This page describes how to create a data store and connect Gmail to Gemini Enterprise.
Before you begin
Sign in to the Google Cloud console with the same account that you use for the Google Workspace instance that you plan to connect. Vertex AI Search uses your Google Workspace customer ID to connect to Gmail.
To enforce data source access control and secure data in Gemini Enterprise, ensure that you have configured your identity provider.
Before you add actions to the Gmail data store, a Google Cloud administrator must complete the steps in the Set up authentication and permissions for Gmail section. Those steps configure OAuth 2.0 authentication, provide you with the client ID and client secret, and set up minimum permissions.
Create the Gmail data store
To create the Gmail data store, perform the following steps:
In the Google Cloud console, go to the Gemini Enterprise page.
Select or create a Google Cloud project.
In the navigation menu, click Data stores.
Click + Create data store.
In the Source section, search for Gmail, and click Select.
In the Actions section:
Enter the Client ID and Client Secret obtained from the OAuth 2.0 application, and then click Verify Auth.
For information on how to obtain the client ID and client secret, see Create OAuth client credentials. For the required scopes for search and actions, see Required scopes.
Optional: Expand Advanced settings and enter the Service name, the resource name of your service created in Service Directory. This field is required when VPC Service Controls is enabled.
Choose the actions from the list to enable them for the Gmail connector.
To view the list of actions, see View actions.
Click Continue.
In the Configuration section:
- From the Multi-region list, select the location for your data connector.
- In the Data connector name field, enter a name for your connector.
- If you selected US or EU as the location, configure the Encryption settings:
  - Select Google-managed encryption key or Cloud KMS key.
  - If you selected Cloud KMS key:
    - In the Key management type list, select the appropriate type.
    - In the Cloud KMS key list, select the key.
Click Continue.
In the Billing section, select General pricing or Configurable pricing. For more information, see Verify the billing status of your projects and Licenses.
Click Create. Gemini Enterprise creates your data store and displays your data stores on the Data Stores page.
On the Data Stores page, click your data store name to see the status. When the data store state changes from Creating to Active, the Gmail connector is ready to be used.
After creating the data store, create an app and connect it to the Gmail data store before executing the query.
Query execution
This section describes how Gemini Enterprise manages your query and the privacy implications of using the federated data store.
After you authorize Gmail and send a search query to Gemini Enterprise:
- Gemini Enterprise sends your search query directly to the Gmail API.
- Gemini Enterprise blends the results with those from other connected data sources and displays a comprehensive search result.
Error messages and troubleshooting
The following table lists common errors that you might encounter when you work with the Gmail connector. For each error, it gives the HTTP error code, the error message, a description, and suggested troubleshooting steps.
| Error code | Error message | Description | Troubleshooting |
|---|---|---|---|
| 403 (Permission Denied) | Search by using service account credentials isn't supported for Google Workspace data stores. | The engine being searched has Google Workspace data stores, and the credentials passed are of a service account. Search by using service account credentials on Google Workspace data stores isn't supported. | Call search using user credentials, or remove Google Workspace data stores from the engine. |
| 403 (Permission Denied) | Consumer accounts aren't supported for Google Workspace data stores. | Search is called using a consumer account (@gmail.com) credential, which isn't supported for Google Workspace data stores. | Remove Google Workspace data stores from the engine or use a managed Google Account. |
| 403 (Permission Denied) | Customer ID mismatch for data store | Search is only allowed for users who belong to the same organization as Google Workspace data stores. | Remove Google Workspace data stores from the engine or contact support if the user and Google Workspace data stores are meant to be in different organizations. |
| 403 (Permission Denied) | Workspace access for Agent Space disabled by organization administrator. | A Google Workspace administrator has disabled access to Google Workspace data for Gemini Enterprise. | Contact your Google Workspace administrator to enable access. |
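The first three rows of the table depend only on who the caller is, so they can be checked before a search request is sent. The following Python sketch is an added example, not part of the product or its client libraries. The function name `predict_403`, its parameters, and the sample credential files are hypothetical and constructed for illustration, and the customer IDs are assumed to be supplied by an administrator.

```python
import json
from typing import Optional

# Credential-file "type" values that denote a service account identity.
SERVICE_ACCOUNT_TYPES = {"service_account", "impersonated_service_account"}


def predict_403(cred_json: str, user_email: str,
                user_customer_id: str, datastore_customer_id: str) -> Optional[str]:
    """Return the 403 message from the table that this caller would hit, or None.

    Checks follow the order in which the table lists the errors. The fourth row
    (Workspace access disabled by an administrator) is an organization-side
    setting and cannot be predicted from the caller's identity.
    """
    cred = json.loads(cred_json)
    sa_email = cred.get("client_email", "").lower()
    # Row 1: service account credentials are rejected for Workspace data stores.
    if cred.get("type") in SERVICE_ACCOUNT_TYPES or sa_email.endswith("gserviceaccount.com"):
        return ("Search by using service account credentials isn't supported "
                "for Google Workspace data stores.")
    # Row 2: consumer (@gmail.com) accounts are rejected.
    domain = user_email.strip().lower().rpartition("@")[2]
    if domain == "gmail.com":
        return "Consumer accounts aren't supported for Google Workspace data stores."
    # Row 3: the user must belong to the same organization as the data store.
    if user_customer_id != datastore_customer_id:
        return "Customer ID mismatch for data store"
    return None


# Constructed sample credential files (placeholders, no real keys or IDs).
SA_KEY = json.dumps({"type": "service_account",
                     "client_email": "indexer@example-project.iam.gserviceaccount.com"})
USER_ADC = json.dumps({"type": "authorized_user", "client_id": "placeholder"})

if __name__ == "__main__":
    cases = [
        (SA_KEY, "indexer@example-project.iam.gserviceaccount.com", "C0aaa", "C0aaa"),
        (USER_ADC, "alice@gmail.com", "", "C0aaa"),
        (USER_ADC, "bob@other.example", "C0bbb", "C0aaa"),
        (USER_ADC, "carol@corp.example", "C0aaa", "C0aaa"),
    ]
    for cred, email, user_cid, store_cid in cases:
        print(email, "->", predict_403(cred, email, user_cid, store_cid) or "no 403 predicted")
```

A `None` result means only that none of the three identity conditions applies. The request can still fail with the fourth error if a Google Workspace administrator has disabled access.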
What's next
- To provide a user interface for querying your Gmail data, create an app and connect it to the Gmail data store.
- To view the list of actions you enabled for the Gmail data store, see View actions.
- To enable alerts for the data store, see Configure alerts for third-party data stores.
- To preview how your search results appear after your app is set up, see Get search results.