Documentation
BlogsCreate Account

Integration Provider - GCP

Suggest Edits

TrueFoundry supports integrating with multiple GCP services like GCS, GKE, GCR, GSM, GCP Models etc.

To integrate any of the above services, you simply need to add your GCP account as a provider account and add integrations for the same as shown below:

Share access with users, teams or everyone in your TrueFoundry account

As shown in the previous slides, you can share access of each integration with users, teams or everyone in your TrueFoundry account. This would allow them to view and use the integration. Only tenant-admins can edit the integrations.

Create a custom serviceaccount

  1. Create an IAM serviceaccount named tfy-<short-region-name>-<name>-platform (name can be anything but add a prefix tfy to differentiate it with others), if not created before.
  2. Once the IAM serviceaccount is created, make sure to create a key in JSON format.

Google Cloud Storage Integration

Follow the steps below to connect GCS storage to TrueFoundry:

  1. Create a GCP bucket.
    • Make sure to add the lifecycle configurations on the bucket to delete multipart upload after 7 days.
    • For this go to GCP bucket -> Lifecycle -> Add a rule
    • Select Delete multi-part upload for 7 days
  2. We also need to add the CORS policy to the GCP bucket. Right now adding the CORS policy to the GCP bucket is not possible through the console so for this, we will use gsutil
    1. Create a file called cors.json using the below command 
    cat > cors.json <<EOF
[
    {
      "origin": ["*"],
      "method": ["GET", "POST", "PUT"],
      "maxAgeSeconds": 3600
    }
]
EOF
    1. Attach the above CORS policy to the service account by running the following command using gsutils
    gsutil cors set cors.json  gs://BUCKET_NAME
  3. Create a custom IAM role with the following permissions and add to the serviceaccount created above: 
    [
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
    "storage.objects.update",
    "storage.buckets.create",
    "storage.buckets.get",
    "storage.buckets.list",
    "storage.buckets.create",
    "storage.buckets.update",
    "storage.multipartUploads.create",
    "storage.multipartUploads.list",
    "storage.multipartUploads.listParts",
    "storage.multipartUploads.abort",
    "resourcemanager.projects.get"
  ]
  4. Add the following IAM condition - resource.name.startsWith('projects/\_/buckets/<bucket name>}')
  5. Navigate to Integrations tab and follow the steps shown the previous demo to integrate your storage.

Google Artifact registry Integration

  1. Create a custom IAM role with the following permissions and add to the serviceaccount created above: 
    [
    "artifactregistry.dockerimages.get",
    "artifactregistry.dockerimages.list",
    "artifactregistry.locations.get",
    "artifactregistry.locations.list",
    "artifactregistry.repositories.get",
    "artifactregistry.repositories.list",
    "artifactregistry.repositories.create",
    "artifactregistry.repositories.createTagBinding",
    "artifactregistry.repositories.delete",
    "artifactregistry.repositories.deleteArtifacts",
    "artifactregistry.repositories.deleteTagBinding",
    "artifactregistry.repositories.downloadArtifacts",
    "artifactregistry.repositories.get",
    "artifactregistry.repositories.getIamPolicy",
    "artifactregistry.repositories.list",
    "artifactregistry.repositories.listEffectiveTags",
    "artifactregistry.repositories.listTagBindings",
    "artifactregistry.repositories.update",
    "artifactregistry.repositories.uploadArtifacts",
    "artifactregistry.tags.get",
    "artifactregistry.tags.list",
    "artifactregistry.tags.create",
    "artifactregistry.tags.update",
    "artifactregistry.versions.get",
    "artifactregistry.versions.list",
    "artifactregistry.versions.delete"
  ]
  2. Navigate to Integrations tab and follow the steps shown the previous demo to integrate your Artifact registry.

Google Secrets Manager Integration

  1. Create a custom IAM role with the following permissions and add to the serviceaccount created above: 
    [
    "secretmanager.secrets.get",
    "secretmanager.secrets.list",
    "secretmanager.secrets.create",
    "secretmanager.secrets.delete",
    "secretmanager.secrets.update",
    "secretmanager.versions.access",
    "secretmanager.versions.list",
    "secretmanager.versions.get",
    "secretmanager.versions.add",
    "secretmanager.versions.destroy",
    "resourcemanager.projects.get",
  ]
  2. Add the following IAM condition- resource.name.startsWith('projects/<GCP Project Number>/secrets/tfy')
  3. Navigate to Integrations tab and follow the steps shown the previous demo to integrate your secret manager.

Google GKE cluster Integration

  1. Create a custom IAM role with the following permissions and add to the serviceaccount created above: 
    [
    "container.clusters.get",
    "container.clusters.list",
    "container.nodes.get",
    "container.nodes.getStatus",
    "container.nodes.list",
    "resourcemanager.projects.get",
]
  2. Navigate to Integrations tab and follow the steps shown the previous demo to integrate your secret manager.

Google Vertex Model Integration

  1. Create the GCP Provider Account as described in the demo at the top of this document.

  2. Create a custom IAM role with the following permission and add to the serviceaccount created above: 

    [
  "aiplatform.endpoints.predict"
]

  3. Navigate to Integrations tab and edit the GCP Provider Account previously created and add the required models using their model id and they should start showing up in the LLM Gateway. Here's an example of adding gemini-1.5-flash-001.

Updated 28 days ago