Quick Answer
Error 1152 is a strict Identity and Access Management (IAM) rejection. It occurs when the authenticated service account or user identity attempts to execute a Gemini model inference without the required Vertex AI User role. Resolve this by navigating to your GCP IAM & Admin dashboard and assigning the roles/aiplatform.user role to the executing identity.
Security perimeters are vital for cloud-based AI infrastructure. When you encounter Error 1152, the system has successfully identified who you are but determined that you are not on the guest list for the specific action requested. Unlike Error 1100, which often deals with quotas or API key expiration, Error 1152 is purely about Role-Based Access Control (RBAC).
Core Mechanics of Error 1152
Enterprise AI deployments isolate resources to prevent lateral movement in the event of a breach. If a developer provisions a new service account for a web application but forgets to grant it AI platform access, the API gateway will immediately return code 1152 upon the first prompt request.
- Missing Roles: The identity is missing roles/aiplatform.user or a custom role with equivalent endpoint permissions.
- Cross-Project Boundaries: The identity resides in Project A, but is attempting to invoke a Gemini endpoint hosted in Project B without cross-project IAM bindings.
- VPC Service Controls: Network perimeters are blocking the identity from accessing the API, even if IAM roles are technically correct.
Step-by-Step IAM Remediation
To safely restore access without violating the principle of least privilege, follow these structured deployment commands or UI steps.
| Environment | Action Required | Target Outcome |
|---|---|---|
| GCP Console UI | Go to IAM > Edit Principal > Add “Vertex AI User” | Immediate UI access granted. |
| gcloud CLI | gcloud projects add-iam-policy-binding… | Programmatic policy update. |
| Terraform | Add google_project_iam_member resource | Infrastructure as Code alignment. |
Architectural Best Practices
Do not attempt to fix Error 1152 by assigning Owner or Editor roles to your service account. This expands the attack surface unnecessarily. Always use predefined AI roles. If your application starts encountering throttling after fixing the permissions, refer to our Error 1153 documentation to optimize payload throughput.
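The remediation table and the least-privilege advice above can be turned into a repeatable check. The following is an added example, not code from the original page: it assumes the project IAM policy was exported with `gcloud projects get-iam-policy PROJECT --format=json`, tests whether a principal holds roles/aiplatform.user, flags Owner/Editor bindings on that principal, and produces the exact binding command to run. The project ID and principal names are constructed placeholders.

```python
"""Added example: check one principal's Vertex AI access in a GCP IAM policy.
Assumes the policy JSON came from `gcloud projects get-iam-policy PROJECT --format=json`."""
import json

REQUIRED_ROLE = "roles/aiplatform.user"        # the role the page prescribes
BROAD_ROLES = {"roles/owner", "roles/editor"}   # roles the page says not to use as a fix

def roles_for(policy: dict, member: str) -> set:
    """Roles bound directly to `member`; group membership and conditional bindings are skipped."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}

def diagnose(policy: dict, member: str) -> dict:
    """Does the principal hold the required role, and does it carry a broad role it should not?"""
    roles = roles_for(policy, member)
    return {"has_required_role": REQUIRED_ROLE in roles,
            "over_privileged": sorted(roles & BROAD_ROLES)}

def with_binding(policy: dict, member: str, role: str = REQUIRED_ROLE) -> dict:
    """Pure model of what `add-iam-policy-binding` does: append member to the role's binding."""
    new = json.loads(json.dumps(policy))          # deep copy; caller's policy stays untouched
    for b in new.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def remediation_command(project: str, member: str) -> str:
    """Least-privilege fix: bind only roles/aiplatform.user, on the project hosting the endpoint."""
    return (f"gcloud projects add-iam-policy-binding {project} "
            f'--member="{member}" --role="{REQUIRED_ROLE}"')

# Constructed sample policy in gcloud's JSON shape; project and principals are placeholders.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/viewer", "members": ["serviceAccount:webapp@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["user:admin@example.com"]}
  ],
  "etag": "PLACEHOLDER", "version": 1
}""")

if __name__ == "__main__":
    sa = "serviceAccount:webapp@example-project.iam.gserviceaccount.com"
    report = diagnose(SAMPLE_POLICY, sa)
    print(report, remediation_command("example-project", sa) if not report["has_required_role"] else "")
```

For a cross-project setup (cause 2 above), run the check against the policy of the project that hosts the Gemini endpoint, not the project that owns the service account.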
TL;DR
Error 1152 is an IAM authorization failure. Ensure that the service account or API key executing the Gemini request possesses the specific Vertex AI User role within the target Google Cloud project to clear this access restriction.