---
title: Google Vertex AI
description: Configure the Advanced Identity Cloud Google Vertex AI application template to discover and govern AI agents hosted in Google Vertex AI
component: pingoneaic
page_id: pingoneaic:app-management:applications-agent-governance/google-vertex-ai
canonical_url: https://docs.pingidentity.com/pingoneaic/app-management/applications-agent-governance/google-vertex-ai.html
llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  prerequisites-aic: Prerequisites in Advanced Identity Cloud
  prerequisites-google-vertex-ai: Prerequisites in Google Vertex AI
  register-the-application: Register the application
  configure-the-provisioner: Configure the provisioner
  configure-provisioning-and-reconciliation-resources: Configure provisioning and reconciliation resources
---

# Google Vertex AI

The Google Vertex AI application automatically discovers the AI agents you created in Google Dialogflow CX and Vertex AI Agent Engine. Once discovered, the platform gives you complete visibility into their core components:

* **Capabilities:** Associated tools, knowledge bases, and guardrails.

* **Security and access:** Execution credentials and IAM-based identity bindings.

The application combines identity creation and governance using separate reconciliation processes. A reconciliation on the Account provisioner object type creates and updates agent identities, and a reconciliation on the Agent Tool provisioner object type updates agent tools and entitlements.

## Prerequisites in Advanced Identity Cloud

Before using the Google Vertex AI application, ensure you've taken these actions:

* Purchased the Agent Governance add-on capability for Advanced Identity Cloud.

* Modified the user managed object with a `custom_iga_identity_type` property in the Alpha realm. Learn more in [Create the identity type](../../identity-governance/administration/iga-agent-governance.html#create-the-identity-type).

* Obtained the Google Vertex AI connector JAR file. This isn't available to download from Backstage yet, but is available from your Ping Identity representative.

## Prerequisites in Google Vertex AI

Before you can use the application, you must configure a Google Cloud service account with the appropriate IAM roles. You need a Google Cloud subscription to complete this procedure:

1. Sign on to the Google Cloud console as an administrative user.

2. Navigate to IAM & Admin > Service Accounts and create a new service account (or choose an existing principal) to act as the connector identity.

3. Grant the service account the following standard IAM roles at the project level to enable resource discovery:

   * **Dialogflow Reader** (`roles/dialogflow.reader`)

   * **Vertex AI Viewer** (`roles/aiplatform.viewer`)

4. (Optional) If your environment requires organization-wide asset discovery, ensure the service account principal is also granted the following specific permission:

   * `cloudasset.assets.searchAllResources`

5. Configure your chosen authentication method to capture the runtime credentials:

   * **For Workload Identity**: Bind the Google Cloud service account to your local environment infrastructure or Kubernetes service account.

   * **For Explicit Keys**: Select the service account, navigate to the Keys tab, select Add Key > Create new key, and choose JSON format. Download and securely save the key file. You will need this configuration data to set up the provisioner.
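Steps 3 and 4 above are easy to get wrong in the other direction: a service account that was granted a basic role such as Editor "to make discovery work" will connect fine but holds far more than the connector needs. The following script is an added example (not Ping Identity or Google code) that reads the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, collects the roles bound to the connector's service account, and reports missing required roles and over-broad ones. The policy, project and service-account name are constructed samples; the assumption that `roles/cloudasset.viewer` is the role carrying `cloudasset.assets.searchAllResources` is marked in the code.

```python
"""Check that the connector service account carries the IAM roles the Google
Vertex AI application needs at project level, and nothing broader.

Added example; not code from Ping Identity or Google. Input is the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints. The policy
below is constructed sample data; project and account names are illustrative.
"""
import json

# Roles the prerequisites list as required at project level.
REQUIRED_ROLES = {"roles/dialogflow.reader", "roles/aiplatform.viewer"}

# Role assumed to carry cloudasset.assets.searchAllResources for the optional
# organization-wide discovery step (assumption: roles/cloudasset.viewer does).
ASSET_SEARCH_ROLES = {"roles/cloudasset.viewer"}

# Basic roles grant far more than read access to Dialogflow / Vertex AI
# resources; a discovery-only identity should not hold them.
OVERBROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

CONNECTOR_SA = "aic-vertex-connector@finance-ai-agents-prod.iam.gserviceaccount.com"

SAMPLE_POLICY = json.dumps({  # constructed sample policy, not from a real project
    "version": 3,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/dialogflow.reader",
         "members": [f"serviceAccount:{CONNECTOR_SA}"]},
        {"role": "roles/aiplatform.viewer",
         "members": [f"serviceAccount:{CONNECTOR_SA}", "user:analyst@example.com"]},
        # The kind of binding an over-eager "just make it work" grant leaves behind.
        {"role": "roles/editor",
         "members": [f"serviceAccount:{CONNECTOR_SA}"]},
    ],
})


def roles_for_member(policy_json, member):
    """Return the set of roles bound to `member` in a project IAM policy.

    Conditional bindings are included as held; the condition itself is not
    evaluated, so treat the result as an upper bound on effective access.
    """
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_connector_sa(policy_json, sa_email, want_asset_search=False):
    """Compare the service account's roles with what the connector needs.

    Returns a dict listing missing required roles, over-broad roles that
    should be removed, whether the optional asset-search role is present,
    and an overall ok flag.
    """
    held = roles_for_member(policy_json, f"serviceAccount:{sa_email}")
    report = {
        "missing": sorted(REQUIRED_ROLES - held),
        "overbroad": sorted(held & OVERBROAD_ROLES),
        "asset_search": bool(held & ASSET_SEARCH_ROLES),
    }
    report["ok"] = (not report["missing"] and not report["overbroad"]
                    and (report["asset_search"] or not want_asset_search))
    return report


if __name__ == "__main__":
    print(json.dumps(audit_connector_sa(SAMPLE_POLICY, CONNECTOR_SA,
                                        want_asset_search=True), indent=2))
```

Run it against the real policy export before you click Connect, and again after any later "fix" to the service account: the report flags `roles/editor` on the sample account even though discovery would succeed with it, which is exactly the case a connection test alone will not catch.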

## Register the application

1. In the Advanced Identity Cloud admin console, go to Applications, and click Browse App Catalog.

2. In the Browse App Catalog modal, select the Google Vertex AI application, and click Next.

3. Review the Application Integration information, and click Next.

4. In the Application Details window, specify the name, description, application owners, and logo for the application.

5. Leave the Authoritative checkbox unselected.

6. Click Create Application.

## Configure the provisioner

1. In the Advanced Identity Cloud admin console, go to Applications.

2. Click the application you just registered to open the application details page.

3. Click the Provisioning tab, then compare the message displayed with these options:

   * You haven't set up provisioning yet\
     This message indicates that Advanced Identity Cloud has found a connector server with a compatible connector installed, but you haven't set up provisioning yet. In this case, click Set up Provisioning to set up provisioning for the application.

   * No Connector Servers available\
     This message indicates that Advanced Identity Cloud either can't find a connector server to use for provisioning or that it can find a connector server but it doesn't have a compatible connector installed for this application.

     > **Collapse: Show guidance**
     >
     > * If you haven't set up a connector server:
     >
     >   1. [Register a remote server](../../identities/sync-identities.html#task-1-register-a-remote-server)
     >
     >   2. (Optional) [Reset the client secret](../../identities/sync-identities.html#task-2-reset-the-client-secret)
     >
     >   3. [Download a remote server](../../identities/sync-identities.html#task-3-download-a-remote-server)
     >
     >   4. Add the Google Vertex AI connector JAR file to the remote server's connectors folder.
     >
     >   5. [Configure the remote server](../../identities/sync-identities.html#task-5-configure-a-remote-server)
     >
     >   6. Refresh the Google Vertex AI application page in your browser, then begin step 3 again.
     >
     > * If you've already set up a connector server:
     >
     >   1. Add the Google Vertex AI connector JAR file to the remote server's connectors folder, then restart the connector server.
     >
     >   2. Refresh the Google Vertex AI application page in your browser, then begin step 3 again.

4. In the Connect to Google Vertex AI modal, enter the following information:

   * Project ID: Enter your GCP project ID. For example, `finance-ai-agents-prod`.

   * Location: Enter your GCP location. For example, `us-central1`, `europe-west3`, or `australia-southeast1`.

   * Agent API Flavor: Choose one of the following options for agent discovery based on how your assistants are built in Google Cloud:

     * Select `Dialogflow CX` for visual, state-based conversational virtual agents.

     * Select `Vertex AI Agent Engine` for code-first programmatic agent frameworks.

     * Select `Both` to discover a hybrid deployment of both styles.

   * Complete the following fields according to your chosen authentication method:

     * Use Workload Identity: Select this checkbox to allow the application to automatically discover identity tokens from the environment using Application Default Credentials (ADC). To use this option, ensure your runtime environment is properly bound to a Google Cloud service account with the necessary Vertex AI permissions.

     * Service Account Key JSON: Use this field to provide the JSON key for a GCP service account with the necessary permissions to access the Vertex AI API.

   * Scan Offline Inventory: Select to enable scanning of offline inventory for identity bindings, service accounts, connections, and tool credentials.

   * GCS Identity Bindings URL: Specify the storage path to the JSON or CSV file containing IAM role mappings and identity bindings for your agents. The application reads this file during discovery to audit which user identities, groups, or external principals are authorized to invoke each agent. The GCS URL might look like `gs://<your-bucket-name>/agent-identity-bindings.json`.

   * GCS Service Accounts URL: Specify the storage path to the file containing the Google Cloud service accounts associated with your agent fleet. This allows the application to discover and catalog the underlying infrastructure identities that your agents use to interact with downstream GCP services. The GCS URL might look like `gs://<your-bucket-name>/agent-service-accounts.json`.

   * GCS Tool Credentials URL: Specify the storage path to the file or bucket location where third-party API keys and external credentials used by the agents' tools are cataloged. The application reads this data to flag and monitor unsecured secrets or external authentication paths mapped to your agents. The GCS URL might look like `gs://<your-bucket-name>/agent-tool-credentials.json`.

5. (Optional) Click Show advanced settings to set any of the following options:

   > **Collapse: Show advanced settings options**
   >
   > **Application specific settings**
   >
   > | Option             | Description                                                                          |
   > | ------------------ | ------------------------------------------------------------------------------------ |
   > | Exclude Unmodified | Select this option to synchronize only the modified properties on a target resource. |
   >
   > **Pool configuration**
   >
   > | Field                                   | Description                                                                                                                                                                           |
   > | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   > | Max idle and active container instances | The maximum number of idle and active container instances. The default value is `10`.                                                                                                 |
   > | Max Idle Connector Instances            | The maximum number of idle connector instances. The default value is `10`.                                                                                                            |
   > | Set Timeout Period                      | Select to enable a timeout period for the connection. After enabling, set Timeout period (ms): the timeout period in milliseconds.                                                    |
   > | Set Minimum Idle Time                   | Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, set Min idle time (ms): the minimum idle time in milliseconds.                        |
   > | Min Idle Instances                      | The minimum number of idle connector instances.                                                                                                                                       |
   >
   > **Result Handler configuration**
   >
   > | Field                                                                   | Description                                                                       |
   > | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
   > | Enable for connectors with the attribute normalizer interface           | Enables the attribute normalizer interface for supported connectors.              |
   > | Enable local filtering/search features                                  | Enables local filtering and search capabilities.                                  |
   > | Enable case insensitive filter                                          | Configures filters to ignore case sensitivity.                                    |
   > | Enable configuration of search attributes; disable for local connectors | Enables search attribute configuration. Disable this option for local connectors. |
   >
   > 1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds.
   >
   >    Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search.
   >
   > 2. In the Operation Rate Limits area, select the operations to enforce rate limits on.
   >
   >    You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search.
   >
   >    For each selected operation, configure the following fields:
   >
   >    | Field           | Description                        |
   >    | --------------- | ---------------------------------- |
   >    | Request Limit   | Requests allowed over time.        |
   >    | Request Period  | Limit resets after this time (ms). |
   >    | Request Timeout | Time before exception thrown (ms). |

6. Click Connect.

7. Verify that the status shows Connected.
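The Connect to Google Vertex AI modal in step 4 accepts free-form values, and a mismatch (a key JSON from a different project, a user credential pasted where a service-account key belongs, both authentication methods set, a non-`gs://` inventory path) only surfaces as a failed connection. The script below is an added example, not Advanced Identity Cloud or connector code, that validates the same fields before you click Connect. The configuration and key are constructed samples (the private key is a placeholder); the key field names are the standard Google service-account key fields, and the dictionary keys used for the form fields are this example's own naming.

```python
"""Pre-flight validation of the Connect to Google Vertex AI form: Project ID,
Location, Agent API Flavor, exactly one authentication method, the Service
Account Key JSON, and the gs:// offline-inventory URLs.

Added example; not Advanced Identity Cloud or connector code. The config and
key below are constructed samples (placeholder private key); the dict keys
for form fields are this example's own naming.
"""
import json
import re

# Google project IDs: 6-30 chars, lowercase letters, digits, hyphens; start with a letter.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# Regional locations such as us-central1, europe-west3, australia-southeast1.
LOCATION_RE = re.compile(r"^[a-z]+-[a-z]+[0-9]+$")
# gs://bucket[/object]; bucket names are 3-63 chars of lowercase letters, digits, . _ -
GCS_URL_RE = re.compile(r"^gs://[a-z0-9][a-z0-9._-]{1,61}[a-z0-9](/.*)?$")
FLAVORS = {"Dialogflow CX", "Vertex AI Agent Engine", "Both"}
# Fields every Google service-account key JSON carries.
KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email", "token_uri"}
GCS_FIELDS = ("gcs_identity_bindings_url", "gcs_service_accounts_url", "gcs_tool_credentials_url")

SAMPLE_KEY = json.dumps({  # constructed sample, not a real key
    "type": "service_account",
    "project_id": "finance-ai-agents-prod",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "aic-vertex-connector@finance-ai-agents-prod.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

SAMPLE_CONFIG = {  # constructed sample mirroring the modal's fields
    "project_id": "finance-ai-agents-prod",
    "location": "us-central1",
    "agent_api_flavor": "Both",
    "use_workload_identity": False,
    "service_account_key_json": SAMPLE_KEY,
    "scan_offline_inventory": True,
    "gcs_identity_bindings_url": "gs://my-agent-bucket/agent-identity-bindings.json",
    "gcs_service_accounts_url": "gs://my-agent-bucket/agent-service-accounts.json",
    "gcs_tool_credentials_url": "gs://my-agent-bucket/agent-tool-credentials.json",
}


def validate_key_json(key_text, project_id):
    """Return a list of problems with a pasted service-account key (empty means fine)."""
    try:
        key = json.loads(key_text)
    except json.JSONDecodeError as exc:
        return [f"Service Account Key JSON does not parse: {exc.msg}"]
    if not isinstance(key, dict):
        return ["Service Account Key JSON is not a JSON object"]
    errors = []
    missing = KEY_FIELDS - set(key)
    if missing:
        errors.append(f"key is missing fields: {', '.join(sorted(missing))}")
    if key.get("type") != "service_account":
        errors.append("key type is not 'service_account' (a user or other credential was pasted)")
    if key.get("project_id") != project_id:
        errors.append("key project_id does not match the Project ID field")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        errors.append("private_key is not a PEM private key block")
    if not str(key.get("client_email", "")).endswith(".gserviceaccount.com"):
        errors.append("client_email is not a service-account address")
    return errors


def validate_connection(cfg):
    """Validate the whole form; returns a list of problems (empty means ready to Connect)."""
    errors = []
    if not PROJECT_ID_RE.match(cfg.get("project_id", "")):
        errors.append("Project ID is not a valid GCP project ID")
    if not LOCATION_RE.match(cfg.get("location", "")):
        errors.append("Location is not a regional GCP location such as us-central1")
    if cfg.get("agent_api_flavor") not in FLAVORS:
        errors.append(f"Agent API Flavor must be one of {sorted(FLAVORS)}")
    use_wi = bool(cfg.get("use_workload_identity"))
    key_text = cfg.get("service_account_key_json")
    if use_wi and key_text:
        errors.append("Use Workload Identity and Service Account Key JSON are both set; choose one, not both")
    elif not use_wi and not key_text:
        errors.append("no authentication method: enable Workload Identity or paste a key JSON")
    elif key_text:
        errors.extend(validate_key_json(key_text, cfg.get("project_id", "")))
    for field in GCS_FIELDS:
        url = cfg.get(field)
        if url and not GCS_URL_RE.match(url):
            errors.append(f"{field} is not a gs://bucket/object URL: {url}")
    if cfg.get("scan_offline_inventory") and not any(cfg.get(f) for f in GCS_FIELDS):
        errors.append("Scan Offline Inventory is enabled but no GCS inventory URL is set")
    return errors


if __name__ == "__main__":
    problems = validate_connection(SAMPLE_CONFIG)
    print("ready to Connect" if not problems else "\n".join(problems))
```

The key checks deliberately stop at structure (type, project match, PEM header, account address) and never load or use the private key; a pre-flight script should not become another place the credential is exercised or logged.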

## Configure provisioning and reconciliation resources

To configure provisioning and reconciliation resources, follow the instructions in [Onboard AI agents](../../identity-governance/administration/iga-agent-governance.html#onboard-ai-agents) in the Agent Governance documentation.
