Vertex AI

Enable BigQuery Logging

First, configure your Vertex AI Custom Deployed Model endpoint to log predictions to BigQuery.

Via Console

1. Go to Vertex AI → Endpoints in GCP Console.

2. Select your deployed model endpoint.

3. Click Edit.

4. Under Logging, enable Request/Response logging.

5. Select BigQuery as the destination.

6. Choose or create a dataset (e.g., vertex_ai_logs).

7. Save.

Via gcloud CLI

gcloud ai endpoints update ENDPOINT_ID \
  --region=REGION \
  --request-response-logging-config=bigquery-destination=projects/PROJECT_ID/datasets/DATASET_NAME/tables/TABLE_NAME

Create IAM Service Account

Create a dedicated Service Account for Akto (e.g., akto-bq-reader). This account will need permissions to read from your BigQuery dataset and execute query jobs.

1. Create Service Account

Via Console:

1. Go to IAM & Admin → Service Accounts.

2. Click + CREATE SERVICE ACCOUNT.

3. Name: akto-bq-reader.

4. Description: Service account for Akto to read BigQuery logs.

5. Click CREATE AND CONTINUE.

Via gcloud:

gcloud iam service-accounts create akto-bq-reader \
    --display-name="Akto BigQuery Reader"

2. Grant BigQuery Permissions

You must grant two key roles:

• BigQuery Job User (roles/bigquery.jobUser): Allows running query jobs.

• BigQuery Data Viewer (roles/bigquery.dataViewer): Allows reading table data.

Via Console (on the Service Account creation page):

1. Under Select a role, search for BigQuery Job User.

2. Click ADD ANOTHER ROLE.

3. Search for BigQuery Data Viewer.

4. Click CONTINUE and DONE.

Via gcloud:

# Grant Job User role (permits running queries in the project)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
    --member="serviceAccount:akto-bq-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/bigquery.jobUser"

# Grant Data Viewer role (permits reading dataset contents)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
    --member="serviceAccount:akto-bq-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/bigquery.dataViewer"

Configure Authentication

Choose an authentication method based on your deployment. Akto supports Application Default Credentials (ADC) and Service Account Key Files.

Option A: Use Application Default Credentials (Recommended for GKE/Cloud Run)

If Akto is running on GCP (GKE, Cloud Run, Compute Engine), you can use ADC. This is more secure as it avoids managing long-lived keys.

1. GKE (Workload Identity): Bind the GCP Service Account created in the previous step to the Kubernetes Service Account used by Akto.

   Copy

   # Link K8s SA to GCP SA
   gcloud iam service-accounts add-iam-policy-binding \
     akto-bq-reader@PROJECT_ID.iam.gserviceaccount.com \
     --role="roles/iam.workloadIdentityUser" \
     --member="serviceAccount:PROJECT_ID.svc.id.goog[akto/akto-sa]"
   
   # Annotate K8s SA
   kubectl annotate serviceaccount akto-sa -n akto \
     iam.gke.io/gcp-service-account=akto-bq-reader@PROJECT_ID.iam.gserviceaccount.com

2. No Configuration Needed: When configuring the job in Akto, leave the JSON Authentication File Path field empty. Akto acts as the service account automatically.

Option B: Use a Service Account Key File (External Deployment)

If Akto is running outside of GCP (e.g., On-Prem, AWS, Local Docker), use a Service Account Key.

1. Create Key:

   • Go to IAM & Admin → Service Accounts.

   • Select akto-bq-reader.

   • Go to the Keys tab -> ADD KEY -> Create new key -> JSON.

   • Download the file (e.g., akto-bq-key.json).

2. Mount Key: Ensure this file is accessible to the Akto container.

   Copy

   docker run ... -v /path/to/akto-bq-key.json:/app/credentials.json ...

3. Specify Path: When configuring the job in Akto, provide the path /app/credentials.json in the JSON Authentication File Path field.

Configure Akto Job

In the Akto Dashboard, configure the Vertex AI Custom Deployed Model connector with the following fields: