Cloud Collectors Administration Guide

Prerequisites to Configure the Gemini Enterprise Cloud Collector

Before you configure the Gemini Enterprise Cloud Collector, complete the following prerequisites:

  • Create a Model Armor template on console.cloud.google.com.

  • (Optional) Create a Gemini Enterprise app and enable the Model Armor template for the app. This step is optional if you already have the Gemini Enterprise App.

  • Obtain the Gemini Enterprise app ID.

  • Verify that the query retrieves logs for both Discovery Engine and Model Armor in the Log Explorer.

  • Set up a logging sink – Set up a logging sink to export data to Pub/Sub either at the project level or at a folder of the organization level, depending on the data you want to export. For more information, see Routing and storage overview.

  • Create the required subscription in the Pub/Sub topic.

  • Obtain a Subscription ID – Set up a subscription for the Pub/Sub topic to which the log data is exported. Note the Subscription ID that you set while creating the subscription in GCP Pub/Sub. The Subscription ID is associated with your Pub/Sub topic. For more information, see Set up Pub/Sub topic and subscriptions in the Google documentation.

  • Set audit log permissions – Enable the Data write permission for the Cloud Discovery Engine API in the Audit Logs section.

  • Obtain a Project ID – Note the Project ID that you set while creating the Google service account. See Create a Service Account and Obtain a Project ID.

  • Assign the required permissions to the service account – Assign the following permissions to the service account to support auto-scaling on your Google Cloud Platform:

    • dataflow.metrics.get

    • monitoring.metricDescriptors.get

    • monitoring.metricDescriptors.list

    • monitoring.monitoredResourceDescriptors.list

    • monitoring.timeSeries.list

  • Obtain a Service Credentials JSON file – Create a JSON key for the service account on your Google Cloud Platform. You must enter the JSON file content in the SERVICE CREDENTIALS JSON field while adding a new Google Service account during the Cloud Collector configuration.

  • Assign the required subscription permissions – Assign the pubsub.subscriptions.consume permission to the service account.

Create a Model Armor Template

The Model Armor templates help you set filters and thresholds for different safety and security needs to screen prompts and responses in your AI apps.

Use the following steps to create a Model Armor template on the Google Cloud Console.

  1. Ensure that you have the Model Armor Admin IAM role (roles/modelarmor.admin) for creating templates.

  2. Enable the Model Armor API in your Google Cloud project.

  3. Navigate to the Security section, then select Model Armor. Alternatively, you can use the search box to locate the Model Armor page.

  4. Click Create template.

  5. Specify a template ID and select a region. The region that you select must match the region of the Gemini Enterprise app that you created.

  6. In the Detections section, select Prompt injection and jailbreak detection. Based on your requirement, you can select multiple options.

  7. In the Responsible AI section, set the filter based on your requirement.

  8. In the Configure logging section, select Prompts and responses. You can select the operations for which you want to configure logging. When you enable this option, the log explorer displays Model Armor logs.

  9. Optionally, you can select Enable multi-language support for using the multi-language detection settings.

  10. Click Create.

    The page displays a confirmation message which indicates that the template is created successfully.

    For more information, see Create and manage templates in the Google Cloud documentation. For the detailed steps, refer to the Create a Model Armor template section in the Google Cloud documentation.

  11. On the Template details page that appears after you create the template, from the Resource name field, copy the path by clicking the copy icon.

  12. Record the Resource name path to use while creating the Gemini Enterprise app in your project on the Google Cloud console.

Create a Gemini Enterprise app

The Gemini Enterprise app helps you search relevant data and automate tasks using AI in a secure and easy way. Use the following steps to create a Gemini Enterprise app on the Google Cloud Console. For more information, see Create an app in the Google Cloud documentation.

  1. On the Google Cloud Console, navigate to the Gemini Enterprise page. Alternatively, you can use the search box to locate the Gemini Enterprise page.

  2. In the Apps page, click Create app.

  3. Specify the name for the app by updating the automatically generated app ID, and select a location. The region that you select for the app must match the region of the Model Armor template that you created.

  4. Click Create.

    The page displays a confirmation message which indicates that the app is created successfully.

  5. On the same app page in the left pane, click Configurations.

  6. In the Assistant tab, enable the option Enable Model Armor.

  7. In the Gemini Model Armor template for user prompts field, paste the Resource name path that you recorded while creating the Model Armor template.

  8. Complete the other required configurations for the Gemini Enterprise app based on your requirement. For more information, see Configure the assistant and the other relevant sections in the Google Cloud documentation.

  9. Click Save and publish.

Obtain the Gemini Enterprise App ID

Use the following steps to obtain the Gemini Enterprise App ID.

  1. In the Google Cloud Console, navigate to the Apps page.

  2. The Apps page lists all the Gemini Enterprise apps that you created.

  3. Record the app ID listed in the ID column for the Gemini Enterprise apps that you created.

    Use this ID when you enter the query in the Log Explorer.

Verify Logs in the Log Explorer

In the Google Cloud Console, the Log Explorer helps you search, view, filter, and analyze log data from various Google Cloud services. The Log Explorer shows the details of all the logs in the explorer window. To filter and view only Model Armor logs, enter the appropriate query in the upper right text box.

Use the following steps to enter a query in the Log Explorer.

  1. In the Log Explorer, enter the following query to verify its accuracy and ensure that the query retrieves logs for both Discovery Engine and Model Armor.

    (resource.type="audited_resource"
    resource.labels.method="google.cloud.discoveryengine.v1main.AssistantService.StreamAssist"
    resource.labels.service="discoveryengine.googleapis.com"
    operation.first="true"
    protoPayload.resourceName=~"<yourappname>")
    OR
    (resource.type="modelarmor.googleapis.com/SanitizeOperation"
    jsonPayload.operationType="SANITIZE_USER_PROMPT"
    labels."modelarmor.googleapis.com/client_correlation_id"=~"<yourappname>")

    Use this query while configuring the logging sink.

  2. In the query, replace the ID in ".*geminiabcdapp_1891823799993*" (shown as <yourappname> in the query above) on lines 5 and 9 with your app ID, which you obtained from the Apps page after creating the Gemini Enterprise app.

  3. In the upper right corner, click Run Query.

  4. Verify that the results section displays user prompt logs for the discovery engine and model armor.
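
The query above, evaluated offline against sample entries, as an added example that is not part of the original guide. The names `build_filter`, `classify` and `sample_entry`, the app ID `demoapp_1` and the sample field values are constructed for illustration, and the matcher covers only the `=` and `=~` comparisons that this query uses.

```python
import re

# The query from this page; <yourappname> is its placeholder for the app ID.
QUERY = '''(resource.type="audited_resource"
resource.labels.method="google.cloud.discoveryengine.v1main.AssistantService.StreamAssist"
resource.labels.service="discoveryengine.googleapis.com"
operation.first="true"
protoPayload.resourceName=~"<yourappname>")
OR
(resource.type="modelarmor.googleapis.com/SanitizeOperation"
jsonPayload.operationType="SANITIZE_USER_PROMPT"
labels."modelarmor.googleapis.com/client_correlation_id"=~"<yourappname>")'''
SOURCES = ("discoveryengine", "modelarmor")  # labels for the two OR-groups

def build_filter(app_id):
    # Example's assumption: IDs use only these characters (no quotes, no regex syntax).
    if not re.fullmatch(r"[A-Za-z0-9_-]+", app_id):
        raise ValueError(f"unexpected characters in app ID: {app_id!r}")
    return QUERY.replace("<yourappname>", app_id)

def lookup(entry, path):
    # Walk a dotted field path; a quoted segment may itself contain dots.
    for quoted, plain in re.findall(r'"([^"]+)"|([^.]+)', path):
        entry = entry.get(quoted or plain) if isinstance(entry, dict) else None
    return str(entry).lower() if isinstance(entry, bool) else entry  # True -> "true"

def classify(entry, app_id):
    """Label of the OR-group a LogEntry dict satisfies, or None if filtered out."""
    for name, group in zip(SOURCES, build_filter(app_id).split("\nOR\n")):
        for line in group.strip("()").splitlines():
            path, op, want = re.fullmatch(r'(.+?)(=~|=)"(.*)"', line).groups()
            got = lookup(entry, path)
            if not isinstance(got, str) or not (
                    re.search(want, got) if op == "=~" else got == want):
                break
        else:
            return name
    return None

# Constructed sample entries; values are illustrative, not captured logs.
def sample_entry(source, app):
    if source == "modelarmor":
        return {"resource": {"type": "modelarmor.googleapis.com/SanitizeOperation"},
                "jsonPayload": {"operationType": "SANITIZE_USER_PROMPT"},
                "labels": {"modelarmor.googleapis.com/client_correlation_id": app}}
    labels = {"service": "discoveryengine.googleapis.com", "method":
              "google.cloud.discoveryengine.v1main.AssistantService.StreamAssist"}
    return {"resource": {"type": "audited_resource", "labels": labels},
            "operation": {"first": True}, "protoPayload": {"resourceName": f"projects/p/engines/{app}"}}
```

Because `=~` is an unanchored regular-expression match, an app ID that is contained in another app's ID (`demoapp_1` inside `demoapp_12` in the constructed samples) selects both apps' entries, so check the results for entries from apps you did not intend to collect.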

Set up a Logging Sink

Use the following steps to set up a logging sink.

  1. On the Google Cloud console, navigate to Log Router.

  2. Click Create Sink. For more information, see Routing and storage overview and Create a sink in the Google Cloud documentation.

  3. Add sink details such as name and description.

  4. In the Sink destination section, select the Cloud Pub/Sub topic sink service, and select an existing Cloud Pub/Sub topic or create a new one.

  5. Click Next.

  6. Enter the following query to create a filter and verify that logs are fetched for Model Armor.

    (resource.type="audited_resource"
    resource.labels.method="google.cloud.discoveryengine.v1main.AssistantService.StreamAssist"
    resource.labels.service="discoveryengine.googleapis.com"
    operation.first="true"
    protoPayload.resourceName=~"<yourappname>")
    OR
    (resource.type="modelarmor.googleapis.com/SanitizeOperation"
    jsonPayload.operationType="SANITIZE_USER_PROMPT"
    labels."modelarmor.googleapis.com/client_correlation_id"=~"<yourappname>")
  7. Click Next, then click Create sink.

    The page displays a confirmation message which indicates that the log sink is created successfully. The sink routes the logs from the Log Explorer to the Pub/Sub topic.

  8. Create the required subscription.

Create the Required Subscription in Pub/Sub Topic

After you create the log sink, you can create a subscription and obtain the subscription ID. Use the following steps to obtain a subscription ID.

  1. On the Create log sink next steps page, in the View sink destination section, click See Pub/Sub topic.

  2. In the Pub/Sub topic that you created, in the Subscriptions section, click Create subscription.

  3. Specify a subscription ID. Use this subscription ID while you configure the Gemini Enterprise Cloud Collector.

  4. Set the other options such as Message retention duration and Expiration period based on your requirement.

  5. Click Create.

Set Audit Log Permissions

Use the following steps to configure audit log permissions for Cloud Discovery Engine API.

  1. In the Google Cloud Console, navigate to IAM & Admin > Audit Logs. Alternatively, you can use the search box to locate the Audit logs page.

  2. In the Data access audit logs configuration, search for a property name Cloud Discovery Engine API.

  3. Enable the data access audit log type Data write for Cloud Discovery Engine API.

  4. Click Save. The Data write permission is applicable to the apps that you create in the project in Google Cloud console.

Create a Service Account and Obtain a Project ID

  1. To create a service account in the project in which the Pub/Sub subscription has been created, in the Google Cloud console, navigate to IAM & Admin > Service Accounts > CREATE SERVICE ACCOUNT page.

  2. Select a Cloud project if you already created a project. If not, create a Cloud project.

  3. Enter the project name and edit the automatically generated project ID. Note the Project ID that you set while creating the Google service account. You need the project ID while configuring the Gemini Enterprise Cloud Collector.

  4. For more information and relevant steps, see Creating and managing service accounts in the Google documentation.

Create a Service-Credentials-Json File for the Gemini Enterprise Cloud Collector

To facilitate communication and enable retrieval of audit events, you must create a service-credentials-json file.

  1. Log in to the Google Developers Console with an account that has super-admin permissions.

  2. Select a Google Cloud project from which you want to collect Gmail logs.

  3. Create the service account and download the service account JSON file.

    1. In the top-left corner of the console, click Menu.

    2. Click IAM & Admin.

    3. Click Create service account and in the Service account name field, enter a name for the service account.

    4. Select the Furnish a new private key box and ensure the key type is set to JSON.

    5. Select the Enable Domain-wide Delegation box and enter a name in the Product name for the consent screen field.

    6. Click Create. You'll see a message that the service account JSON file has been downloaded to your computer. The JSON file contains the project ID.

    7. Click Close.