Request for new functionality
Description
As the service account is not editable and AI Platform Notebooks uses the default service account (which has editor access) we weren't particularly interested in:
1) as reducing those permissions could cause problems elsewhere.
2) granting iam.serviceAccounts.actAs to the users.
We were also interested in what a user needs to create a new notebook themselves and to solve that we created a new custom role with:
- "compute.instances.create"
- "compute.instances.stop"
- "compute.instances.start"
- "compute.instances.delete"
- "compute.instances.list"
- "compute.instances.get"
- "compute.projects.get"
- "resourcemanager.projects.get"
and we noticed the VMs are started by the users themselves.
We would like to alter the service account of the AI Notebook service account. This will allow us to fine-tune access within the project; i.e. you can create a Read Only dataset or bucket for group 1 but group 2 can write to it.
The current setup actually enables the user to write to a dataset we had previously locked down to RO, and we're relying on them to not realize they can write to it/choose not to. There are some authorized views, which do add some protection.
Secondly, we would like to ask that the location is added to the main option page rather than the 'customise' page. For ease, many users will just set the name and go, resulting in compute engines spinning up in the US, which is against our policy.
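
An audit for the two conditions described in this request, as an added example that is not part of the original issue: it flags notebook VMs that run as the default Compute Engine service account while that account holds `roles/editor`, and VMs created in US zones. The project, instance and account names are constructed sample data shaped like the JSON output of `gcloud projects get-iam-policy` and `gcloud compute instances list`, and the `us-` zone rule is an assumption based on the policy mentioned above.

```python
import json

# Constructed sample data, shaped like the output of
# `gcloud projects get-iam-policy PROJECT --format=json` and
# `gcloud compute instances list --format=json`.
IAM_POLICY = json.loads("""{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
  {"role": "roles/bigquery.dataViewer",
   "members": ["group:group1@example.com",
               "serviceAccount:nb-readonly@example-project.iam.gserviceaccount.com"]}
]}""")
INSTANCES = json.loads("""[
  {"name": "nb-alice",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-west1-b",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com"}]},
  {"name": "nb-bob",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west2-a",
   "serviceAccounts": [{"email": "nb-readonly@example-project.iam.gserviceaccount.com"}]}
]""")

DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"
BROAD_ROLES = {"roles/editor"}
DISALLOWED_ZONE_PREFIXES = ("us-",)  # assumption: policy forbids US zones


def roles_of(policy, email):
    """Return the project-level roles bound directly to a service account."""
    member = "serviceAccount:" + email
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, instances):
    """Return (instance, finding, detail) tuples for each policy violation."""
    findings = []
    for inst in instances:
        zone = inst["zone"].rsplit("/", 1)[-1]  # zone is a full resource URL
        if zone.startswith(DISALLOWED_ZONE_PREFIXES):
            findings.append((inst["name"], "zone", zone))
        for sa in inst.get("serviceAccounts", []):
            broad = roles_of(policy, sa["email"]) & BROAD_ROLES
            if sa["email"].endswith(DEFAULT_SA_SUFFIX) and broad:
                findings.append((inst["name"], "default-sa", ",".join(sorted(broad))))
    return findings


if __name__ == "__main__":
    for finding in audit(IAM_POLICY, INSTANCES):
        print(*finding)
```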