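Service accounts, also referred to as service identities, play a crucial role in managing your Vertex AI services. They are the accounts that your workloads use to access Vertex AI services and AI models and make authorized API calls programmatically. For example, service accounts can manage your Vertex AI Workbench notebook to transcribe audio files using the Speech-to-Text API. Similar to a user account, service accounts can be granted permissions and roles, providing a secure and controlled environment, but they can't sign in like a human user.
You can set up service accounts for Vertex AI services by specifying the name of your service account, your project ID, and the name of a JSON file for key pairs.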
Last updated (UTC): 2025-09-04.

- This guide outlines the necessary steps to prepare a project on Google Distributed Cloud (GDC) air-gapped for running Vertex AI services.
- You'll need to install the gdcloud CLI to interact with Distributed Cloud services and manage required components.
- Setting up service accounts is crucial for managing Vertex AI services and allowing your workloads to programmatically access them through authorized API calls.
- To complete these tasks, you will likely need the Project Creator (`project-creator`) and Project IAM Admin (`project-iam-admin`) roles, otherwise an admin will need to set up the project for you.
- You will also need to set up billing for the project on Distributed Cloud to track the costs for your projects.

# Set up a project for Vertex AI

This page guides you through how to set up a project to run Vertex AI services on Google Distributed Cloud (GDC) air-gapped. It includes steps for configuring your development environment with the gdcloud CLI, the trust bundle certificate authority (CA), and your service accounts, so you can begin integrating machine learning into your applications and workflows.

This page is for application developers within application operator groups who are responsible for optimizing air-gapped applications and workflows with AI features. For more information, see [Audiences for GDC air-gapped documentation](/distributed-cloud/hosted/docs/latest/gdch/resources/audiences).

Ask an administrator to set up a project for you
------------------------------------------------

Most tasks to set up a project require platform administrator access. An administrator must determine a meaningful project name and project ID to identify the project. If you are part of an organization or plan to create multiple projects, consider what naming conventions and entities are recognized on Distributed Cloud. For more information, see [Resource hierarchy](/distributed-cloud/hosted/docs/latest/gdch/resources/resource-hierarchy).

If you lack the necessary permissions, ask your administrator to set up the project on your behalf.

Set up a project by following the instructions in this document.

**Note:** Certain tasks in Vertex AI require that you use additional Distributed Cloud components besides Vertex AI. For example, online predictions use Distributed Cloud storage buckets to store artifacts such as datasets and models. Also, to track costs for projects, you require a billing account. You might need to perform additional setup tasks and obtain additional roles to use other Distributed Cloud components.

Before you begin
----------------

To get the permissions that you need to create a project and configure service accounts, ask your Organization IAM Admin or Project IAM Admin to grant you the following roles in your project namespace:

- To create a project, obtain the Project Creator (`project-creator`) role.
- To create service accounts, obtain the Project IAM Admin (`project-iam-admin`) role.

For information about these roles, see [Prepare IAM permissions](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/vertex-ai-ao-permissions). To learn how to grant permissions to a subject, see [Grant and revoke access](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/set-up-role-bindings).

Then, [create a project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/create-a-project) to group your Vertex AI services together. [Ensure that billing is enabled for your Distributed Cloud project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/billing/manage-billing-accounts).

Install the gdcloud CLI
-----------------------

To activate Distributed Cloud services and gain access to tools and components, install the gdcloud CLI.

Follow these steps to install the gdcloud CLI and manage the required components:

1. [Download the gdcloud CLI](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-download).
2. Initialize the gdcloud CLI:

       gdcloud init

   For more information, see [Install the gdcloud CLI](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install).
3. Install your required components:

       gdcloud components install COMPONENT_ID

   Replace `COMPONENT_ID` with the name of the component you want to install.

   For more information, see [Manage gdcloud CLI components](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install#manage-components).
4. Authenticate with gdcloud CLI:

       gdcloud auth login

   For more information about how to authenticate with your configured identity provider and get a kubeconfig file for your user identity and Kubernetes cluster, see [the gdcloud CLI authentication](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-auth).

Set up service accounts
-----------------------

Service accounts, also referred to as service identities, play a crucial role in managing your Vertex AI services. They are the accounts that your workloads use to access Vertex AI services and AI models and make authorized API calls programmatically. For example, service accounts can manage your Vertex AI Workbench notebook to transcribe audio files using the Speech-to-Text API. Similar to a user account, service accounts can be granted permissions and roles, providing a secure and controlled environment, but they can't sign in like a human user.

You can set up service accounts for Vertex AI services by specifying the name of your service account, your project ID, and the name of a JSON file for key pairs.

To learn more about how to create a service account, assign role bindings to it, and create and add key pairs, see [Manage service accounts](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/service-identities).

Follow these steps to set up service accounts using the gdcloud CLI:

1. Create a service account:

       gdcloud iam service-accounts create SERVICE_ACCOUNT --project=PROJECT_ID

   Replace the following:
   - `SERVICE_ACCOUNT`: the name of the service account. The name must be unique within the project namespace.
   - `PROJECT_ID`: the project ID where you want to create the service account. If `gdcloud init` is already set, then you can omit the `--project` flag.
2. Create the application default credentials JSON file and the public and private key pairs:

       gdcloud iam service-accounts keys create APPLICATION_DEFAULT_CREDENTIALS_FILENAME \
           --project=PROJECT_ID \
           --iam-account=SERVICE_ACCOUNT \
           --ca-cert-path=CA_CERTIFICATE_PATH

   Replace the following:
   - `APPLICATION_DEFAULT_CREDENTIALS_FILENAME`: the name of the JSON file, such as `my-service-key.json`.
   - `PROJECT_ID`: the project to create the key for.
   - `SERVICE_ACCOUNT`: the name of the service account to add the key for.
   - `CA_CERTIFICATE_PATH`: an optional flag for the path to the certificate authority (CA) certificate that verifies the authentication endpoint. If you don't specify this path, the system CA certificates are used. You must install the CA in the system CA certificates.

   Distributed Cloud adds the public key to the service account keys you use to verify the JSON web tokens (JWT) that the private key signs. The private key is written to the application default credentials JSON file.
3. Grant the service account access to project resources by assigning a role binding. The name of the role depends on the Vertex AI service you want to use the service account for.

       gdcloud iam service-accounts add-iam-policy-binding \
           --project=PROJECT_ID \
           --iam-account=SERVICE_ACCOUNT \
           --role=ROLE

   Replace the following:
   - `PROJECT_ID`: the project to create the role binding in.
   - `SERVICE_ACCOUNT`: the name of the service account to use.
   - `ROLE`: the predefined role to assign to the service account. Specify roles in the format `Role/name` where *Role* is the Kubernetes type, such as `Role` or `ProjectRole`, and *name* is the Kubernetes resource name of the predefined role. For example, the following are roles that you can assign to service accounts to use some of the Vertex AI pre-trained APIs:

     - To assign the AI OCR Developer (`ai-ocr-developer`) role, set the role to `Role/ai-ocr-developer`.
     - To assign the AI Speech Developer (`ai-speech-developer`) role, set the role to `Role/ai-speech-developer`.
     - To assign the AI Translation Developer (`ai-translation-developer`) role, set the role to `Role/ai-translation-developer`.

   **Note:** To learn more about predefined roles and the names you must assign depending on the Vertex AI service or model you want to use, see [Prepare IAM permissions](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/vertex-ai-ao-permissions).
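
The three service-account steps above, combined into one script that validates the `Role/name` argument before any call and confirms that the credentials JSON file holding the private key is readable only by its owner. This is an added example, not code from the original page or from the gdcloud CLI. The function names are hypothetical, the role-type allowlist contains only the two types the page names, and the name pattern is an assumed lowercase DNS-style label.

```sh
#!/bin/sh
# Added example (not from the original page): steps 1-3 with key-file guards.

# Accept only the Role/name form. Assumptions: the type allowlist holds just the
# two types the page names, and the name is checked as a lowercase DNS-style
# label, which may be stricter than the platform requires.
valid_role() {
  local name
  case "$1" in
    Role/*|ProjectRole/*) name=${1#*/} ;;
    *) return 1 ;;
  esac
  case "$name" in
    ''|-*|*-|*[!abcdefghijklmnopqrstuvwxyz0123456789-]*) return 1 ;;
  esac
  [ "${#name}" -le 63 ]
}

# True only for a regular, non-symlink file with no group or other permissions.
key_file_is_private() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Usage: setup_service_account SERVICE_ACCOUNT PROJECT_ID KEY_FILE ROLE [CA_CERT]
setup_service_account() {
  local sa="$1" project="$2" key_file="$3" role="$4" ca_cert="${5:-}"
  valid_role "$role" || { echo "bad role: $role" >&2; return 2; }
  # Never overwrite an existing path: it may hold a key that is still in use.
  [ ! -e "$key_file" ] && [ ! -L "$key_file" ] ||
    { echo "refusing to overwrite $key_file" >&2; return 2; }

  gdcloud iam service-accounts create "$sa" --project="$project" || return 1

  # Build the keys-create arguments; --ca-cert-path is optional per the page.
  set -- "$key_file" --project="$project" --iam-account="$sa"
  [ -z "$ca_cert" ] || set -- "$@" --ca-cert-path="$ca_cert"
  # umask 077 in a subshell restricts the new file to its owner; verified below.
  ( umask 077; gdcloud iam service-accounts keys create "$@" ) || return 1
  key_file_is_private "$key_file" || { echo "$key_file is too permissive" >&2; return 1; }

  gdcloud iam service-accounts add-iam-policy-binding \
    --project="$project" --iam-account="$sa" --role="$role"
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -ge 4 ]; then setup_service_account "$@"; fi
```

`key_file_is_private` can also be run on its own against credentials files that already exist, for example before a workload loads one.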