You can share the assets or compute quota of your Earth Engine enabled project with other Earth Engine users at the project level. An Earth Engine enabled project has the Earth Engine API enabled and an assets folder as described on Set up your Earth Engine enabled Cloud Project page. Earth Engine assets or compute can be shared with another user or group of users. If you want to share with a group of users, Create a new Google Group and note its email (available from the About link on the group page). This page describes how to provide access to resources, for either an individual or group. See also the Roles and Permissions page for details on the specific set of permissions and roles required for different activities.
Earth Engine Service Usage
To use the Earth Engine API on a Cloud Project, the API must be enabled on the project (see
this
page for instructions), and the user must have at least the permissions in the
Earth Engine Resource Viewer role (learn more about
predefined
Earth Engine IAM Roles). Additionally, the user must have at least
serviceusage.services.use permission on the project. That permission
can be can be provided through the project Owner or Editor roles, or through the specific
Service
Usage Consumer role. The Code Editor will show an error if the user does not have
required Earth Engine permissions and Service Usage permissions on the selected project.
Assets
Asset level permissions
There are several options to update permissions at the asset level.
- Use the Assets Manager in the Code Editor.
- Use the Earth Engine command line.
- Use a client library, for example,
ee.data.setAssetAcl(). - Or call the REST API directly.
Project level asset permissions
Sharing at the project level sets permissions on all assets in your Earth Engine enabled Cloud Project at once.
You can share assets at the project level by assigning the appropriate Identity and Access Management (IAM) role on your project's IAM admin page. There are Predefined Earth Engine IAM Roles for sharing Earth Engine assets and resources. See Understanding Roles for a more general overview of IAM roles.
When another user attempts to access one of your assets, permissions are first checked at the asset level. If permissions have not been set at the asset level or the check fails (i.e. no access), permissions will be checked at the project level.
Setting project level permissions
To set permissions at the project level, assign a project IAM role to a user or group of users:
-
Open the IAM page in the Google Cloud console
Open the IAM Page
Or hold the pointer over your project name on the Assets tab of the Code Editor and click the icon. - Click select a project and choose your project (you should already be there if you opened the IAM page from the Code Editor).
- Click ADD at the top and add the individual or group email as the new member, or click the icon next to the existing member in the project.
- In the Role drop down search for the Earth Engine Resource role you want to grant. See Predefined Earth Engine IAM Roles for details.
- Click the SAVE button.
VPC Service Controls
Earth Engine supports VPC Service Controls, a Google Cloud security feature which helps users secure their resources and mitigate data exfiltration risk. Adding resources to a VPC service perimeter allow for more control over data read and write operations.
Learn more about VPC-SC features and configuration.
Limitations
Enabling VPC Service Controls for your resources comes with a few limitations, for which we provided example workarounds:
| Limitation | Example alternative |
|---|---|
| Code Editor is not supported and VPC Service Controls won't allow using it with resources and clients inside a service perimeter. |
Use
Earth Engine Python API together with
the geemap library.
|
| Legacy assets are not protected by VPC Service Controls. | Use assets stored in Cloud projects. |
| Export to Google Drive is not supported by VPC Service Controls. |
|
| Earth Engine Apps are not supported for resources and clients inside a service parimeter. | No workaround available. |
Using Earth Engine with resources inside a secured VPC service perimeter is only available for Professional and Premium pricing plans. Trying to use Earth Engine API with a VPC-SC secured project associated with a Basic pricing plan will result in an error. To learn more about Earth Engine pricing visit official documentation.
More information about VPC Service Controls and its limitations can be found in Supported products and limitations.