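Most tasks to set up a project require platform administrator access. An administrator must determine a meaningful project name and project ID to identify the project. If you are part of an organization or plan to create multiple projects, consider what naming conventions and entities are recognized on Distributed Cloud. For more information, see Resource hierarchy.
If you lack the necessary permissions, ask your administrator to set up the project on your behalf.
Set up a project by following the instructions in this document.
Before you begin
To get the permissions that you need to create a project and configure service accounts, ask your Organization IAM Admin or Project IAM Admin to grant you the following roles in your project namespace.
For more information about how to authenticate with your configured identity provider and get a kubeconfig file for your user identity and Kubernetes cluster, see the gdcloud CLI authentication.
Set up service accounts
Service accounts, also referred to as service identities, play a crucial role in managing your Vertex AI services. They are the accounts that your workloads use to access Vertex AI services and AI models and make authorized API calls programmatically. For example, service accounts can manage your Vertex AI Workbench notebook to transcribe audio files using the Speech-to-Text API. Similar to a user account, service accounts can be granted permissions and roles, providing a secure and controlled environment, but they can't sign in like a human user.
You can set up service accounts for Vertex AI services by specifying the name of your service account, your project ID, and the name of a JSON file for key pairs.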
Last updated 2025-09-04 UTC.

# Set up a project for Vertex AI

This page guides you through how to set up a project to run Vertex AI services on Google Distributed Cloud (GDC) air-gapped. It includes steps for configuring your development environment with the gdcloud CLI, the trust bundle certificate authority (CA), and your service accounts, so you can begin integrating machine learning into your applications and workflows.

This page is for application developers within application operator groups who are responsible for optimizing air-gapped applications and workflows with AI features. For more information, see [Audiences for GDC air-gapped documentation](/distributed-cloud/hosted/docs/latest/gdch/resources/audiences).

Ask an administrator to set up a project for you
------------------------------------------------

Most tasks to set up a project require platform administrator access. An
administrator must determine a meaningful project name and project ID to
identify the project. If you are part of an organization or plan to create
multiple projects, consider what naming conventions and entities are recognized
on Distributed Cloud. For more information, see
[Resource hierarchy](/distributed-cloud/hosted/docs/latest/gdch/resources/resource-hierarchy).

If you lack the necessary permissions, ask your administrator to set up the
project on your behalf.

Set up a project by following the instructions in this document.

| **Note:** Certain tasks in Vertex AI require that you use additional Distributed Cloud components besides Vertex AI. For example, online predictions use Distributed Cloud storage buckets to store artifacts such as datasets and models. Also, to track costs for projects, you require a billing account. You might need to perform additional setup tasks and obtain additional roles to use other Distributed Cloud components.

Before you begin
----------------

To get the permissions that you need to create a project and configure service
accounts, ask your Organization IAM Admin or Project IAM Admin to grant you the
following roles in your project namespace:

- To create a project, obtain the Project Creator (`project-creator`) role.
- To create service accounts, obtain the Project IAM Admin (`project-iam-admin`) role.

For information about these roles, see [Prepare IAM permissions](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/vertex-ai-ao-permissions).
To learn how to grant permissions to a subject, see [Grant and revoke access](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/set-up-role-bindings).

Then, [create a project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/create-a-project) to
group your Vertex AI services together.
[Ensure that billing is enabled for your Distributed Cloud project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/billing/manage-billing-accounts).

Install the gdcloud CLI
-----------------------

To activate Distributed Cloud services and gain access to tools and
components, install the gdcloud CLI.

Follow these steps to install the gdcloud CLI and manage the required
components:

1. [Download the gdcloud CLI](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-download).
2. Initialize the gdcloud CLI:

       gdcloud init

   For more information, see [Install the gdcloud CLI](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install).
3. Install your required components:

       gdcloud components install COMPONENT_ID

   Replace `COMPONENT_ID` with the name of the component you
   want to install.

   For more information, see [Manage gdcloud CLI components](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install#manage-components).
4. Authenticate with gdcloud CLI:

       gdcloud auth login

   For more information about how to authenticate with your configured identity
   provider and get a kubeconfig file for your user identity and Kubernetes
   cluster, see [the gdcloud CLI authentication](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-auth).

Set up service accounts
-----------------------

Service accounts, also referred to as service identities, play a crucial role in
managing your Vertex AI services. They are the accounts that your
workloads use to access Vertex AI services and AI models and make
authorized API calls programmatically. For example, service accounts can manage
your Vertex AI Workbench notebook to transcribe audio files using
the Speech-to-Text API. Similar to a user account, service accounts can be
granted permissions and roles, providing a secure and controlled environment,
but they can't sign in like a human user.

You can set up service accounts for Vertex AI services by
specifying the name of your service account, your project ID, and the name of a
JSON file for key pairs.

To learn more about how to create a service account, assign role bindings to it,
and create and add key pairs, see [Manage service accounts](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/service-identities).

Follow these steps to set up service accounts using the gdcloud CLI:

1. Create a service account:

       gdcloud iam service-accounts create SERVICE_ACCOUNT --project=PROJECT_ID

   Replace the following:
   - `SERVICE_ACCOUNT`: the name of the service account. The name must be unique within the project namespace.
   - `PROJECT_ID`: the project ID where you want to create the service account. If `gdcloud init` is already set, then you can omit the `--project` flag.
2. Create the application default credentials JSON file and the public and
   private key pairs:

       gdcloud iam service-accounts keys create APPLICATION_DEFAULT_CREDENTIALS_FILENAME \
           --project=PROJECT_ID \
           --iam-account=SERVICE_ACCOUNT \
           --ca-cert-path=CA_CERTIFICATE_PATH

   Replace the following:
   - `APPLICATION_DEFAULT_CREDENTIALS_FILENAME`: the name of the JSON file, such as `my-service-key.json`.
   - `PROJECT_ID`: the project to create the key for.
   - `SERVICE_ACCOUNT`: the name of the service account to add the key for.
   - `CA_CERTIFICATE_PATH`: an optional flag for the path to the certificate authority (CA) certificate that verifies the authentication endpoint. If you don't specify this path, the system CA certificates are used. You must install the CA in the system CA certificates.

   Distributed Cloud adds the public key to the service account keys you
   use to verify the JSON web tokens (JWT) that the private key signs. The
   private key is written to the application default credentials JSON file.
3. Grant the service account access to project resources by assigning a role
   binding. The name of the role depends on the Vertex AI service
   you want to use the service account for.

       gdcloud iam service-accounts add-iam-policy-binding \
           --project=PROJECT_ID \
           --iam-account=SERVICE_ACCOUNT \
           --role=ROLE

   Replace the following:
   - `PROJECT_ID`: the project to create the role binding in.
   - `SERVICE_ACCOUNT`: the name of the service account to use.
   - `ROLE`: the predefined role to assign to the
     service account. Specify roles in the format `Role/name` where *Role* is
     the Kubernetes type, such as `Role` or `ProjectRole`, and *name* is the
     Kubernetes resource name of the predefined role. For example, the
     following are roles that you can assign to service accounts to use some of
     the Vertex AI pre-trained APIs:

     - To assign the AI OCR Developer (`ai-ocr-developer`) role, set the role to `Role/ai-ocr-developer`.
     - To assign the AI Speech Developer (`ai-speech-developer`) role, set the role to `Role/ai-speech-developer`.
     - To assign the AI Translation Developer (`ai-translation-developer`) role, set the role to `Role/ai-translation-developer`.

   | **Note:** To learn more about predefined roles and the names you must assign depending on the Vertex AI service or model you want to use, see [Prepare IAM permissions](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/vertex-ai-ao-permissions).
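
Because step 2 writes the service account's private key into the credentials JSON file, it helps to run the three steps with a guard around the key file and the role string. The following wrapper is an added example, not code from the Distributed Cloud documentation. The function names are hypothetical, and it assumes that only the two role kinds named on this page (`Role`, `ProjectRole`) are accepted and that role names look like the lowercase ones shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the GDC docs); function names are hypothetical.

# Accept only the Kind/name role form. Assumptions: only the two kinds the page
# names are allowed, and names look like the lowercase roles shown on the page.
valid_role() {
  case "$1" in
    Role/*|ProjectRole/*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${1#*/}" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# True when the file exists and group/other have no permission bits on it.
key_file_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs the page's three steps: create the account, create the key, bind the role.
# Usage: setup_service_account SERVICE_ACCOUNT PROJECT_ID ROLE KEY_FILE [CA_CERT]
setup_service_account() {
  sa=$1 project=$2 role=$3 key_file=$4 ca_cert=${5:-}
  if ! valid_role "$role"; then
    echo "rejected role '$role' (expected Role/name or ProjectRole/name)" >&2
    return 2
  fi
  if [ -e "$key_file" ]; then
    echo "refusing to overwrite existing key file $key_file" >&2
    return 3
  fi
  gdcloud iam service-accounts create "$sa" --project="$project" || return
  (
    umask 077  # a newly created key file gets no group/other permission bits
    set -- "$key_file" --project="$project" --iam-account="$sa"
    [ -n "$ca_cert" ] && set -- "$@" --ca-cert-path="$ca_cert"
    gdcloud iam service-accounts keys create "$@"
  ) || return
  # The JSON file holds the private key: tighten it if the umask did not apply.
  key_file_is_private "$key_file" || chmod 600 "$key_file" || return
  gdcloud iam service-accounts add-iam-policy-binding \
    --project="$project" --iam-account="$sa" --role="$role"
}
```

Source the file and call `setup_service_account` with your own values; the role check and the overwrite check both run before any `gdcloud` command is issued.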