Skip to main content
This page walks an IT administrator through a complete Vertex AI deployment: enabling Claude in your Google Cloud project, choosing the authentication path that fits your organization, preparing devices, and pushing the managed configuration. If you only need the list of configuration keys, skip to Configure the app.

Choose an authentication approach

Vertex AI authenticates with Google Cloud Application Default Credentials, which can be supplied several ways. The right one depends on whether your users have Google identities and whether you need per-user attribution in Cloud Audit Logs.
ScenarioUsePer-device prerequisitePer-user Cloud Audit Logs identityNotes
Proof of concept, single teamService-account key (inferenceVertexCredentialsFile)The key file on each deviceNo (shared service account)A long-lived secret distributed to every device. Simplest to start; not recommended for broad rollout.
Users have Google Workspace or Cloud Identity accountsIn-app Google sign-in (inferenceVertexOAuth*)NoneYesUsers sign in with their Google account inside the app. See the session-control warning below.
Users authenticate with a third-party IdP (Entra ID, Okta, Ping, …) and you don’t want to provision Google identitiesIn-app Workforce Identity sign-in (inferenceVertexWorkforce*)NoneYes (workforce-pool principal)Users sign in with their corporate identity inside the app. The app runs PKCE against your IdP and exchanges the ID token at Google STS.
Your organization already has tooling that obtains a Vertex-usable bearerCredential helper (inferenceCredentialHelper)The helper executable on each deviceDepends on what the helper obtainsThe helper’s stdout is sent as the bearer on each Vertex request.
You already operate an LLM proxyGateway provider instead of VertexNoneAt your gatewayThe proxy holds the Google Cloud credentials; the app authenticates only to the proxy.
If your Google Workspace or Cloud Identity organization enforces a Google Cloud session length of a few hours or less (Admin console → Security → Google Cloud session control), the in-app Google sign-in stores a refresh token that is subject to that policy, and users will be prompted to sign in again each time it expires. For short session policies, either mark your OAuth client as a trusted app exempt from reauthentication, or use a service-account key, Workforce Identity sign-in, or the gateway provider instead.

Set up Google Cloud

These steps are performed once per Google Cloud project, regardless of which authentication approach you chose. You need a project with Owner or Editor access.
1

Enable the Vertex AI API

In the Google Cloud console, enable the Vertex AI API for your project.
2

Enable Claude models in Model Garden

In the Vertex AI Model Garden, locate the Claude models you intend to deploy and click Enable on each. Model availability varies by region; enable them in the region you will set as inferenceVertexRegion.
3

Grant users access to Vertex AI

Each authenticated principal needs permission to call the model. On the project’s IAM page, grant the Vertex AI User role (roles/aiplatform.user) to:
  • the service account, if using a service-account key file
  • the Google group containing your users, if using in-app Google sign-in
If your organization uses a narrower custom role, it must include at minimum aiplatform.endpoints.predict.
4

Create an OAuth client (in-app Google sign-in only)

If you chose in-app Google sign-in, create a Desktop-app OAuth client in your project. See Sign in with Google for Vertex AI for the full procedure, including consent-screen setup.
5

Federate to your IdP (optional)

If your users authenticate with Microsoft Entra ID, Okta, or another identity provider and do not already have Google accounts, you have two options:
  • Workforce Identity Federation (recommended). Create a workforce pool with an OIDC provider, and use the in-app Workforce Identity sign-in approach. Users sign in directly with their corporate identity; no Google identity is provisioned.
  • Cloud Identity with SAML SSO. Provision a free Cloud Identity tenant and configure SAML single sign-on to your IdP. Users then sign in through the in-app Google sign-in approach with a Google identity that is backed by your IdP. See Set up SSO with a third-party IdP in the Cloud Identity documentation.

Prepare devices

What each end-user device needs depends on the authentication approach you chose.

Credentials file

Create a service account in your project, grant it the Vertex AI User role, and download its JSON key. Distribute the key file to a fixed path on each device through your device-management tooling and set inferenceVertexCredentialsFile to that path. inferenceVertexCredentialsFile accepts any Application Default Credentials JSON format, so if your environment already produces an authorized_user file (from gcloud auth application-default login) or an external_account Workforce Identity Federation configuration, you can point at that file instead. For external_account files, the credential_source must be of type file or url (executable sources are not supported), and separate tooling on the device must obtain the IdP token and write it to the configured location; Cowork does not perform that step.

In-app Google sign-in

No per-device preparation is required. Distribute the OAuth client ID and secret in the managed configuration; the app shows a Sign in with Google page on first launch and stores the user’s refresh token encrypted with the operating system’s secure storage. See Sign in with Google for Vertex AI for the full flow.

In-app Workforce Identity sign-in

No per-device preparation is required. In Google Cloud, create a workforce pool with an OIDC provider pointing at your organization’s IdP, and grant the pool’s principals the Vertex AI User role on the project. In your IdP, register a native (PKCE) OAuth client with the loopback redirect URI http://127.0.0.1:<port>/callback. Distribute the workforce-pool provider audience and the IdP OIDC client in the managed configuration; the app shows a Sign in page on first launch, runs an authorization-code-with-PKCE flow against your IdP in the system browser, exchanges the returned ID token for a Google Cloud access token at sts.googleapis.com, and stores the IdP refresh token encrypted with the operating system’s secure storage. No gcloud CLI, helper script, or Google identity is required.

