# Configure delegated access for GCP Vertex AI ## Overview For Vertex AI, delegated access is typically implemented with a Google service account and short-lived OAuth access tokens generated through secure identity flows. In production, prefer Workload Identity Federation or managed identity paths over long-lived JSON key files. ## When to use this * Production systems where static service-account keys are discouraged. * Centralized IAM/security operations with scoped permissions. * Environments requiring frequent credential rotation and strong audit trails. ## Prerequisites * GCP project with Vertex AI enabled. * Permissions to create/manage service accounts and IAM roles. * A service account dedicated to Flashback AI provider access. * Flashback AI LLM setup path: [Configure an AI LLM](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1.md). ## Step-by-step (provider side) {% stepper %} {% step %} #### Create a service account with least privilege Create a service account for Vertex AI calls and assign only required permissions. Use minimum roles required for your use case (for example, prediction/invocation capabilities instead of broad project admin roles). {% endstep %} {% step %} #### Prefer short-lived credentials Use Workload Identity / token exchange flows to obtain short-lived OAuth access tokens. Avoid storing long-lived JSON private keys in production when possible. {% endstep %} {% step %} #### Generate and refresh access tokens Implement a secure token refresh mechanism (for example in a trusted backend service) that obtains fresh OAuth access tokens before expiry. If your architecture needs a stable upstream interface, expose a small proxy that handles token acquisition and forwards requests to Vertex AI. {% endstep %} {% endstepper %} ## Configure in Flashback Use [Configure an AI LLM](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1.md) with existing fields: * Choose the appropriate **AI LLM Type** for your Vertex integration. * Set **API Endpoint** to Vertex AI endpoint (or your proxy endpoint). * Set **API Secret** to the token/credential expected by that endpoint. * Set **API Key** only if your integration endpoint requires an additional key. {% hint style="info" %} If your provider flow cannot be mapped directly to endpoint + secret/token, place the identity logic in a controlled proxy and configure Flashback to call that proxy. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.flashback.tech/guides/configure-external-delegated-credentials/configure-delegated-access-for-gcp-vertex-ai.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.