# VertexAI Gemini

## **Introduction**

Google provides several types of authentication to interact with VertexAI:

* **Private key exchange** (not recommended)
* **Using the Google Cloud CLI**
* **Configuring a Workload Identity Federation (WIF)**

The solution we recommend is the third option.\
However, this configuration requires certain prerequisites that will not be covered in this documentation, namely:

* [Creating a **service account**](https://cloud.google.com/iam/docs/service-accounts-create) with the necessary permissions to access the LLM
* Setting up an **OIDC provider** (the identity provider issuing your tokens), which the WIF provider will be configured to trust

## **Creating a Workload Identity Federation (WIF)**

To begin, go to the **IAM & Admin > Workload Identity Federation** menu:

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2Fetq7Foj1ey3NV87AcIVP%2Fimage.png?alt=media&#x26;token=7123d64a-fe53-417b-a901-bc8568e46383" alt=""><figcaption></figcaption></figure>

You will arrive on an interface listing the **Workload Identity Pools**.\
You need to add one by clicking the **Create Pool** button at the top of the screen.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2FVKjoz7zEXegIbnrMfghq%2Fimage.png?alt=media&#x26;token=2207777f-2448-416d-ae00-1154fcdaf8ec" alt=""><figcaption></figcaption></figure>

Then fill in the **name** and **description**.\
Keep the name aside; it will be used for the configuration on the BMS External Content side.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2FWBkQhLGF7Uy60NWdsM0u%2Fimage.png?alt=media&#x26;token=1077644f-2d4b-45c4-8620-1db7acc382b7" alt="" width="285"><figcaption></figcaption></figure>

Click **Continue**. You will then access the settings for the provider to add to the identity pool. **Dydu supports providers of type OIDC**.\
Select **OpenID Connect (OIDC)** from the list, then give it a **name** that will be needed for configuration on the BMS side.

Now, configure the provider to match the OIDC provider you set up earlier.\
Fill in the **provider ID** (clientId), the **issuer**, and the **JWK file** in JSON format if you host the keys yourself.\
The discovery document at `https://.../.well-known/openid-configuration` (under your issuer) gives you these values and makes this part easier to fill in.

Then, you must choose the value for the **audience**, which will be required in the token issued by your OIDC provider. This value must be present in the **aud** claim of the issued token. For example:

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2FzhSSAXQA26o2DkxKUcYN%2Fimage.png?alt=media&#x26;token=228ed76d-7377-4de8-a85b-451af63e6529" alt=""><figcaption></figcaption></figure>

Finally, complete the **attribute mapping** to finish configuring the provider for your identity pool.\
Save your changes, then go to the **Information** page for the newly created pool (**\<pool\_name>**).

Click the **Grant Access** button, then select **Grant access via service account impersonation**.\
Select your **service account** from the list, then complete the mapping.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2Fy23rDuqcrJ6yc1085c4x%2Fimage.png?alt=media&#x26;token=4b940ecd-6fc3-4ac9-98c4-c19ae870ee55" alt=""><figcaption></figcaption></figure>

Click **Save**. A new window will open to configure your application.\
Select the **provider** from the list, fill in the required information, then click **Hide**.\
Downloading the configuration is not necessary for the next steps.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2F75GWy4b2jd7uQtVp2Vkp%2Fimage.png?alt=media&#x26;token=0eb8146f-6fff-4e57-a72d-152b7659cbe2" alt="" width="308"><figcaption></figcaption></figure>

The configuration on the **Google Cloud side** is now complete.

## **WIF configuration on the BMS side**

Once on the **BMS**, click on **Content > External Content**.\
In the configuration area **LLM Parameter Summary**, click **Edit**, then select **VertexAI Gemini** from the list of LLM model types.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2FNOkP4ZeMaJkbHX0uTJYV%2Fimage.png?alt=media&#x26;token=fbd25ce2-95c0-45d5-b3c5-b6eb3bbe3ab3" alt=""><figcaption></figcaption></figure>

Then click on **Configure** in the **Provider configuration** section.\
A new window will open as a popup.\
You will need to configure the call to your OIDC's **/token endpoint**.\
This call must be a **POST** and should contain only **headers** and **URL-encoded parameters**.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2F2YkTvUSe8rG7s18SCGxc%2Fimage.png?alt=media&#x26;token=0562a3ac-4c77-4873-b1c1-8e0002836f01" alt=""><figcaption></figcaption></figure>

You have two options:

* **Fill in all the information manually**
* **Paste a CURL request in the lower area**: the entire configuration will be set up automatically

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2FdWLUfMOUhSOxRnqLd6Zj%2Fimage.png?alt=media&#x26;token=e3016020-f463-4f0a-8384-7541f8973f55" alt=""><figcaption></figcaption></figure>

Once the configuration is complete, you can click outside this window.\
The configuration button has been renamed, and you will see the CURL request when you hover over it.\
In step 3, fill in the models you want to use.\
You are now at the final step.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2FBAJVNa4DnPEp8YguHr9q%2Fimage.png?alt=media&#x26;token=8dfb4e78-4fbc-4b45-ae4c-0daa400f33b4" alt=""><figcaption></figcaption></figure>

Here is where to find the required information on **Google Cloud**:

* **Project number:** Click the three horizontal bars at the top left, then go to **Cloud Overview > Dashboard**. Take note of the project number.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2FBzhLL92yTpVA5bYdinNK%2Fimage.png?alt=media&#x26;token=1745ce44-3a5d-4810-aaee-fb3902797955" alt=""><figcaption></figcaption></figure>

* **Region to use:** Refer to the Google Cloud documentation.
* **WIF pool ID:** This is the value in the **Identifier** column next to the pool you created in the initial steps.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2FhUeiddMBR98ZNgfOAycN%2Fimage.png?alt=media&#x26;token=df48647b-583c-4811-a53b-1f18f33306bb" alt=""><figcaption></figcaption></figure>

* **Provider ID:** From your pool, click **Edit** on your provider’s row, then take the value from the **Identifier** field.

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2F91aFBRKyClLxJwpQtVh7%2Fimage.png?alt=media&#x26;token=73a2852c-6cbd-4db1-8ce9-0157d1c78898" alt="" width="414"><figcaption></figcaption></figure>

* **Service account email:** This information is found on the service accounts screen. Copy the email of the one with permissions to access VertexAI, then enter it in the field.
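To show how the identifiers collected above and the **aud** claim chosen earlier fit together, here is an added worked example of the exchange that runs behind this configuration (this is illustrative code, not Dydu's BMS code or a Google library): a POST to the OIDC **/token** endpoint with URL-encoded parameters, a pre-flight check that the returned JWT carries the **iss**, **aud** and **exp** values the WIF provider expects, the exchange of that JWT at Google's STS for a federated token, and finally impersonation of the service account granted on the pool. The OIDC endpoint URL, the `client_credentials` grant with client id and secret, and the `access_token` field holding the JWT are assumptions; the HTTP transport is injectable so the flow can be exercised offline with fakes.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = "https://iamcredentials.googleapis.com/v1"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


@dataclass(frozen=True)
class WifConfig:
    project_number: str         # Cloud Overview > Dashboard
    pool_id: str                # "Identifier" column of the pool
    provider_id: str            # "Identifier" field of the provider
    service_account_email: str  # account granted via impersonation
    issuer: str                 # issuer set on the OIDC provider
    audience: str               # value expected in the token's "aud" claim


def sts_audience(cfg: WifConfig) -> str:
    """Full resource name of the WIF provider, sent to STS as 'audience'."""
    return (f"//iam.googleapis.com/projects/{cfg.project_number}/locations/global/"
            f"workloadIdentityPools/{cfg.pool_id}/providers/{cfg.provider_id}")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload only. Google verifies the signature against the
    provider's JWKS; this is a pre-flight claim check, not verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_unb64url(parts[1]))


def check_token_matches_provider(token: str, cfg: WifConfig, now=None) -> list:
    """Mismatches between the token and the provider settings; empty means OK."""
    now = time.time() if now is None else now
    c = jwt_claims(token)
    problems = []
    if c.get("iss") != cfg.issuer:
        problems.append(f"iss {c.get('iss')!r} != {cfg.issuer!r}")
    aud = c.get("aud")
    if cfg.audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} lacks {cfg.audience!r}")
    if not isinstance(c.get("exp"), (int, float)) or c["exp"] <= now:
        problems.append("token expired or has no exp")
    return problems


def post_form(url: str, fields: dict, headers=None) -> dict:
    """Default transport: POST URL-encoded fields, return the JSON body."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", **(headers or {})})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def post_json(url: str, payload: dict, headers=None) -> dict:
    """Default transport: POST a JSON body, return the JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def service_account_access_token(cfg, oidc_token_url, client_id, client_secret,
                                 form=post_form, json_post=post_json, now=None) -> str:
    # 1. OIDC /token: a POST carrying only headers and URL-encoded parameters,
    #    the shape the BMS provider configuration asks for (grant type and
    #    "access_token" response field are assumptions about your OIDC provider).
    oidc = form(oidc_token_url, {"grant_type": "client_credentials",
                                 "client_id": client_id, "client_secret": client_secret})
    subject = oidc["access_token"]
    problems = check_token_matches_provider(subject, cfg, now)
    if problems:
        raise ValueError("token would be rejected by WIF: " + "; ".join(problems))
    # 2. Google STS: swap the external JWT for a short-lived federated token.
    sts = form(STS_URL, {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": sts_audience(cfg),
        "scope": CLOUD_PLATFORM_SCOPE,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": subject,
    })
    # 3. Impersonate the service account granted on the pool ("Grant Access").
    url = (f"{IAM_CREDENTIALS_URL}/projects/-/serviceAccounts/"
           f"{cfg.service_account_email}:generateAccessToken")
    sa = json_post(url, {"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": "3600s"},
                   headers={"Authorization": f"Bearer {sts['access_token']}"})
    return sa["accessToken"]


def unsigned_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline runs of the checks above."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."
```

The returned token is what a call to the Vertex AI Gemini endpoint would carry as its bearer token. The value of the pre-flight check is diagnostic: when the exchange fails at step 2, the list it returns tells you which of **issuer**, **audience** or token lifetime disagrees between your OIDC provider and the WIF provider settings, without needing to read Google's error message.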

The configuration is complete!
