|
| 1 | +--- |
| 2 | +catalog_title: Google Cloud Agent Identity |
| 3 | +catalog_description: Manage OAuth tokens and API keys for your agents |
| 4 | +catalog_icon: /integrations/assets/agent-identity.svg |
| 5 | +catalog_tags: ["google"] |
| 6 | +--- |
| 7 | + |
| 8 | +# Agent Identity Auth Manager for ADK |
| 9 | + |
| 10 | +<div class="language-support-tag"> |
| 11 | + <span class="lst-supported">Supported in ADK</span><span class="lst-python">Python v1.30.0</span><span class="lst-preview">Preview</span> |
| 12 | +</div> |
| 13 | + |
| 14 | +The [Google Cloud Agent |
| 15 | +Identity](https://docs.cloud.google.com/iam/docs/agent-identity-overview) |
| 16 | +service provides a streamlined, Google-managed solution for managing the |
| 17 | +complete lifecycle of auth credentials, including storing credential |
| 18 | +configurations, generating and storing tokens, and auditing access. This |
| 19 | +approach allows for a secure and simplified agent development experience. |
| 20 | + |
| 21 | +!!! example "Preview release" |
| 22 | + |
| 23 | + The Agent Identity Auth Manager feature is a Preview release. For more |
| 24 | + information, see the [launch stage |
| 25 | + descriptions](https://cloud.google.com/products#product-launch-stages). |
| 26 | + |
| 27 | +## Use cases |
| 28 | + |
| 29 | +- **Simplified OAuth Flow**: Manage the complete lifecycle of auth credentials |
| 30 | + without building custom infrastructure. |
| 31 | +- **Secure Exchange and Storage of Tokens**: Securely store credential |
| 32 | + configurations and exchange tokens. |
| 33 | +- **Audit Logging**: View and audit access to stored credentials. |
| 34 | + |
| 35 | +## Prerequisites |
| 36 | + |
| 37 | +- A [Google Cloud |
| 38 | + project](https://cloud.google.com/resource-manager/docs/creating-managing-projects) |
| 39 | +- One or more Agent Identity [auth |
| 40 | + providers](https://cloud.google.com/iam/docs/manage-auth-providers) created in |
| 41 | + your project |
| 42 | +- The caller identity must have the |
| 43 | + [`iamconnectors.user`](https://docs.cloud.google.com/iam/docs/roles-permissions/iamconnectors#iamconnectors.user) |
| 44 | + role or equivalent permissions |
| 45 | +- Authentication configured via [Application Default |
| 46 | + Credentials](https://docs.cloud.google.com/docs/authentication/application-default-credentials) |
| 47 | + (`gcloud auth application-default login`) |
| 48 | + |
| 49 | +## Installation |
| 50 | + |
| 51 | +Install the `agent-identity` extra package group to download the necessary |
| 52 | +client libraries. |
| 53 | + |
| 54 | +```bash |
| 55 | +pip install "google-adk[agent-identity]" |
| 56 | +``` |
| 57 | + |
| 58 | +## Use with agent |
| 59 | + |
| 60 | +Follow these steps to use the Agent Identity Auth Manager within ADK: |
| 61 | + |
| 62 | +### Register auth provider |
| 63 | + |
| 64 | +To enable ADK to determine which `BaseAuthProvider` to use for a given |
| 65 | +`CustomAuthScheme`, register the `GcpAuthProvider` instance with the |
| 66 | +`CredentialManager`. This needs to be done only once in the agent code. |
| 67 | + |
| 68 | +```python |
| 69 | +from google.adk.auth.credential_manager import CredentialManager |
| 70 | +from google.adk.integrations.agent_identity import GcpAuthProvider |
| 71 | + |
| 72 | +CredentialManager.register_auth_provider(GcpAuthProvider()) |
| 73 | +``` |
| 74 | + |
| 75 | +### Configure tools |
| 76 | + |
| 77 | +Configure the Agent Identity auth provider using a `GcpAuthProviderScheme` |
| 78 | +object, then pass it to the `auth_scheme` parameter of any supported `Tool` or |
| 79 | +`Toolset`. The following example shows usage with `McpToolset`, but |
| 80 | +`GcpAuthProviderScheme` also works with other tools like |
| 81 | +`AuthenticatedFunctionTool`. See the [GCP Auth |
| 82 | +sample](https://github.com/google/adk-python/tree/main/contributing/samples/gcp_auth) |
| 83 | +for a complete example. |
| 84 | + |
| 85 | +```python |
| 86 | +from google.adk.integrations.agent_identity import GcpAuthProviderScheme |
| 87 | +from google.adk.tools.mcp import McpToolset |
| 88 | + |
| 89 | +auth_scheme = GcpAuthProviderScheme( |
| 90 | + name="projects/PROJECT_ID/locations/LOCATION/connectors/AUTH_PROVIDER_NAME", |
| 91 | + # continue_uri is only needed for 3-legged OAuth flows. This URI receives |
| 92 | + # the redirect after user consent and must be hosted by your application. |
| 93 | + continue_uri=CONTINUE_URI |
| 94 | +) |
| 95 | + |
| 96 | +toolset = McpToolset( |
| 97 | + connection_params=StreamableHTTPConnectionParams(url="https://YOUR_MCP_SERVER_URL"), |
| 98 | + auth_scheme=auth_scheme, |
| 99 | +) |
| 100 | +``` |
| 101 | + |
| 102 | +### Handle OAuth consent |
| 103 | + |
| 104 | +- **Detecting the Auth Request**: Similar to the existing flow, whenever user |
| 105 | + consent is required, a `FunctionCall` event named `adk-request-credential` |
| 106 | + is generated containing the `auth_uri` field. The user app should open |
| 107 | + the `auth_uri` in a popup window to continue the user consent flow. |
| 108 | +- **Continue URI Handler**: |
| 109 | + - Once the user completes the OAuth consent flow on the third-party |
| 110 | + provider's website, the system redirects to the `continue_uri` |
| 111 | + callback defined earlier in the `GcpAuthProviderScheme`. The agent |
| 112 | + application service must implement this redirect. To finalize issuance, |
| 113 | + your handler must submit a POST request to the credentials endpoint: |
| 114 | + `https://iamconnectorcredentials.googleapis.com/v1alpha/{connector_name}/credentials:finalize`. |
| 115 | + - After credentials are successfully finalized, the web application should |
| 116 | + resume the agent by sending a FunctionResponse. For a sample |
| 117 | + implementation, refer to the [sample |
| 118 | + code](https://docs.cloud.google.com/iam/docs/auth-with-3lo#resume-conversation). |
| 119 | + Unlike the native user consent flow, no authorization code is required to |
| 120 | + resume the agent. |
| 121 | + - For more details, refer to the [sample handler |
| 122 | + implementation](https://docs.cloud.google.com/iam/docs/auth-with-3lo#validation-endpoint). |
| 123 | +- **Resume the conversation**: Irrespective of the status of the consent flow |
| 124 | + (successful or unsuccessful), the agent app should resume the agent to |
| 125 | + complete the conversation turn. The ADK automatically determines whether |
| 126 | + consent was successfully completed and raise an error if it was not. |
| 127 | + |
| 128 | +## Resources |
| 129 | + |
| 130 | +- [Google Cloud Agent Identity Overview](https://docs.cloud.google.com/iam/docs/agent-identity-overview) |
| 131 | +- [Sample agent code](https://github.com/google/adk-python/tree/main/contributing/samples/gcp_auth) |
0 commit comments