Connect to Google Cloud Platform (GCP)

Learn how to configure your GCP project to trust Vercel's OpenID Connect (OIDC) Identity Provider (IdP).

Table of Contents

Secure backend access with OIDC federation is available on all plans

To understand how GCP supports OIDC through Workload Identity Federation, consult the GCP documentation.

Configure your GCP project

Configure a Workload Identity Federation
1. Navigate to the Google Cloud Console
2. Navigate to IAM & Admin then Workload Identity Federation
3. Click on Create Pool
Create an identity pool
1. Enter a name for the pool, e.g. Vercel
2. Enter an ID for the pool, e.g. vercel and click Continue
Add a provider to the identity pool
1. Select OpenID Connect (OIDC) from the provider types
2. Enter a name for the provider, e.g. Vercel
3. Enter an ID for the provider, e.g. vercel
4. Enter the Issuer URL, the URL will depend on the issuer mode setting:
  - Team: https://oidc.vercel.com/[TEAM_SLUG], replacing [TEAM_SLUG] with the path from your Vercel team URL
  - Global: https://oidc.vercel.com
5. Leave JWK file (JSON) empty
6. Select Allowed audiences from "Audience"
7. Enter https://vercel.com/[TEAM_SLUG] in the "Audience 1" field and click "Continue"
Configure the provider attributes
1. Assign the google.subject mapping to assertion.sub
2. Click Save
Create a service account
1. Copy the IAM Principal from the pool details page from the previous step. It should look like principal://iam.googleapis.com/projects/012345678901/locations/global/workloadIdentityPools/vercel/subject/SUBJECT_ATTRIBUTE_VALUE
2. Navigate to IAM & Admin then Service Accounts
3. Click on Create Service Account
Enter the service account details
1. Enter a name for the service account, e.g. Vercel.
2. Enter an ID for the service account, e.g. vercel and click Create and continue.
Grant the service account access to the project
1. Select a role or roles for the service account, e.g. Storage Object Admin.
2. Click Continue.
Grant users access to the service account
1. Paste in the IAM Principal copied from the pool details page in the Service account users role field.
  - Replace SUBJECT_ATTRIBUTE_VALUE with owner:[VERCEL_TEAM]:project:[PROJECT_NAME]:environment:[ENVIRONMENT]. e.g. principal://iam.googleapis.com/projects/012345678901/locations/global/workloadIdentityPools/vercel/subject/owner:acme:project:my-project:environment:production.
  - You can add multiple principals to this field, add a principal for each project and environment you want to grant access to.
2. Click Done.

Define GCP account values as environment variables

Once you have configured your GCP project with OIDC access, gather the following values from the Google Cloud Console:

Value	Location	Environment Variable	Example
Project ID	IAM & Admin -> Settings	`GCP_PROJECT_ID`	`my-project-123456`
Project Number	IAM & Admin -> Settings	`GCP_PROJECT_NUMBER`	`1234567890`
Service Account Email	IAM & Admin -> Service Accounts	`GCP_SERVICE_ACCOUNT_EMAIL`	`vercel@my-project-123456.iam.gserviceaccount.com`
Workload Identity Pool ID	IAM & Admin -> Workload Identity Federation -> Pools	`GCP_WORKLOAD_IDENTITY_POOL_ID`	`vercel`
Workload Identity Pool Provider ID	IAM & Admin -> Workload Identity Federation -> Pools -> Providers	`GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID`	`vercel`

Then, declare them as environment variables in your Vercel project.

You are now ready to connect to your GCP resource from your project's code. Review the example below.

In the following example, you create a Vercel function in the Vercel project where you have defined the GCP account environment variables. The function will connect to GCP using OIDC and use a specific resource provided by Google Cloud services.

Return GCP Vertex AI generated text

Install the following packages:

pnpm

yarn

npm

pnpm i google-auth-library @ai-sdk/google-vertex ai @vercel/functions

In the API route for this function, use the following code to perform the following tasks:

Use google-auth-library to create an External Account Client
Use it to authenticate with Google Cloud Services
Use Vertex AI with Google Vertex Provider to generate text from a prompt

/api/gcp-vertex-ai/route.ts

import { getVercelOidcToken } from '@vercel/functions/oidc';
import { ExternalAccountClient } from 'google-auth-library';
import { createVertex } from '@ai-sdk/google-vertex';
import { generateText } from 'ai';
 
const GCP_PROJECT_ID = process.env.GCP_PROJECT_ID;
const GCP_PROJECT_NUMBER = process.env.GCP_PROJECT_NUMBER;
const GCP_SERVICE_ACCOUNT_EMAIL = process.env.GCP_SERVICE_ACCOUNT_EMAIL;
const GCP_WORKLOAD_IDENTITY_POOL_ID = process.env.GCP_WORKLOAD_IDENTITY_POOL_ID;
const GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID =
  process.env.GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID;
 
// Initialize the External Account Client
const authClient = ExternalAccountClient.fromJSON({
  type: 'external_account',
  audience: `//iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID}`,
  subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
  token_url: 'https://sts.googleapis.com/v1/token',
  service_account_impersonation_url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_SERVICE_ACCOUNT_EMAIL}:generateAccessToken`,
  subject_token_supplier: {
    // Use the Vercel OIDC token as the subject token
    getSubjectToken: getVercelOidcToken,
  },
});
 
const vertex = createVertex({
  project: GCP_PROJECT_ID,
  location: 'us-central1',
  googleAuthOptions: {
    authClient,
    projectId: GCP_PROJECT_ID,
  },
});
 
// Export the route handler
export const GET = async (req: Request) => {
  const result = generateText({
    model: vertex('gemini-1.5-flash'),
    prompt: 'Write a vegetarian lasagna recipe for 4 people.',
  });
  return Response.json(result);
};

Last updated on October 23, 2024

Connect to Amazon Web Services (AWS)

Connect to Microsoft Azure

Was this helpful?