This page explains how to share the Agent-to-Agent (A2A), Agent Development Kit (ADK), and Dialogflow agents that you registered with Gemini Enterprise, as well as agents that you added from Google Cloud Marketplace. It also explains how users access the A2A agents that you added from Google Cloud Marketplace in the Gemini Enterprise web app.
Before you begin
Before you can share an agent, you must meet the following requirements:
You must have an existing Gemini Enterprise web app. To create a new app, see Create an app.
You must have registered or added the custom agents to Gemini Enterprise using any of the following options:
Share a custom agent with users
You can control who has access to a custom agent registered with Gemini Enterprise.
To share an agent, follow these steps:
In the Google Cloud console, go to the Gemini Enterprise page.
Select your project.
Click your app from the Name column. The navigation menu updates.
Click Agents from the navigation menu.
Click the Display name of the agent that you want to share.
Click the User permissions tab, and the Permissioned users page displays.
Click Add user. The Add user permissions roles to agent dialog displays.
Configure the permission details:
Select one of the following options in the Member type section:
User: An individual end user. For this member type to work, you must also grant the correct IAM role. For more information, see IAM roles and permissions.
Group: A collection of end users. For this member type to work, you must also grant the correct IAM role. For more information, see IAM roles and permissions.
Principal set: All identities in a workload identity pool group, which includes external groups that aren't managed by Google.
All users: All users in the organization.
Enter the member's unique identifier and select a role:
| Member type | Description |
|---|---|
| User | Enter email addresses in the Member field. Select a role in the Assign role field. |
| Group | Enter email addresses in the Member field. Select a role in the Assign role field. |
| Workforce identity pool | Enter the principal identifier in the Member field. Select a role in the Assign role field. For examples of principal sets, see Principal sets. |
| All users | Select a role in the Assign role field. |
Click Save.
Principal sets
The following are examples of principal sets that you can specify for the Workforce identity pool member type:
| Principal set | Description |
|---|---|
| principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID | All workforce identities in a group. |
| principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE | All workforce identities with a specific attribute value. |
| principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/* | All identities in a workforce identity pool. |
| principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP_ID | A workload identity pool group. |
| principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE | All identities in a workload identity pool with a certain attribute. |
| principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/* | All identities in a workload identity pool. |
Replace the following placeholders in the principal set identifiers:
PROJECT_NUMBER: the number used in the resource path to identify a specific Google Cloud project.
GROUP_ID: a specific group identifier from an external Identity Provider (IdP), letting you grant access to all members of that group.
POOL_ID: the unique ID for the workload identity pool that you create in Google Cloud.
ATTRIBUTE_NAME: a user-defined name of a custom attribute that you have mapped from an external Identity Provider (IdP).
ATTRIBUTE_VALUE: the specific value of the ATTRIBUTE_NAME used to restrict access.
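As an added example (not from this page or from Google's own tooling), the following Python parses the principal set forms documented above into pool kind, pool ID, and scope, rejects any identifier that matches none of them, and picks out the `/*` forms that admit every identity in a pool, which are the entries to justify first when reviewing an agent's Permissioned users list. The pool IDs, project number, group and attribute values in the comments and tests are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One pattern per pool kind, built from the forms documented on this page; after the
# pool ID comes exactly one of /group/GROUP_ID, /attribute.NAME/VALUE, or /*.
_SCOPE = r"(?P<scope>group/(?P<group>[^/]+)|attribute\.(?P<attr>[^/]+)/(?P<value>[^/]+)|\*)"
_WORKFORCE = re.compile(
    r"principalSet://iam\.googleapis\.com/locations/global/workforcePools/(?P<pool>[^/]+)/" + _SCOPE)
_WORKLOAD = re.compile(
    r"principalSet://iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/" + _SCOPE)


@dataclass
class PrincipalSet:
    pool_kind: str                  # "workforce" or "workload"
    pool_id: str
    scope: str                      # "group", "attribute", or "all" (the "/*" form)
    project_number: Optional[str]   # workload pools only
    group_id: Optional[str]
    attribute_name: Optional[str]
    attribute_value: Optional[str]

    @property
    def grants_entire_pool(self) -> bool:
        return self.scope == "all"


def parse_principal_set(identifier: str) -> PrincipalSet:
    """Parse a principalSet:// identifier; raise ValueError for anything that matches
    none of the documented forms, so a typo is rejected rather than treated as valid."""
    for kind, pattern in (("workforce", _WORKFORCE), ("workload", _WORKLOAD)):
        m = pattern.fullmatch(identifier)  # fullmatch: no leading or trailing junk accepted
        if m is None:
            continue
        if m.group("scope") == "*":
            scope = "all"
        elif m.group("group") is not None:
            scope = "group"
        else:
            scope = "attribute"
        return PrincipalSet(kind, m.group("pool"), scope, m.groupdict().get("project"),
                            m.group("group"), m.group("attr"), m.group("value"))
    raise ValueError(f"not a documented principal set form: {identifier!r}")


def broad_grants(identifiers: List[str]) -> List[str]:
    """Return the identifiers that admit every identity in a pool (constructed example
    input such as ".../workforcePools/example-pool/*" lands here)."""
    return [i for i in identifiers if parse_principal_set(i).grants_entire_pool]
```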