Configure the app

With Google Cloud set up and devices prepared, open the in-app configuration window (Developer → Configure third-party inference) on an evaluation device. In the Connection section, set Inference provider to Vertex AI and fill in the Vertex AI credentials card with the values for whichever authentication approach you chose:
FieldService-account keyIn-app Google sign-in
GCP project IDyour-gcp-projectyour-gcp-project
GCP regione.g. us-east5e.g. us-east5
GCP credentials file path/path/to/sa-key.jsonleave empty
Vertex OAuth client IDleave empty1234567890-abc123.apps.googleusercontent.com
Vertex OAuth client secretleave emptyGOCSPX-xxxxxxxxxxxxxxxxxxxx
Vertex OAuth scopesleave emptyleave empty for the default
Vertex AI base URLoptionaloptional
Under Models, add at least one Model list entry using the Vertex publisher model ID, for example claude-sonnet-4-5@20250929. Then click Export to produce a .mobileconfig (macOS) or .reg (Windows) file for your MDM. See Installation and setup for the export and deployment workflow.

Configuration keys

The full set of Vertex keys is below. Set inferenceProvider to vertex, supply a project and region, and provide exactly one credential source.
SettingRequiredDescription
GCP project ID
inferenceVertexProjectId		YesGoogle Cloud project ID.
GCP region
inferenceVertexRegion		YesGoogle Cloud region for the Vertex AI endpoint, for example us-east5 or europe-west4. global is also accepted where the model supports it.
GCP credentials file path
inferenceVertexCredentialsFile		One credential sourceAbsolute path to a service-account key, authorized_user, or external_account (Workforce Identity Federation) JSON file. A leading ~ is expanded to the user’s home directory; other environment-variable expansion is not performed. If the OAuth client keys are also set, the OAuth sign-in takes precedence and this file is ignored; set only one credential source.
Vertex OAuth client ID
inferenceVertexOAuthClientId		One credential source (with secret)Client ID of a Desktop-app OAuth client in your Google Cloud project. Enables in-app Google sign-in.
Vertex OAuth client secret
inferenceVertexOAuthClientSecret		With OAuth client IDClient secret paired with the client ID above. Not treated as confidential for installed apps.
Vertex OAuth scopes
inferenceVertexOAuthScopes		NoSpace-separated OAuth scopes for Google sign-in. Defaults to openid email https://www.googleapis.com/auth/cloud-platform.
Workforce Identity audience
inferenceVertexWorkforceAudience		One credential source (with Workforce OIDC)Workforce-pool provider resource string, for example //iam.googleapis.com/locations/global/workforcePools/POOL/providers/PROVIDER. When set, interactive sign-in uses your own IdP plus a Google STS exchange instead of a Google identity. Must be set together with inferenceVertexWorkforceOidc.
Workforce Identity billing project
inferenceVertexWorkforceUserProject		NoGoogle Cloud project for STS billing and quota. Defaults to inferenceVertexProjectId.
Workforce Identity IdP (OIDC)
inferenceVertexWorkforceOidc		With Workforce audienceA JSON object describing your organization’s OIDC identity provider: clientId (required), issuer (or authorizationUrl and tokenUrl), scopes (space-separated; defaults to openid profile email offline_access), and redirectPort. Same shape as inferenceGatewayOidc without bearerTokenType.
Vertex AI base URL
inferenceVertexBaseUrl		NoOverride the public regional endpoint, for example with a Private Service Connect address. If no scheme is given, https:// is assumed.
If none of inferenceVertexCredentialsFile, the OAuth client keys, the Workforce Identity keys, or inferenceCredentialHelper is set, the Google client library falls back to the standard Application Default Credentials search path on the device (~/.config/gcloud/application_default_credentials.json, then the environment’s metadata server). You must also set inferenceModels to a list of Vertex publisher model IDs, for example claude-sonnet-4-5@20250929. See the Configuration reference.

What users experience

The first-launch and re-authentication behavior depends on the authentication approach.
ApproachFirst launchRe-authentication
Credentials file (service-account key)Cowork opens directly; no user action.Never, until you rotate the key file.
In-app Google sign-inThe Cowork tab shows a Sign in with Google page. Clicking it opens Google’s consent flow in the default browser. After approval, the app relaunches into Cowork.When the refresh token is revoked, when you deploy a new OAuth client ID, or when your Google Cloud session-control policy expires it.
For in-app Google sign-in, users can sign out by revoking the app from their Google Account’s third-party connections page; the app detects the revoked token at the next session start and shows the sign-in page again.

Troubleshoot

To confirm which keys the app read and whether credentials validated, use Help → Troubleshooting → Copy Managed Configuration Report; see Verifying the deployment for that workflow and the common causes when the app does not enter 3P mode. Application log locations are listed in Data storage and residency.