
Deploy AI Agent Authenticator

This article describes how you can deploy the AI Agent Authenticator (AAAuth) by using Terraform.

Before you begin

To follow the instructions in this guide, you need the following:

  • Google Cloud project to deploy the application in. We recommend creating a dedicated project for deploying AAAuth.

If you're using Gemini Enterprise with workforce identity federation and Microsoft Entra, you also need:

  • Permission to modify the Entra App registration used by workforce identity federation.

Deploying AAAuth requires the following billable components of Google Cloud:

Prepare the deployment

To prepare the deployment, do the following:

  1. Select or create a Google Cloud project to deploy the application in. We recommend creating a dedicated project for deploying AAAuth.

  2. Enable billing for your project.

  3. Open Cloud Shell.

  4. Set an environment variable to contain your project ID:

    export PROJECT_ID=project-id
    

    Replace project-id with the ID of your project.

  5. Set another environment variable to contain your preferred region:

    export REGION=region
    

    Replace region with a region that supports Cloud Run and Compute Engine, for example us-central1.

  6. Authorize gcloud:

    gcloud auth login
    

    You can skip this step if you're using Cloud Shell.

  7. Authorize terraform:

    gcloud auth application-default login &&
    gcloud auth application-default set-quota-project $PROJECT_ID
    

    You can skip this step if you're using Cloud Shell.

  8. Clone the AAAuth Git repository and switch to the latest branch:

    git clone https://github.com/GoogleCloudPlatform/iam-federation-tools.git
    cd iam-federation-tools/aaauth
    git checkout latest
    

You're now ready to deploy AAAuth to Cloud Run.

Deploy AAAuth to Cloud Run

To deploy AAAuth to Cloud Run by using Terraform, do the following:

  1. Change to the terraform directory:

    cd terraform
    
  2. Create a file named terraform.tfvars and configure it depending on the identity provider you use for Gemini Enterprise.

    If Gemini Enterprise uses Google Identity:

    cat << EOF > terraform.tfvars
    project_id = "$PROJECT_ID"
    region = "$REGION"
    EOF
    

    If Gemini Enterprise uses workforce identity federation with Microsoft Entra:

    cat << EOF > terraform.tfvars
    project_id = "$PROJECT_ID"
    region = "$REGION"
    entra_tenant = "TENANT"
    entra_provider = "PROVIDER"
    EOF
    

    If you use Entra, open the file terraform.tfvars and replace the following:

    • TENANT: the ID of your Entra tenant, a GUID in the format 00000000-0000-0000-0000-000000000000.
    • PROVIDER: the full resource name of your workforce identity provider, in the format locations/global/workforcePools/POOL/providers/PROVIDER, where POOL and PROVIDER are the IDs of your workforce identity pool and provider.

      This must be the same workforce identity provider as the one you use for Gemini Enterprise.

  3. Set up authentication for Artifact Registry:

    gcloud auth configure-docker $REGION-docker.pkg.dev
    
  4. Initialize Terraform:

    terraform init
    
  5. Apply the configuration:

    terraform apply -var-file=terraform.tfvars
    

    When the deployment completes, Terraform outputs the URL of the Cloud Run service. Note down this URL; you'll need it when you configure your identity provider.
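The following script is an added example; it is not part of the iam-federation-tools repository or of this guide. It produces the same terraform.tfvars contents as the commands in step 2 for either identity-provider configuration, but first checks the Entra tenant ID and the workforce identity provider resource name against the formats given above, so a malformed value fails here instead of at terraform apply, and it writes the file with owner-only permissions. The variable names project_id, region, entra_tenant and entra_provider are the ones from step 2; the function names and the AAAUTH_MODE, ENTRA_TENANT and ENTRA_PROVIDER environment variables are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the iam-federation-tools repository): generate
# terraform.tfvars for the AAAuth deployment and validate the Entra inputs
# before Terraform sees them.
set -eu

# Accept only the 8-4-4-4-12 hex GUID form that the guide requires for the
# Entra tenant ID.
is_tenant_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Accept only a global workforce identity provider resource name of the form
# locations/global/workforcePools/POOL/providers/PROVIDER.
is_provider_name() {
  printf '%s' "$1" | grep -Eq '^locations/global/workforcePools/[a-z0-9-]+/providers/[a-z0-9-]+$'
}

# tfvars_content MODE PROJECT_ID REGION [TENANT PROVIDER]
#   MODE is "google" (Google Identity) or "entra" (workforce identity
#   federation with Microsoft Entra). Prints the tfvars contents to stdout
#   and returns non-zero if an Entra value does not have the required format.
tfvars_content() {
  local mode=$1 project=$2 region=$3
  printf 'project_id = "%s"\nregion = "%s"\n' "$project" "$region"
  case "$mode" in
    google) ;;
    entra)
      local tenant=${4:-} provider=${5:-}
      is_tenant_id "$tenant" || { echo "invalid Entra tenant ID: '$tenant'" >&2; return 1; }
      is_provider_name "$provider" || { echo "invalid workforce identity provider name: '$provider'" >&2; return 1; }
      printf 'entra_tenant = "%s"\nentra_provider = "%s"\n' "$tenant" "$provider"
      ;;
    *) echo "unknown mode: $mode (use google or entra)" >&2; return 1 ;;
  esac
}

# write_tfvars PATH MODE PROJECT_ID REGION [TENANT PROVIDER]
#   Validates first, then writes PATH with mode 0600 (umask 077) so the file
#   is readable only by its owner.
write_tfvars() {
  local path=$1; shift
  local content
  content=$(tfvars_content "$@")
  (umask 077; printf '%s\n' "$content" > "$path")
}

# Example invocation, run only when AAAUTH_MODE is set (assumed variable names):
#   AAAUTH_MODE=entra ENTRA_TENANT=... ENTRA_PROVIDER=... ./gen-tfvars.sh
if [ -n "${AAAUTH_MODE:-}" ]; then
  write_tfvars terraform.tfvars "$AAAUTH_MODE" "$PROJECT_ID" "$REGION" \
    "${ENTRA_TENANT:-}" "${ENTRA_PROVIDER:-}"
fi
```

In Cloud Shell, after setting PROJECT_ID and REGION as in the preparation steps, source the file and call write_tfvars terraform.tfvars with the mode and values for your identity provider; the remaining steps (terraform init and terraform apply -var-file=terraform.tfvars) are unchanged.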

AAAuth is now deployed, but you still need to configure your identity provider.

Configure your identity provider

Configure your identity provider so that AAAuth can authenticate users. The steps differ depending on the identity provider you use for Gemini Enterprise:

If you've configured Gemini Enterprise to use Google Identity, you must create an OAuth consent screen and client ID:

  1. In the Cloud Console, go to APIs & Services > Credentials.
  2. Click Configure consent screen > Get started and configure the following settings:

    • App name: Enter a name such as AI Agent Authenticator.
    • User support email: Select an email address.
    • Audience: Internal.
    • Contact Information: Enter an email address.

    Then click Create.

  3. Click Create OAuth client.

  4. Select Web application and configure the following settings:

    • Name: Enter a name such as AI Agent Authenticator.
    • Authorized redirect URIs:

      https://SERVICE/google-identity/continue
      

      Replace SERVICE with the domain name of the Cloud Run service, for example service-xxxxxx-as.a.run.app. The registered URI must match the one AAAuth sends exactly, including the https scheme and the path; Google rejects sign-in attempts that redirect to an unregistered URI.

  5. Click Create.

    Note down the client ID and the client secret; you'll need them when you configure Gemini Enterprise. Treat the client secret as a credential: keep it in a secret manager rather than in source control.

  6. Click OK.

If you've configured Gemini Enterprise to use workforce identity federation with Microsoft Entra, you must update the App registration used by your workforce identity provider.

  1. In the Entra admin center, open the App registration used by your workforce identity provider.
  2. Go to Authentication.
  3. Click Add redirect URI.
  4. Select Web and enter the following URI:

    https://SERVICE/entra-delegated/continue
    

    Replace SERVICE with the domain name of the Cloud Run service, for example service-xxxxxx-as.a.run.app. Entra only redirects to URIs registered on the App registration, so the value must match exactly, including the scheme and the path.

  5. Click Configure.

  6. Go to Certificates and secrets.
  7. Click New client secret and add an additional secret.

    Note down the secret value; you need it when you configure Gemini Enterprise. Entra shows the value only once, immediately after you create it, so copy it now and keep it in a secret manager rather than in source control.

What's next

Configure Gemini Enterprise so that it can use AAAuth.