Set up a project for Vertex AI

This page contains the tasks you must complete on Google Distributed Cloud (GDC) air-gapped to have your project ready to run Vertex AI services. The page also provides instructions on configuring the gdcloud CLI in your development environment. Complete the following steps on the project where you want to implement Vertex AI for your machine learning (ML) models and artificial intelligence (AI) applications.

If you lack the necessary permissions, ask your administrator to set up the project on your behalf.

Ask an administrator to set up a project for you

Most tasks to set up a project require platform administrator access. This section describes how an administrator obtains the roles to set up a project to implement Vertex AI.

An administrator must take the following steps to set up a project for you to run Vertex AI services on the project namespace:

  1. Determine a meaningful project name and project ID to identify the project. If you are part of an organization or plan to create multiple projects, consider what naming conventions and entities are recognized on Distributed Cloud. For more information, see Resource hierarchy.

  2. Ask your Organization IAM Admin to grant you the following roles to set up a project:

    • To create a project, obtain the Project Creator (project-creator) role.
    • To create a billing account, obtain the Organization Billing Account Administrator (organization-billing-account-admin) role.
    • To create service accounts, obtain the Project IAM Admin (project-iam-admin) role.

    For information about these roles, see Predefined role descriptions. To learn how to grant permissions to a subject, see Grant and revoke access.

  3. Set up a project by following the instructions in this document.

Before you begin

Follow these steps before setting up a project for Vertex AI on Distributed Cloud:

  1. To create a project, ask your Organization IAM Admin to grant you the Project Creator (project-creator) role.
  2. Create a project to group your Vertex AI services together.
  3. Ensure that billing is enabled for your Distributed Cloud project.

Install the gdcloud CLI

To activate Distributed Cloud services and gain access to tools and components, install the gdcloud CLI.

Follow these steps to install the gdcloud CLI and manage the required components:

  1. Download the gdcloud CLI.

  2. Initialize the gdcloud CLI:

    gdcloud init

    For more information, see Install the gdcloud CLI.

  3. Install your required components:

    gdcloud components install COMPONENT_ID

    Replace COMPONENT_ID with the name of the component you want to install.

    For more information, see Manage gdcloud CLI components.

  4. Authenticate with gdcloud CLI:

    gdcloud auth login

    For more information about how to authenticate with your configured identity provider and get a kubeconfig file for your user identity and cluster, see the gdcloud CLI authentication.

Set up service accounts

Service accounts, also referred to as service identities, play a crucial role in managing your Vertex AI services. They are the accounts that your workloads use to access Vertex AI services and make authorized API calls programmatically. For example, service accounts can manage your Vertex AI Workbench notebook to transcribe audio files using the Speech-to-Text API. Similar to a user account, service accounts can be granted permissions and roles, providing a secure and controlled environment, but they can't sign in like a human user.

You can set up service accounts for Vertex AI services by specifying the name of your service account, your project ID, and the name of a JSON file for key pairs.

Follow these steps to set up service accounts using the gdcloud CLI:

  1. To create service accounts, ask your Project IAM Admin to grant you the Project IAM Admin (project-iam-admin) role. Users with access to service accounts can access all service accounts within a project.

  2. Create a service account:

    gdcloud iam service-accounts create SERVICE_ACCOUNT --project=PROJECT_ID

    Replace the following:

    • SERVICE_ACCOUNT: the name of the service account. The name must be unique within the project namespace.
    • PROJECT_ID: the project ID where you want to create the service account. If gdcloud init is already set, then you can omit the --project flag.

  3. Create the application default credentials JSON file and the public and private key pairs:

    gdcloud iam service-accounts keys create APPLICATION_DEFAULT_CREDENTIALS_FILENAME \
    --project=PROJECT_ID \
    --iam-account=SERVICE_ACCOUNT \
    --ca-cert-path=CA_CERTIFICATE_PATH

    Replace the following:

    • APPLICATION_DEFAULT_CREDENTIALS_FILENAME: the name of the JSON file, for example, my-service-key.json.
    • PROJECT_ID: the project to create the key for.
    • SERVICE_ACCOUNT: the name of the service account to add the key for.
    • CA_CERTIFICATE_PATH: an optional flag for the path to the certificate authority (CA) certificate that verifies the authentication endpoint. If you don't specify this path, the system CA certificates are used. You must install the CA in the system CA certificates.

    Distributed Cloud adds the public key to the service account keys you use to verify the JSON web tokens (JWT) the private key signs. The private key is written to the application default credentials JSON file.

  4. Grant the service account access to project resources by assigning a role binding. The name of the role depends on the Vertex AI service you want to use the service account for.

    gdcloud iam service-accounts add-iam-policy-binding \
    --project=PROJECT_ID \
    --iam-account=SERVICE_ACCOUNT \
    --role=ROLE

    Replace the following:

    • PROJECT_ID: the project to create the role binding in.
    • SERVICE_ACCOUNT: the name of the service account to use.

    • ROLE: the predefined role to assign to the service account. Specify roles in the format role/name where role is the Kubernetes type, such as Roleor ProjectRole, and name is the name of the predefined role. For example, the following are roles that you can assign to service accounts to use Vertex AI pre-trained APIs:

      • To assign the AI OCR Developer (ai-ocr-developer) role, set the role torole/ai-ocr-developer.
      • To assign the AI Speech Developer (ai-speech-developer) role, set the role torole/ai-speech-developer.
      • To assign the AI Translation Developer (ai-translation-developer) role, set the role torole/ai-translation-developer.

To learn more about how to create a service account, assign role bindings to it, and create and add key pairs, see Manage service accounts.