Connect to Google Cloud Platform (GCP)
Learn how to configure your GCP project to trust Vercel's OpenID Connect (OIDC) Identity Provider (IdP).

Secure backend access with OIDC federation is available on all plans.
To understand how GCP supports OIDC through Workload Identity Federation, consult the GCP documentation.
- Navigate to the Google Cloud Console.
- Navigate to IAM & Admin, then Workload Identity Federation.
- Click Create Pool.
- Enter a name for the pool, e.g. `Vercel`.
- Enter an ID for the pool, e.g. `vercel`, and click Continue.
- Select OpenID Connect (OIDC) from the provider types.
- Enter a name for the provider, e.g. `Vercel`.
- Enter an ID for the provider, e.g. `vercel`.
- Enter the Issuer URL. The URL depends on your team's issuer mode setting:
  - Team: `https://oidc.vercel.com/[TEAM_SLUG]`, replacing `[TEAM_SLUG]` with the path from your Vercel team URL
  - Global: `https://oidc.vercel.com`
- Leave JWK file (JSON) empty.
- Select Allowed audiences from "Audience".
- Enter `https://vercel.com/[TEAM_SLUG]` in the "Audience 1" field and click "Continue".
- Assign the `google.subject` mapping to `assertion.sub`.
- Click Save.
- Copy the IAM Principal from the pool details page. It should look like `principal://iam.googleapis.com/projects/012345678901/locations/global/workloadIdentityPools/vercel/subject/SUBJECT_ATTRIBUTE_VALUE`.
- Navigate to IAM & Admin, then Service Accounts.
- Click Create Service Account.
- Enter a name for the service account, e.g. `Vercel`.
- Enter an ID for the service account, e.g. `vercel`, and click Create and continue.
- Select a role or roles for the service account, e.g. Storage Object Admin.
- Click Continue.
- Paste the IAM Principal copied from the pool details page into the Service account users role field.
- Replace `SUBJECT_ATTRIBUTE_VALUE` with `owner:[VERCEL_TEAM]:project:[PROJECT_NAME]:environment:[ENVIRONMENT]`, e.g. `principal://iam.googleapis.com/projects/012345678901/locations/global/workloadIdentityPools/vercel/subject/owner:acme:project:my-project:environment:production`.
- You can add multiple principals to this field; add one principal for each project and environment you want to grant access to.
- Click Done.
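The trust decision the steps above configure (issuer URL, allowed audience, and the `google.subject` to `assertion.sub` mapping bound to one principal per project and environment) is modelled in the following added example. It is not Vercel's or Google's code; the team slug `acme`, project `my-project` and project number `012345678901` are constructed sample values.

```typescript
// Added example, not Vercel's or Google's code: models the claim checks Workload
// Identity Federation applies to a Vercel OIDC token under the pool/provider above.
// Signature verification against the issuer's JWKS is done by Google STS, not here.
type IssuerMode = 'team' | 'global';
interface VercelClaims {
  iss: string;
  aud: string | string[];
  sub: string; // owner:<team>:project:<project>:environment:<env>
}
interface ProviderTrust {
  issuer: string;             // Issuer URL entered on the provider
  allowedAudiences: string[]; // "Allowed audiences" entered on the provider
  boundSubjects: string[];    // subjects granted Service Account User
}

// The issuer URL depends on the team's issuer mode setting.
function issuerUrl(mode: IssuerMode, teamSlug: string): string {
  return mode === 'team' ? `https://oidc.vercel.com/${teamSlug}` : 'https://oidc.vercel.com';
}

// Subject claim Vercel issues for one project and environment.
function vercelSubject(team: string, project: string, environment: string): string {
  return `owner:${team}:project:${project}:environment:${environment}`;
}

// Principal identifier to paste into the "Service account users" field.
function principalFor(projectNumber: string, poolId: string, subject: string): string {
  return `principal://iam.googleapis.com/projects/${projectNumber}/locations/global/workloadIdentityPools/${poolId}/subject/${subject}`;
}

// Returns the rejection reason, or null when the token is accepted and its sub
// (mapped to google.subject) matches a bound principal.
function federationDecision(claims: VercelClaims, trust: ProviderTrust): string | null {
  if (claims.iss !== trust.issuer) return `issuer mismatch: ${claims.iss}`;
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.some((a) => trust.allowedAudiences.includes(a))) return `audience not allowed: ${auds.join(',')}`;
  if (!trust.boundSubjects.includes(claims.sub)) return `subject not bound: ${claims.sub}`;
  return null;
}

// Constructed sample: team "acme" in team issuer mode; only production of "my-project" is bound.
const sampleTrust: ProviderTrust = {
  issuer: issuerUrl('team', 'acme'),
  allowedAudiences: ['https://vercel.com/acme'],
  boundSubjects: [vercelSubject('acme', 'my-project', 'production')],
};
```

With this binding a token minted for the `preview` environment of the same project is rejected at the subject check, which is the least-privilege property of binding one principal per environment rather than a wildcard.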
Once you have configured your GCP project with OIDC access, gather the following values from the Google Cloud Console:
| Value | Location | Environment Variable | Example |
| --- | --- | --- | --- |
| Project ID | IAM & Admin -> Settings | `GCP_PROJECT_ID` | `my-project-123456` |
| Project Number | IAM & Admin -> Settings | `GCP_PROJECT_NUMBER` | `1234567890` |
| Service Account Email | IAM & Admin -> Service Accounts | `GCP_SERVICE_ACCOUNT_EMAIL` | `vercel@my-project-123456.iam.gserviceaccount.com` |
| Workload Identity Pool ID | IAM & Admin -> Workload Identity Federation -> Pools | `GCP_WORKLOAD_IDENTITY_POOL_ID` | `vercel` |
| Workload Identity Pool Provider ID | IAM & Admin -> Workload Identity Federation -> Pools -> Providers | `GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID` | `vercel` |
Then, declare them as environment variables in your Vercel project.
You are now ready to connect to your GCP resource from your project's code. Review the example below.
In the following example, you create a Vercel function in the Vercel project where you have defined the GCP account environment variables. The function will connect to GCP using OIDC and use a specific resource provided by Google Cloud services.
Install the following packages:
```shell
pnpm i google-auth-library @ai-sdk/google-vertex ai @vercel/functions
```
In the API route for this function, use the following code to perform the following tasks:
- Use `google-auth-library` to create an External Account Client
- Use it to authenticate with Google Cloud Services
- Use Vertex AI with the Google Vertex provider to generate text from a prompt
```typescript
import { getVercelOidcToken } from '@vercel/functions/oidc';
import { ExternalAccountClient } from 'google-auth-library';
import { createVertex } from '@ai-sdk/google-vertex';
import { generateText } from 'ai';

const GCP_PROJECT_ID = process.env.GCP_PROJECT_ID;
const GCP_PROJECT_NUMBER = process.env.GCP_PROJECT_NUMBER;
const GCP_SERVICE_ACCOUNT_EMAIL = process.env.GCP_SERVICE_ACCOUNT_EMAIL;
const GCP_WORKLOAD_IDENTITY_POOL_ID = process.env.GCP_WORKLOAD_IDENTITY_POOL_ID;
const GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID =
  process.env.GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID;

// Initialize the External Account Client. The audience is the full resource name
// of the provider created above; STS exchanges the Vercel OIDC token for a
// federated token, which is then used to impersonate the service account.
const authClient = ExternalAccountClient.fromJSON({
  type: 'external_account',
  audience: `//iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID}`,
  subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
  token_url: 'https://sts.googleapis.com/v1/token',
  service_account_impersonation_url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_SERVICE_ACCOUNT_EMAIL}:generateAccessToken`,
  subject_token_supplier: {
    // Use the Vercel OIDC token as the subject token
    getSubjectToken: getVercelOidcToken,
  },
});

const vertex = createVertex({
  project: GCP_PROJECT_ID,
  location: 'us-central1',
  googleAuthOptions: {
    authClient,
    projectId: GCP_PROJECT_ID,
  },
});

// Export the route handler
export const GET = async (req: Request) => {
  // generateText is asynchronous; await it before serializing the result
  const result = await generateText({
    model: vertex('gemini-1.5-flash'),
    prompt: 'Write a vegetarian lasagna recipe for 4 people.',
  });
  return Response.json(result);
};
```