
Configure Gemini Enterprise

This article describes how to configure Gemini Enterprise so that ADK agents can use AAAuth for delegated authorization.

Before you begin

To follow the instructions in this guide, you need the following:

The instructions in this article only apply to ADK agents running on Agent Engine and don't apply to A2A agents.

Create an authorization resource

To let Gemini Enterprise agents use AAAuth for delegated authorization, create an authorization resource:

  1. Open a bash or PowerShell prompt
  2. Authenticate gcloud:

    gcloud auth login
    
  3. Initialize the following variables:

    Bash:

    GE_PROJECT_ID=project-id
    SERVICE=service
    CLIENT_ID=client-id
    CLIENT_SECRET=client-secret
    
    PowerShell:

    $GeProjectId = "project-id"
    $Service = "service"
    $ClientId = "client-id"
    $ClientSecret = "client-secret"
    

    Replace the following:

    • project-id: project ID of your Gemini Enterprise project. This might be different from the project you deployed AAAuth to.
    • service: the domain name of the Cloud Run service -- for example, service-xxxxxx-as.a.run.app.

    Replace client-id and client-secret depending on your identity provider:

    • client-id: the client ID of the Entra App registration used by your workforce identity provider.
    • client-secret: the client secret that you created when you deployed AAAuth.
  4. Initialize another variable that selects the authorizer for AAAuth to use.

    For the google-identity authorizer, in bash:

    AUTHORIZER=google-identity
    
    or in PowerShell:

    $Authorizer = "google-identity"
    
    For the entra-delegated authorizer, in bash:

    AUTHORIZER=entra-delegated
    
    or in PowerShell:

    $Authorizer = "entra-delegated"
    
  5. Create the authorization resource:

    Bash:

    curl -s -X POST "https://discoveryengine.googleapis.com/v1alpha/projects/$GE_PROJECT_ID/locations/global/authorizations?authorizationId=aaauth-$AUTHORIZER" \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: $GE_PROJECT_ID" \
        -d @- <<EOF
    {
        "displayName": "AAAuth",
        "serverSideOauth2": {
            "clientId": "$CLIENT_ID",
            "clientSecret": "$CLIENT_SECRET",
            "tokenUri": "https://$SERVICE/$AUTHORIZER/token",
            "authorizationUri": "https://$SERVICE/$AUTHORIZER/authorize"
        }
    }
    EOF
    
    PowerShell:

    Invoke-RestMethod `
        -Uri "https://discoveryengine.googleapis.com/v1alpha/projects/$GeProjectId/locations/global/authorizations?authorizationId=aaauth-$Authorizer" `
        -Method POST `
        -Headers @{
            "Authorization"       = "Bearer $(gcloud auth print-access-token)"
            "Content-Type"        = "application/json"
            "X-Goog-User-Project" = "$GeProjectId"
        } `
        -Body (@{
            "displayName" = "AAAuth"
            "serverSideOauth2" = @{
                "clientId" = "$ClientId"
                "clientSecret" = "$ClientSecret"
                "tokenUri" = "https://$Service/$Authorizer/token"
                "authorizationUri" = "https://$Service/$Authorizer/authorize"
            }
        } | ConvertTo-Json -Depth 2)
    

Enable delegated authorization for an agent

To let an agent use AAAuth for authorization, do the following:

  1. Open a bash or PowerShell prompt
  2. Authenticate gcloud:

    gcloud auth login
    
  3. Initialize the following variables:

    Bash:

    GE_PROJECT_ID=project-id
    GE_PROJECT_NUMBER=project-number
    SERVICE=service
    ENGINE=engine
    AGENT=agent
    
    PowerShell:

    $GeProjectId = "project-id"
    $GeProjectNumber = "project-number"
    $Service = "service"
    $Engine = "engine"
    $Agent = "agent"
    

    Replace the following:

    • project-id: the project ID of your Gemini Enterprise project.
    • project-number: the project number of your Gemini Enterprise project.
    • engine: the ID of your Gemini Enterprise app.
    • agent: the ID of the Gemini Enterprise agent.

    You can find the ID of your Gemini Enterprise app by using the following command:

    Bash:

    curl -s -X GET \
        "https://discoveryengine.googleapis.com/v1alpha/projects/$GE_PROJECT_ID/locations/global/collections/default_collection/engines" \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: $GE_PROJECT_ID" | \
    jq -r '.engines[] | {displayName: .displayName, id: (.name | split("/") | last)}'
    
    PowerShell:

    $Engines = Invoke-RestMethod `
        -Uri "https://discoveryengine.googleapis.com/v1alpha/projects/$GeProjectId/locations/global/collections/default_collection/engines" `
        -Method Get `
        -Headers @{
            "Authorization"       = "Bearer $(gcloud auth print-access-token)"
            "Content-Type"        = "application/json"
            "X-Goog-User-Project" = "$GeProjectId"
        }
    $Engines.engines | Select-Object displayName, @{Name='id'; Expression={$_.name.Split('/')[-1]}}
    

    You can find the ID of your agents by using the following command:

    Bash:

    curl -s -X GET "https://discoveryengine.googleapis.com/v1alpha/projects/$GE_PROJECT_ID/locations/global/collections/default_collection/engines/$ENGINE/assistants/default_assistant/agents" \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: $GE_PROJECT_ID" | \
        jq -r '
            .agents[] | [
                .displayName,
                (.name | split("/") | last),
                (.authorizationConfig.toolAuthorizations // [] | join(", "))
            ]'
    
    PowerShell (note that the URI uses the PowerShell variable $GeProjectId, not the bash variable $GE_PROJECT_ID):

    $Agents = Invoke-RestMethod `
        -Uri "https://discoveryengine.googleapis.com/v1alpha/projects/$GeProjectId/locations/global/collections/default_collection/engines/$Engine/assistants/default_assistant/agents" `
        -Method Get `
        -Headers @{
            "Authorization"       = "Bearer $(gcloud auth print-access-token)"
            "Content-Type"        = "application/json"
            "X-Goog-User-Project" = "$GeProjectId"
        }
    $Agents.agents | Select-Object `
        displayName,
        @{Name='id'; Expression={$_.name.Split('/')[-1]}},
        @{Name='toolAuthorizations'; Expression={
            if ($_.authorizationConfig.toolAuthorizations) {
                $_.authorizationConfig.toolAuthorizations -join ", "
            } else {
                ""
            }
        }} | Format-Table -AutoSize
    
  4. Select the authorizer for AAAuth to use.

    For the google-identity authorizer, in bash:

    AUTHORIZER=google-identity
    
    or in PowerShell:

    $Authorizer = "google-identity"
    
    For the entra-delegated authorizer, in bash:

    AUTHORIZER=entra-delegated
    
    or in PowerShell:

    $Authorizer = "entra-delegated"
    
  5. Link the agent to the authorization resource:

    Note: The command replaces the agent's existing authorization configuration; any tool authorizations already linked to the agent are not kept.

    Bash:

    curl -s -X PATCH "https://discoveryengine.googleapis.com/v1alpha/projects/$GE_PROJECT_ID/locations/global/collections/default_collection/engines/$ENGINE/assistants/default_assistant/agents/$AGENT?updateMask=authorizationConfig" \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        -H "X-Goog-User-Project: $GE_PROJECT_ID" \
        -d @- <<EOF
    {
      "authorizationConfig": {
        "toolAuthorizations": [
          "projects/$GE_PROJECT_NUMBER/locations/global/authorizations/aaauth-$AUTHORIZER"
        ]
      }
    }
    EOF
    
    PowerShell (note that the URI uses the PowerShell variable $GeProjectId, not the bash variable $GE_PROJECT_ID):

    Invoke-RestMethod `
        -Uri "https://discoveryengine.googleapis.com/v1alpha/projects/$GeProjectId/locations/global/collections/default_collection/engines/$Engine/assistants/default_assistant/agents/$($Agent)?updateMask=authorizationConfig" `
        -Method PATCH `
        -Headers @{
            "Authorization"       = "Bearer $(gcloud auth print-access-token)"
            "Content-Type"        = "application/json"
            "X-Goog-User-Project" = "$GeProjectId"
        } `
        -Body (@{
            "authorizationConfig" = @{
                toolAuthorizations = @(
                    "projects/$GeProjectNumber/locations/global/authorizations/aaauth-$Authorizer")
            }
        } | ConvertTo-Json -Depth 3)
    

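The two procedures above (creating the authorization resource, then linking an agent to it) can be scripted end to end. The following is an added example in Python, not code from this page or from the AAAuth project; it uses the same Discovery Engine endpoints, headers and JSON bodies as the bash and PowerShell commands above, and adds two things a practitioner usually wants: because the PATCH replaces authorizationConfig wholesale, it reads the agent's current toolAuthorizations first and merges the new one in rather than dropping what is already linked, and after patching it re-reads the agent to confirm the link took effect. The constant names, function names and the placeholder values in the final block are this example's own assumptions; the two authorizer values and the URI shapes are the ones the page uses.

```python
import json
import subprocess
import urllib.request

# Assumed constants: the API base used by the page's commands and the two
# authorizer values the page supports.
DISCOVERY_ENGINE = "https://discoveryengine.googleapis.com/v1alpha"
AUTHORIZERS = ("google-identity", "entra-delegated")


def authorization_body(service, authorizer, client_id, client_secret):
    """Body for the POST that creates the aaauth-<authorizer> authorization resource."""
    if authorizer not in AUTHORIZERS:
        raise ValueError(f"unknown authorizer {authorizer!r}; expected one of {AUTHORIZERS}")
    # SERVICE must be the bare Cloud Run host name; a scheme or path would produce
    # malformed token/authorize endpoints.
    if "://" in service or "/" in service:
        raise ValueError("service must be a host name such as service-xxxxxx-as.a.run.app")
    return {
        "displayName": "AAAuth",
        "serverSideOauth2": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "tokenUri": f"https://{service}/{authorizer}/token",
            "authorizationUri": f"https://{service}/{authorizer}/authorize",
        },
    }


def authorization_name(project_number, authorizer):
    """Resource name the agent's toolAuthorizations list refers to (project number, not ID)."""
    return f"projects/{project_number}/locations/global/authorizations/aaauth-{authorizer}"


def tool_authorizations(agent):
    """toolAuthorizations from a GET agent response; the field is absent when none are set."""
    return (agent.get("authorizationConfig") or {}).get("toolAuthorizations") or []


def merged_patch_body(current_agent, new_authorization):
    """PATCH body that appends new_authorization to what the agent already has.

    The page's PATCH replaces authorizationConfig entirely, so the current list is
    merged in (order kept, duplicates dropped) instead of being overwritten.
    """
    merged = list(dict.fromkeys([*tool_authorizations(current_agent), new_authorization]))
    return {"authorizationConfig": {"toolAuthorizations": merged}}


def is_linked(agent, authorization):
    """True when the agent's toolAuthorizations list contains the given resource name."""
    return authorization in tool_authorizations(agent)


def _api(method, url, project_id, body=None):
    """Discovery Engine call with the same three headers as the page's curl commands."""
    token = subprocess.run(["gcloud", "auth", "print-access-token"],
                           capture_output=True, text=True, check=True).stdout.strip()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "X-Goog-User-Project": project_id,
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_authorization(project_id, service, authorizer, client_id, client_secret):
    """Step 5 of the first procedure: create the aaauth-<authorizer> resource."""
    url = (f"{DISCOVERY_ENGINE}/projects/{project_id}/locations/global/authorizations"
           f"?authorizationId=aaauth-{authorizer}")
    return _api("POST", url, project_id,
                authorization_body(service, authorizer, client_id, client_secret))


def link_agent(project_id, project_number, engine, agent, authorizer):
    """Step 5 of the second procedure, keeping prior tool authorizations and verifying the result."""
    agent_url = (f"{DISCOVERY_ENGINE}/projects/{project_id}/locations/global/collections/"
                 f"default_collection/engines/{engine}/assistants/default_assistant/agents/{agent}")
    wanted = authorization_name(project_number, authorizer)
    current = _api("GET", agent_url, project_id)
    _api("PATCH", f"{agent_url}?updateMask=authorizationConfig", project_id,
         merged_patch_body(current, wanted))
    after = _api("GET", agent_url, project_id)
    if not is_linked(after, wanted):
        raise RuntimeError(f"agent {agent} is not linked to {wanted}: {tool_authorizations(after)}")
    return tool_authorizations(after)


if __name__ == "__main__":
    # Placeholder values (assumed); replace them with your own before running.
    print(link_agent("project-id", "project-number", "engine", "agent", "google-identity"))
```

The pure functions (authorization_body, merged_patch_body, is_linked) can be exercised without any network access; only _api shells out to gcloud for an access token and calls the API, exactly as the curl and Invoke-RestMethod commands above do.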
What's next

Update your ADK agent to use delegated credentials.