How-to

Connect to Google Cloud Platform (GCP)

Learn how to configure your GCP project to trust Vercel's OpenID Connect (OIDC) Identity Provider (IdP).
Table of Contents

Secure backend access with OIDC federation is available on all plans

To understand how GCP supports OIDC through Workload Identity Federation, consult the GCP documentation.

    1. Navigate to the Google Cloud Console
    2. Navigate to IAM & Admin then Workload Identity Federation
    3. Click on Create Pool
    1. Enter a name for the pool, e.g. Vercel
    2. Enter an ID for the pool, e.g. vercel and click Continue
    1. Select OpenID Connect (OIDC) from the provider types
    2. Enter a name for the provider, e.g. Vercel
    3. Enter an ID for the provider, e.g. vercel
    4. Enter the Issuer URL, the URL will depend on the issuer mode setting:
      • Team: https://oidc.vercel.com/[TEAM_SLUG], replacing [TEAM_SLUG] with the path from your Vercel team URL
      • Global: https://oidc.vercel.com
    5. Leave JWK file (JSON) empty
    6. Select Allowed audiences from "Audience"
    7. Enter https://vercel.com/[TEAM_SLUG] in the "Audience 1" field and click "Continue"
    1. Assign the google.subject mapping to assertion.sub
    2. Click Save
    1. Copy the IAM Principal from the pool details page from the previous step. It should look like principal://iam.googleapis.com/projects/012345678901/locations/global/workloadIdentityPools/vercel/subject/SUBJECT_ATTRIBUTE_VALUE
    2. Navigate to IAM & Admin then Service Accounts
    3. Click on Create Service Account
    1. Enter a name for the service account, e.g. Vercel.
    2. Enter an ID for the service account, e.g. vercel and click Create and continue.
    1. Select a role or roles for the service account, e.g. Storage Object Admin.
    2. Click Continue.
    1. Paste in the IAM Principal copied from the pool details page in the Service account users role field.
      • Replace SUBJECT_ATTRIBUTE_VALUE with owner:[VERCEL_TEAM]:project:[PROJECT_NAME]:environment:[ENVIRONMENT]. e.g. principal://iam.googleapis.com/projects/012345678901/locations/global/workloadIdentityPools/vercel/subject/owner:acme:project:my-project:environment:production.
      • You can add multiple principals to this field, add a principal for each project and environment you want to grant access to.
    2. Click Done.
  1. Once you have configured your GCP project with OIDC access, gather the following values from the Google Cloud Console:

    ValueLocationEnvironment VariableExample
    Project IDIAM & Admin -> SettingsGCP_PROJECT_IDmy-project-123456
    Project NumberIAM & Admin -> SettingsGCP_PROJECT_NUMBER1234567890
    Service Account EmailIAM & Admin -> Service AccountsGCP_SERVICE_ACCOUNT_EMAILvercel@my-project-123456.iam.gserviceaccount.com
    Workload Identity Pool IDIAM & Admin -> Workload Identity Federation -> PoolsGCP_WORKLOAD_IDENTITY_POOL_IDvercel
    Workload Identity Pool Provider IDIAM & Admin -> Workload Identity Federation -> Pools -> ProvidersGCP_WORKLOAD_IDENTITY_POOL_PROVIDER_IDvercel

    Then, declare them as environment variables in your Vercel project.

    You are now ready to connect to your GCP resource from your project's code. Review the example below.

In the following example, you create a Vercel function in the Vercel project where you have defined the GCP account environment variables. The function will connect to GCP using OIDC and use a specific resource provided by Google Cloud services.

Install the following packages:

pnpm
yarn
npm
pnpm i google-auth-library @ai-sdk/google-vertex ai @vercel/functions

In the API route for this function, use the following code to perform the following tasks:

  • Use google-auth-library to create an External Account Client
  • Use it to authenticate with Google Cloud Services
  • Use Vertex AI with Google Vertex Provider to generate text from a prompt
/api/gcp-vertex-ai/route.ts
import { getVercelOidcToken } from '@vercel/functions/oidc';
import { ExternalAccountClient } from 'google-auth-library';
import { createVertex } from '@ai-sdk/google-vertex';
import { generateText } from 'ai';
 
const GCP_PROJECT_ID = process.env.GCP_PROJECT_ID;
const GCP_PROJECT_NUMBER = process.env.GCP_PROJECT_NUMBER;
const GCP_SERVICE_ACCOUNT_EMAIL = process.env.GCP_SERVICE_ACCOUNT_EMAIL;
const GCP_WORKLOAD_IDENTITY_POOL_ID = process.env.GCP_WORKLOAD_IDENTITY_POOL_ID;
const GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID =
  process.env.GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID;
 
// Initialize the External Account Client
const authClient = ExternalAccountClient.fromJSON({
  type: 'external_account',
  audience: `//iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID}`,
  subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
  token_url: 'https://sts.googleapis.com/v1/token',
  service_account_impersonation_url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_SERVICE_ACCOUNT_EMAIL}:generateAccessToken`,
  subject_token_supplier: {
    // Use the Vercel OIDC token as the subject token
    getSubjectToken: getVercelOidcToken,
  },
});
 
const vertex = createVertex({
  project: GCP_PROJECT_ID,
  location: 'us-central1',
  googleAuthOptions: {
    authClient,
    projectId: GCP_PROJECT_ID,
  },
});
 
// Export the route handler
export const GET = async (req: Request) => {
  const result = generateText({
    model: vertex('gemini-1.5-flash'),
    prompt: 'Write a vegetarian lasagna recipe for 4 people.',
  });
  return Response.json(result);
};
Last updated on October 23, 2024