VertexAI Gemini

Compared to other types of LLMs supported by Dydu, **VertexAI** requires specific configuration to operate.

Introduction

Google provides several types of authentication to interact with VertexAI:

  • Private key exchange (not recommended)

  • Using the Google Cloud CLI

  • Configuring a Workload Identity Federation (WIF)

The solution we recommend is the third option. However, this configuration requires certain prerequisites that will not be covered in this documentation, namely:

  • Creating a service account with the necessary permissions to access the LLM

  • Creating an OIDC identity provider (called "your OIDC" below), which will be configured in the WIF provider

Creating a Workload Identity Federation (WIF)

To begin, go to the IAM & Admin > Workload Identity Federation menu.

You will arrive on an interface listing the Workload Identity Pools. You need to add one by clicking the Create Pool button at the top of the screen.

Then fill in the name and description. Keep the name aside; it will be used for the configuration on the BMS External Content side.

Click Continue. You will then access the settings for the provider to add to the identity pool. Dydu supports providers of type OIDC. Select OpenID Connect (OIDC) from the list, then give it a name that will be needed for configuration on the BMS side.

Now configure the provider with the details of the OIDC you previously set up. Fill in the provider ID (clientId), the issuer, and the JWK file in JSON format if you have configured it on your side. The URL “https://.../.well-known/openid-configuration” of your OIDC makes this part easier to fill in.

Then choose the value for the audience. This value must be present in the aud claim of the token issued by your OIDC.

Finally, complete the attribute mapping to finish configuring the provider for your identity pool. Save your changes, then go to the Information page for the newly created pool (<pool_name>).

Click the Grant Access button, then select Grant access via service account impersonation. Select your service account from the list, then complete the mapping.

Click Save. A new window will open to configure your application. Select the provider from the list, fill in the required information, then click Hide. Downloading the configuration is not necessary for the next steps.

The configuration on the Google Cloud side is now complete.
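The audience and issuer requirements above can be checked offline on a token from your OIDC before moving to the BMS side. The following is an added example, not Dydu or Google code: it decodes the claims without verifying the signature and lists the mismatches. The issuer URL, project number, pool and provider names are constructed values, and `default_audience` assumes the provider uses Google's default audience rather than a custom one.

```python
import base64
import json
import time


def default_audience(project_number, pool_id, provider_id):
    """Audience a WIF provider expects when no custom audience is configured."""
    return ("https://iam.googleapis.com/projects/%s/locations/global/"
            "workloadIdentityPools/%s/providers/%s"
            % (project_number, pool_id, provider_id))


def decode_claims(jwt):
    """Return the payload claims of a compact JWT. The signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(jwt, issuer, audience, now=None):
    """List the mismatches that would make the WIF provider reject the token."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:  # must match the configured issuer exactly
        problems.append("iss %r != configured issuer %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]  # aud is a string or an array
    if audience not in aud_values:
        problems.append("audience %r missing from aud %r" % (audience, aud))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or has no exp claim")
    return problems


def sample_token(claims):
    """Constructed, unsigned sample token for the demo (placeholder signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))


if __name__ == "__main__":
    aud = default_audience("123456789012", "example-pool", "example-oidc")
    good = sample_token({"iss": "https://idp.example.com", "aud": aud, "exp": 2000000000})
    print(check_token(good, "https://idp.example.com", aud, now=1700000000))
```

An empty list means the three claims line up with the provider settings; a trailing slash on the issuer is enough to produce a mismatch.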

WIF configuration on the BMS side

Once on the BMS, click on Content > External Content. In the configuration area LLM Parameter Summary, click Edit, then select VertexAI Gemini from the list of LLM model types.

Then click on Configure in the Provider configuration section. A new window will open as a popup. You will need to configure the call to your OIDC's /token endpoint. This call must be a POST and should contain only headers and URL-encoded parameters.

You have two options:

  • Fill in all the information manually

  • Paste a CURL request in the lower area: the entire configuration will be set up automatically

Once the configuration is complete, you can click outside this window. The configuration button has been renamed, and you will see the CURL request when you hover over it. Fill in the models from step 3 according to the ones you want to use. You are now at the final step.

Here is where to find the required information on Google Cloud:

  • Project number: Click the three horizontal bars at the top left, then go to Cloud Overview > Dashboard. Take note of the project number.

  • Region to use: Refer to the Google Cloud documentation.

  • WIF pool ID: This is the value in the Identifier column next to the pool you created in the initial steps.

  • Provider ID: From your pool, click Edit on your provider’s row, then take the value from the Identifier field.

  • Service account email: This information is found on the service accounts screen. Copy the email of the one with permissions to access VertexAI, then enter it in the field.

The configuration is complete!
