Onboard Gemini Enterprise to SaaS Agent Security
Onboard Gemini Enterprise to SaaS Agent Security to gain deep visibility
and security for your Gemini Enterprise AI platform and apps.
Gemini Enterprise is a new AI platform from Google designed for businesses that
integrates its most advanced models into a single conversational interface for
employees. It allows employees to use pre-built agents or create their own custom
agents to perform tasks, analyze data, and automate workflows by securely connecting
to company data and applications like Google Workspace and Salesforce. The platform
aims to shift employees from tedious tasks to high-impact work while providing
central governance and security.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the SaaS Agent Security license: |
To access your Gemini Enterprise instance, SaaS Agent Security requires the
following information, which you will specify during the onboarding process.
| Item | Description |
|---|---|
| Service Account Email | A service account email in Gemini Enterprise is a special non-human account. Applications and virtual machines use this account to authenticate and access Google Cloud resources securely. It provides a secure identity for programmatic access to the Gemini for Google Cloud API and related services. |
| Project ID | A Project ID in Gemini Enterprise is a unique identifier for a Google Cloud project. Gemini Enterprise uses the Google Cloud platform, so its services and resources are organized within the same project structure. A Project ID is needed for authentication, billing, and access control when working with Gemini models and related services. |
| Location | In Google Cloud's Gemini Enterprise, a "location" is a specific geographic area for creating, processing, and storing data. Location selection allows enterprises to control data residency, which is important for data privacy, compliance, and meeting requirements in different regions. The types of locations available for data storage in Gemini Enterprise and the wider Google Cloud infrastructure include: |
| Collection ID | In Gemini Enterprise, a "collection ID" is the unique identifier of a collection, a logical grouping of data stores. A collection is a top-level resource that organizes the data used by Gemini-based applications and agents. |
STEP 1. Go to your project home page (where you developed your agent) in the Google Cloud console.
STEP 2. Copy your project ID and project number and keep them handy for onboarding later.
STEP 3. Enable the Discovery Engine API. From the Google Cloud console, select Menu > APIs & Services > Enabled APIs & Services > + Enable APIs and services. Search for Discovery Engine API and enable it.
STEP 4. Create a custom role and assign the following permissions to that role:
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.setIamPolicy
STEP 5. To create a new service account, select Menu > IAM & Admin > Service Accounts > + Create service account. Specify a service account name, account ID, and description and click Create and continue.
STEP 6. In the Permissions section drop-down, choose the Service Account Token Creator, <your custom role>, and Discovery Engine Viewer roles and click Save.
STEP 7. In the list of service accounts, click the service account that you just created. The service account details are displayed.
STEP 8. Copy the service account email address and keep it handy for onboarding later.
STEP 9. Select Principals with access > View by principals > Grant access. In the Add principals section, specify the name of the principal. The principal's service account email has the following template: agentspace-agent-scan-connecto@<region-name>.iam.gserviceaccount.com. The following are the region names for different regions:
- US: agentspace-agent-scan-connecto@sspm-identity-us-west2.iam.gserviceaccount.com
- EU: agentspace-agent-scan-connecto@spm-identity-europe-west3.iam.gserviceaccount.com
- UK: agentspace-agent-scan-connecto@sspm-identity-europe-west2.iam.gserviceaccount.com
- AUSTRALIA: agentspace-agent-scan-connecto@sspm-australia-southeast1.iam.gserviceaccount.com
- INDIA: agentspace-agent-scan-connecto@sspm-asia-south1.iam.gserviceaccount.com
- JAPAN: agentspace-agent-scan-connecto@sspm-asia-northeast1.iam.gserviceaccount.com
- SINGAPORE: agentspace-agent-scan-connecto@sspm-identity-asia-southeast1.iam.gserviceaccount.com
STEP 10. In the Assign roles section, select the Service Account Token Creator role and click Save.
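The Google Cloud setup above comes down to a few IAM bindings: the scanning service account holds the Service Account Token Creator, Discovery Engine Viewer and custom roles on the project, and the regional SaaS Agent Security connector is a Token Creator on that service account, so that it can impersonate it and nothing else. The following added example (not SaaS Agent Security or Google code) checks those bindings offline against policies exported with gcloud and also flags owner/editor grants and extra impersonators that the onboarding does not require; the project ID, service account, custom role name and sample policies are constructed, and roles/iam.serviceAccountTokenCreator and roles/discoveryengine.viewer are assumed to be the predefined role IDs behind the console names.

```python
# Added example (not SaaS Agent Security or Google code): offline check that IAM
# bindings match the onboarding steps above. Inputs are dicts in the JSON shape
# printed by `gcloud projects get-iam-policy --format=json` and
# `gcloud iam service-accounts get-iam-policy --format=json`; samples are constructed.

# Connector principals per region, copied from the onboarding steps.
CONNECTOR_BY_REGION = {
    "US": "agentspace-agent-scan-connecto@sspm-identity-us-west2.iam.gserviceaccount.com",
    "EU": "agentspace-agent-scan-connecto@spm-identity-europe-west3.iam.gserviceaccount.com",
    "UK": "agentspace-agent-scan-connecto@sspm-identity-europe-west2.iam.gserviceaccount.com",
    "AUSTRALIA": "agentspace-agent-scan-connecto@sspm-australia-southeast1.iam.gserviceaccount.com",
    "INDIA": "agentspace-agent-scan-connecto@sspm-asia-south1.iam.gserviceaccount.com",
    "JAPAN": "agentspace-agent-scan-connecto@sspm-asia-northeast1.iam.gserviceaccount.com",
    "SINGAPORE": "agentspace-agent-scan-connecto@sspm-identity-asia-southeast1.iam.gserviceaccount.com",
}
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"   # assumed ID of Service Account Token Creator
DISCOVERY_VIEWER = "roles/discoveryengine.viewer"         # assumed ID of Discovery Engine Viewer
BROAD_ROLES = {"roles/owner", "roles/editor"}             # never needed by the scanner account


def roles_for(policy, member):
    """Set of roles the policy grants to one member string such as 'serviceAccount:...'."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_onboarding(project_policy, sa_policy, sa_email, custom_role, region):
    """Return findings; an empty list means the bindings match the steps and are least-privilege."""
    findings, me = [], f"serviceAccount:{sa_email}"
    have = roles_for(project_policy, me)
    for role in (TOKEN_CREATOR, DISCOVERY_VIEWER, custom_role):     # roles chosen in Permissions
        if role not in have:
            findings.append(f"{sa_email} lacks {role} on the project")
    for role in sorted(have & BROAD_ROLES):
        findings.append(f"{sa_email} holds broad role {role}, which onboarding does not need")
    connector = f"serviceAccount:{CONNECTOR_BY_REGION[region]}"     # principal granted in Grant access
    if TOKEN_CREATOR not in roles_for(sa_policy, connector):
        findings.append(f"{connector} cannot impersonate {sa_email}")
    others = {m for b in sa_policy.get("bindings", []) if b["role"] == TOKEN_CREATOR
              for m in b.get("members", [])} - {connector}
    if others:
        findings.append(f"unexpected token creators on {sa_email}: {sorted(others)}")
    return findings


# Constructed sample input mirroring a correct US onboarding (placeholder project and names).
SA_EMAIL = "scanner@example-project.iam.gserviceaccount.com"
CUSTOM_ROLE = "projects/example-project/roles/saasAgentScan"
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": r, "members": [f"serviceAccount:{SA_EMAIL}"]}
    for r in (TOKEN_CREATOR, DISCOVERY_VIEWER, CUSTOM_ROLE)]}
SAMPLE_SA_POLICY = {"bindings": [{"role": TOKEN_CREATOR, "members": [f"serviceAccount:{CONNECTOR_BY_REGION['US']}"]}]}
```

Run it against real exports by loading both JSON files with json.load and passing them in place of the samples.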
STEP 11. To start onboarding Gemini Enterprise to SaaS Agent Security, log in to Strata Cloud Manager. Select Insights > SaaS Agents > Agent Platform Onboarding > Onboard Agent Platform > Gemini Enterprise.
STEP 12. Ensure you have completed all three steps listed in the onboarding wizard and then click Get Started.
STEP 13. On the Authorization Method Selection page, the API authentication method is selected by default. Click Next.
STEP 14. On the Onboard Agent Platform page, enter the following information (which you gathered in STEP 2 and STEP 8) and click Complete.
- Service Account Email
- Project ID: You can use either the project ID or the project number.
- Location: Choose global, us, or eu as required.
- Collection ID: The default value is default_collection.
STEP 15. SaaS Agent Security establishes the API connection and validates the credentials and permissions. After the validation succeeds, you will see the following confirmation message.
SaaS Agent Security begins scanning your onboarded agentic platform immediately after a successful validation. The time SaaS Agent Security takes to scan varies with the amount of data it has to scan; it takes at least one hour to scan and display data in the SaaS Agent Security dashboard.