Google Vertex AI

Vertex AI serves Google's Gemini models and Anthropic's Claude models on Google Cloud. Connecting it behind NetBird gives your agents keyless access over the tunnel: NetBird holds the Google credential server-side, ties every request to a real identity from your IdP, and applies your policies, limits, and audit on the way to Vertex.

Unlike API-key providers, Vertex AI authenticates with a Google Cloud service account rather than a single key string. You create the service account in your project, grant it the Vertex AI roles, download a JSON key, and hand that key to NetBird, which stores it encrypted server-side.

Prerequisites

  • A Google Cloud project with the Vertex AI API enabled.
  • The gcloud CLI authenticated against that project.
  • Permission to create service accounts and grant IAM roles in the project.

Set Your Google Cloud Project

gcloud config set project <your-project>

Create a Service Account

Create a dedicated service account for NetBird so its access is scoped and auditable separately from your own credentials:

gcloud iam service-accounts create netbird-vertex \
  --display-name="NetBird Vertex AI"

Grant IAM Roles

The service account needs two roles — one to call Vertex AI models, and one to consume the project's enabled services:

gcloud projects add-iam-policy-binding <your-project> \
  --member="serviceAccount:netbird-vertex@<your-project>.iam.gserviceaccount.com" \
  --role="roles/aiplatform.user"

gcloud projects add-iam-policy-binding <your-project> \
  --member="serviceAccount:netbird-vertex@<your-project>.iam.gserviceaccount.com" \
  --role="roles/serviceusage.serviceUsageConsumer"

Generate a JSON Key

gcloud iam service-accounts keys create netbird-vertex-key.json \
  --iam-account=netbird-vertex@<your-project>.iam.gserviceaccount.com

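If you'd rather paste the key as a single line, base64-encode it first. The command below uses pbcopy, the macOS clipboard tool; on Linux, GNU base64 wraps its output unless given -w 0: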

cat netbird-vertex-key.json | base64 | pbcopy

Connect the Provider

  1. Go to Agent Network → Providers and click Connect Provider.
  2. Select Google Vertex AI. NetBird pre-fills the upstream URL (https://aiplatform.googleapis.com) and the correct auth handling for Vertex.
  3. Provide the service account key you generated (netbird-vertex-key.json). NetBird stores it encrypted server-side and never returns it to callers.
  4. (Optional) Restrict the allowed models and set per-model pricing — for example gemini-2.5-pro, gemini-2.5-flash, claude-sonnet-4-6, or claude-opus-4-7. Leaving the list empty allows any catalog model.
  5. Save the provider. The credential is now held server-side — the next step authorizes who can use it.

See Providers for details.

Create a Policy

By default nothing is allowed — a policy must connect a source group to the Vertex AI provider before anyone can route through it.

  1. Go to Agent Network → Policies and add a policy.
  2. Set the Source to the users or agents who should be able to reach Vertex AI (for example your Engineering group from your IdP).
  3. Set the Provider to the Google Vertex AI provider you just connected.
  4. Optionally attach per-user or per-group token and budget limits and guardrails such as a model allowlist.

See Policies for details.

Manage Service Account Keys

List the keys for the service account, and revoke any you no longer need:

gcloud iam service-accounts keys list \
  --iam-account=netbird-vertex@<your-project>.iam.gserviceaccount.com

gcloud iam service-accounts keys delete <key-id> \
  --iam-account=netbird-vertex@<your-project>.iam.gserviceaccount.com
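
To decide which keys to revoke, the JSON form of the listing above (add --format=json to the keys list command) can be screened for user-managed keys past a rotation age. This is an added example, not NetBird or Google code; the 90-day threshold, the function name, and the sample records are assumptions, while name, keyType, and validAfterTime are fields of the gcloud JSON output.

```python
"""Flag user-managed service account keys older than a rotation threshold.

Pipe in the output of `gcloud iam service-accounts keys list --format=json`;
with no input, the constructed sample below is used.
"""
import json
import sys
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # assumed rotation policy; adjust to your own

# Constructed sample records shaped like gcloud's JSON output (not real keys).
_SA = "projects/example-project/serviceAccounts/netbird-vertex@example-project.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"{_SA}/keys/aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-01-01T00:00:00Z"},
    {"name": f"{_SA}/keys/bbbb2222", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-05-20T12:00:00Z"},
    {"name": f"{_SA}/keys/cccc3333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z"},
]


def stale_keys(keys, now, max_age_days=MAX_AGE_DAYS):
    """Return [(key_id, age_days)] for USER_MANAGED keys older than max_age_days."""
    stale = []
    for key in keys:
        # Google-managed keys are rotated by Google and are never downloaded,
        # so only user-managed (downloaded JSON) keys need manual rotation.
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        age = (now - created).days
        if age > max_age_days:
            key_id = key["name"].rsplit("/", 1)[-1]  # last path segment is the key id
            stale.append((key_id, age))
    return sorted(stale, key=lambda item: -item[1])  # oldest first


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    keys = json.loads(raw) if raw.strip() else SAMPLE_KEYS
    for key_id, age in stale_keys(keys, datetime.now(timezone.utc)):
        print(f"rotate or delete key {key_id}: {age} days old")
```

The key ids it prints are the values to pass as <key-id> to the keys delete command, after a replacement key has been generated and provided to NetBird.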