Setting Up a Secure GCP Service Account for Vertex AI and Cloud Storage
June 2, 2026 • 7 min read
When connecting Indexu to Google Cloud, using a properly scoped service account is essential for security. This guide walks you through creating a locked-down service account that grants only the permissions needed for Vertex AI and Cloud Storage — nothing more.
Why a Dedicated Service Account Matters
Using your personal Google account or an overly permissive service account for production workloads is a common security mistake. A properly scoped service account:
- Limits the blast radius if credentials are ever compromised
- Makes it easy to audit exactly what the account is doing
- Can be rotated and revoked independently of other services
- Follows the principle of least privilege
Step 1: Create a Dedicated IAM User for This Purpose
Before we create the service account, we'll create a dedicated IAM user whose sole responsibility is managing service accounts. This prevents service account keys from being tied to personal accounts.
Navigate to IAM & Admin → Service Accounts in your GCP console. If you haven't already, create a new IAM user (not a service account) with the Service Account Admin role at the project level:
- Go to IAM & Admin → IAM
- Click Grant Access
- Enter the email of a dedicated admin account (e.g., sa-admin@yourdomain.com)
- Assign the role Service Account Admin
- Click Save
This user will be used exclusively for creating and managing service account keys in the next steps.
Step 2: Create the Service Account
Now log in as your dedicated IAM user and create the service account that Indexu will use:
- Go to IAM & Admin → Service Accounts
- Click Create Service Account
- Enter a descriptive name like indexu-vertexai-access
- The service account ID will auto-fill. Take note of the full email address — you'll need it later
- Add an optional description: Service account for Indexu to access Vertex AI and Cloud Storage
- Click Create and Continue
Naming convention tip: Use a pattern like {app-name}-{purpose}. This makes it easy to identify service accounts when you have many of them.
Step 3: Assign Least-Privilege Roles
This is the most critical step. Only grant the exact permissions Indexu needs:
On the Grant this service account access to project screen, add these roles:
| Role | Purpose |
|---|---|
| roles/aiplatform.user | Run predictions and access Vertex AI models |
| roles/storage.objectUser | Read and write objects in Cloud Storage buckets |
Click Continue, then Done. You can skip the Grant users access to this service account step — we'll handle authentication via the JSON key.
Important: Do not assign roles/editor, roles/owner, or any broad role. Stick to aiplatform.user and storage.objectUser — these provide exactly the access Indexu needs.
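To confirm the bindings came out exactly as intended, and to catch drift later when someone adds a role "just to make it work", here is an added example (not Indexu's or Google's code) that audits the project IAM policy as printed by `gcloud projects get-iam-policy PROJECT --format=json`. The policy and service-account address in it are constructed sample data; ALLOWED_ROLES, BROAD_ROLES and the function names are this example's own.

```python
import json

# The two roles Step 3 grants; anything else on the service account is drift.
ALLOWED_ROLES = {"roles/aiplatform.user", "roles/storage.objectUser"}
# Basic roles that should never be bound to an application service account.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def audit_service_account_roles(policy_json, sa_email):
    """Return what the policy grants to sa_email, split into broad roles,
    roles outside the allowlist, and expected roles that are absent.

    policy_json is the output of
    `gcloud projects get-iam-policy PROJECT --format=json`: a JSON object whose
    "bindings" list holds {"role": ..., "members": [...]} entries.
    """
    policy = json.loads(policy_json)
    member = f"serviceAccount:{sa_email}"
    granted = {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }
    return {
        "granted": sorted(granted),
        "broad": sorted(granted & BROAD_ROLES),
        "unexpected": sorted(granted - ALLOWED_ROLES),
        "missing": sorted(ALLOWED_ROLES - granted),
    }


def is_least_privilege(report):
    """True only when the account holds exactly the allowed roles."""
    return not report["broad"] and not report["unexpected"] and not report["missing"]


# Constructed sample policy: aiplatform.user was granted correctly, but someone
# also bound roles/editor, and storage.objectUser went to a different account.
SA_EMAIL = "indexu-vertexai-access@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/aiplatform.user",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/editor",
         "members": ["user:someone@example.com", f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/storage.objectUser",
         "members": ["serviceAccount:other-app@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXExample=",
    "version": 1,
})

if __name__ == "__main__":
    report = audit_service_account_roles(SAMPLE_POLICY, SA_EMAIL)
    for key, roles in report.items():
        print(f"{key:>10}: {', '.join(roles) or '-'}")
    print("least privilege:", is_least_privilege(report))
```

Run it against the real policy export after Step 3 and again on a schedule; a non-empty "broad" or "unexpected" list is the signal to go back to the console and remove the extra binding.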
Step 4: Export the JSON Key
Now create and download the JSON key file that Indexu will use for authentication:
- In the Service Accounts list, find your newly created service account
- Click the three-dot menu on the right and select Manage Keys
- Click Add Key → Create New Key
- Select JSON as the key type
- Click Create
The JSON file will download automatically. It looks like this:
{
"type": "service_account",
"project_id": "your-project-id",
"private_key_id": "abc123...",
"private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
"client_email": "indexu-vertexai-access@your-project-id.iam.gserviceaccount.com",
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/..."
}
Security warning: Treat this JSON key file like a password. It grants programmatic access to your GCP project. Never commit it to version control, never share it in chat messages, and store it in a secure location like an environment variable or secrets manager.
Store the entire JSON content as an environment variable in your Indexu deployment:
GOOGLE_APPLICATION_CREDENTIALS_JSON={"type":"service_account","project_id":"..."}
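Two things go wrong with this step in practice: the JSON gets mangled on its way into the environment variable (most often the `\n` escapes inside private_key are doubled by a .env file, so the PEM block no longer parses), and the key file gets committed by accident. The following Python is an added example, not Indexu's own loader: it validates the key at start-up so a bad deployment fails immediately, and it offers a text check you can run over staged files before a commit. The sample key is constructed placeholder material; the function names and the expected_project parameter are this example's own.

```python
import json
import os
import re

# Fields present in every key file Google generates (see the sample above).
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)
# A usable private_key value is a PEM block with real newlines after json.loads.
PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----\n.+\n-----END PRIVATE KEY-----\n?$", re.S
)
# Signature used to spot a key file that has ended up where it should not be.
KEY_SIGNATURE_RE = re.compile(r'"type"\s*:\s*"service_account"')


def validate_service_account_key(raw_json, expected_project=None):
    """Parse a key as read from GOOGLE_APPLICATION_CREDENTIALS_JSON and return a
    list of problems (an empty list means the key is structurally usable)."""
    try:
        info = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(info, dict):
        return ["top-level value is not a JSON object"]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not info.get(f)]
    if info.get("type") != "service_account":
        problems.append(f"unexpected type: {info.get('type')!r}")
    if info.get("private_key") and not PEM_RE.match(info["private_key"]):
        # Typical cause: the JSON was pasted into a .env file and the escape
        # sequences became literal backslash-n characters.
        problems.append("private_key is not a PEM block (newlines mangled?)")
    email = info.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email is not a service-account address: {email}")
    if expected_project and info.get("project_id") != expected_project:
        problems.append(
            f"key belongs to project {info.get('project_id')!r}, expected {expected_project!r}"
        )
    return problems


def load_key_from_env(var="GOOGLE_APPLICATION_CREDENTIALS_JSON", expected_project=None):
    """Read and validate the key from the environment; raise on any problem so a
    misconfigured deployment fails at start-up rather than on the first API call."""
    raw = os.environ.get(var)
    if not raw:
        raise RuntimeError(f"{var} is not set")
    problems = validate_service_account_key(raw, expected_project)
    if problems:
        raise RuntimeError(f"{var} is unusable: " + "; ".join(problems))
    return json.loads(raw)


def contains_service_account_key(text):
    """True if text looks like a pasted key file. Run this over staged files in a
    pre-commit hook so a key never reaches version control."""
    return bool(KEY_SIGNATURE_RE.search(text)) and "BEGIN PRIVATE KEY" in text


# Constructed sample key (placeholder material, not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "indexu-vertexai-access@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})
# The same key after a .env round-trip that doubled the backslashes.
MANGLED_KEY = SAMPLE_KEY.replace("\\n", "\\\\n")

if __name__ == "__main__":
    print("good key:", validate_service_account_key(SAMPLE_KEY, "example-project"))
    print("mangled key:", validate_service_account_key(MANGLED_KEY))
    print("looks like a key:", contains_service_account_key(SAMPLE_KEY))
```

The validated dict returned by load_key_from_env is what you would hand to your Google client library's from_service_account_info style constructor; validating it first turns a cryptic signing error on the first Vertex AI call into a clear message at boot.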
Step 5: Set Up Vertex AI Quotas
By default, new GCP projects have limited or zero quota for Vertex AI. You need to request quota before Indexu can make API calls:
- Go to IAM & Admin → Quotas
- In the filter, search for Vertex AI
- Look for these key quotas and check your current limits:
| Quota Name | Recommended Minimum |
|---|---|
| Online prediction requests per minute | 60 |
| Concurrent online prediction requests | 5 |
| LLM online prediction requests per minute | 100 |
| Base model online prediction tokens per minute | 300,000 |
If any quota is at zero or below your needs:
- Select the quota row and click Edit Quota
- Enter your requested limit (use the recommended values above to start)
- Provide a brief justification: "Required for AI agent serving customer chat requests via Indexu"
- Submit the request. Approval typically takes a few hours but can take up to 2 business days
Pro tip: Request quota early. Vertex AI quota approvals are usually quick for reasonable amounts, but it's best to have this sorted before you go live.
Step 6: Whitelist Your IP Addresses
For an additional layer of security, restrict which IP addresses can use the service account. This ensures that even if the key is leaked, it can only be used from your known infrastructure:
Option A: VPC Service Controls (Recommended for Production)
VPC Service Controls let you define a security perimeter around your GCP resources:
- Go to Security → VPC Service Controls
- Create a new Service Perimeter for your project
- Add these services to the perimeter:
  - Vertex AI API (aiplatform.googleapis.com)
  - Cloud Storage API (storage.googleapis.com)
In the Ingress Policy, specify your server's public IP address or IP range. Only traffic originating from those IPs will be allowed to access Vertex AI and Cloud Storage through this project.
Option B: Organization Policy (Simpler for Smaller Setups)
If VPC Service Controls feels heavy for your use case, use an Organization Policy to restrict service account key usage:
- Go to IAM & Admin → Organization Policies
- Find Restrict API access with IP ranges
- Add your server's outbound IP address(es) to the allowlist
Don't forget: If your application runs behind a load balancer, proxy, or NAT gateway, make sure you whitelist the egress IP(s) — not the internal or incoming IP. You can find your egress IP by running curl ifconfig.me from your server.
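Whichever option you choose, the allowlist is only as good as the entries in it. As an added example (not part of this guide or of Indexu), the following Python checks a proposed allowlist before you submit it: it flags internal addresses that Google will never see, catch-all ranges that would let the key be used from anywhere, and typos, and it confirms that the egress IP you measured with curl ifconfig.me actually falls inside an entry. The addresses are constructed sample values and MAX_ADDRESSES_PER_ENTRY is this example's own threshold.

```python
import ipaddress

# Upper bound on how many addresses one allowlist entry may cover before it is
# reported as too broad (256 = a /24; tune this to your own perimeter).
MAX_ADDRESSES_PER_ENTRY = 256


def check_ip_allowlist(entries, max_addresses=MAX_ADDRESSES_PER_ENTRY):
    """Return (entry, problem) pairs for allowlist entries that either cannot
    match real egress traffic or widen the perimeter more than intended."""
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not a valid IP address or CIDR range"))
            continue
        if net.num_addresses > max_addresses:
            findings.append((entry, f"covers {net.num_addresses} addresses; narrow it to your egress IPs"))
        elif net.is_private or net.is_loopback or net.is_link_local:
            # Google only sees the public egress address, so the address on the
            # server's own interface (behind NAT or a proxy) never matches.
            findings.append((entry, "internal address; use the public egress IP instead"))
    return findings


def egress_ip_is_allowed(egress_ip, entries):
    """True if egress_ip falls inside at least one valid allowlist entry."""
    ip = ipaddress.ip_address(egress_ip)
    for entry in entries:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # malformed entries are reported by check_ip_allowlist
    return False


# Constructed sample allowlist mixing good and bad entries.
SAMPLE_ALLOWLIST = [
    "34.120.0.10",      # a public egress address, as reported by curl ifconfig.me
    "34.120.1.0/24",    # a /24 of egress addresses behind a NAT gateway
    "10.0.0.5",         # the server's private interface address: never seen by Google
    "0.0.0.0/0",        # would allow the key from anywhere
    "not-an-ip",
]

if __name__ == "__main__":
    for entry, problem in check_ip_allowlist(SAMPLE_ALLOWLIST):
        print(f"{entry:>14}: {problem}")
    print("34.120.0.10 allowed:", egress_ip_is_allowed("34.120.0.10", SAMPLE_ALLOWLIST))
```

Note that the broadness check runs before the private-address check, so 0.0.0.0/0 is always reported as too wide rather than slipping through as "not private".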
Step 7: Verify Everything Works
Before wiring this up in Indexu, verify the service account works correctly from your server:
# Test Vertex AI access. Gemini models are called through the generateContent
# method with a "contents" body; the predict method with "instances" is for
# other Vertex AI model types and returns an error for Gemini.
# --impersonate-service-account requires the account running gcloud to hold
# roles/iam.serviceAccountTokenCreator on the service account.
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token --impersonate-service-account=indexu-vertexai-access@PROJECT.iam.gserviceaccount.com)" \
-H "Content-Type: application/json" \
"https://us-central1-aiplatform.googleapis.com/v1/projects/PROJECT/locations/us-central1/publishers/google/models/gemini-2.5-flash:generateContent" \
-d '{"contents":[{"role":"user","parts":[{"text":"Hello"}]}]}'
# Test Cloud Storage access (gsutil is in maintenance mode;
# `gcloud storage ls gs://your-bucket-name/` is the current equivalent)
gsutil ls gs://your-bucket-name/
If both commands succeed from your whitelisted IP and fail from elsewhere, your setup is correct.
Summary
You now have a production-ready GCP setup where:
- A dedicated IAM user manages service account keys (not tied to personal accounts)
- The service account has only the aiplatform.user and storage.objectUser roles — no broader permissions
- The JSON key can be stored as an environment variable and rotated independently
- Vertex AI quota is approved and ready for production traffic
- IP-based access controls prevent the key from being used outside your infrastructure
This is the same setup we recommend for all Indexu customers using Vertex AI. It balances security with simplicity and follows Google Cloud's best practices for service account management.
Ready to connect Indexu to Vertex AI?
Contact us and we'll help you configure your service account and get your AI agent running in minutes.