`
`149`	`149`
`150`	`150`	`roles = [`
`151`		`- "roles/aiplatform.expressUser",`
	`151`	`+ "roles/aiplatform.user",`
`152`	`152`	`"roles/serviceusage.serviceUsageConsumer",`
`153`	`153`	`"roles/browser",`
`154`	`154`	`"roles/cloudapiregistry.viewer",`