The gcp:ces/toolset:Toolset resource, part of the Pulumi GCP provider, defines a CES toolset that wraps external APIs defined by OpenAPI schemas, making them callable from conversational AI applications. This guide focuses on three capabilities: OpenAPI schema integration, authentication configuration (service accounts, OAuth, API keys, tokens), and TLS and Service Directory setup.
Toolsets belong to CES Apps and reference external infrastructure like service accounts, Secret Manager secrets, and Service Directory services. The examples are intentionally small. Combine them with your own CES App, authentication credentials, and API definitions.
Authenticate with a service account
Conversational AI applications often need to call external APIs on behalf of the system rather than individual users. Service account authentication provides a stable identity for these system-to-system calls.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetOpenapiServiceAccountAuthConfig = new gcp.ces.Toolset("ces_toolset_openapi_service_account_auth_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
openApiToolset: {
openApiSchema: `openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`,
ignoreUnknownFields: false,
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
serviceAccountAuthConfig: {
serviceAccount: "testaccount@gmail.com",
},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_openapi_service_account_auth_config = gcp.ces.Toolset("ces_toolset_openapi_service_account_auth_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
open_api_toolset={
"open_api_schema": """openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""",
"ignore_unknown_fields": False,
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"service_account_auth_config": {
"service_account": "testaccount@gmail.com",
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_openapi_service_account_auth_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
OpenApiToolset: &ces.ToolsetOpenApiToolsetArgs{
OpenApiSchema: pulumi.String(`openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`),
IgnoreUnknownFields: pulumi.Bool(false),
TlsConfig: &ces.ToolsetOpenApiToolsetTlsConfigArgs{
CaCerts: ces.ToolsetOpenApiToolsetTlsConfigCaCertArray{
&ces.ToolsetOpenApiToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetOpenApiToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetOpenApiToolsetApiAuthenticationArgs{
ServiceAccountAuthConfig: &ces.ToolsetOpenApiToolsetApiAuthenticationServiceAccountAuthConfigArgs{
ServiceAccount: pulumi.String("testaccount@gmail.com"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetOpenapiServiceAccountAuthConfig = new Gcp.Ces.Toolset("ces_toolset_openapi_service_account_auth_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
OpenApiToolset = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetArgs
{
OpenApiSchema = @"openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
",
IgnoreUnknownFields = false,
TlsConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationArgs
{
ServiceAccountAuthConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationServiceAccountAuthConfigArgs
{
ServiceAccount = "testaccount@gmail.com",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationServiceAccountAuthConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetOpenapiServiceAccountAuthConfig = new Toolset("cesToolsetOpenapiServiceAccountAuthConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.openApiToolset(ToolsetOpenApiToolsetArgs.builder()
.openApiSchema("""
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""")
.ignoreUnknownFields(false)
.tlsConfig(ToolsetOpenApiToolsetTlsConfigArgs.builder()
.caCerts(ToolsetOpenApiToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetOpenApiToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetOpenApiToolsetApiAuthenticationArgs.builder()
.serviceAccountAuthConfig(ToolsetOpenApiToolsetApiAuthenticationServiceAccountAuthConfigArgs.builder()
.serviceAccount("testaccount@gmail.com")
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetOpenapiServiceAccountAuthConfig:
type: gcp:ces:Toolset
name: ces_toolset_openapi_service_account_auth_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
openApiToolset:
openApiSchema: |
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
ignoreUnknownFields: false
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
serviceAccountAuthConfig:
serviceAccount: testaccount@gmail.com
The openApiToolset property wraps your API definition. The openApiSchema contains the OpenAPI specification that describes available endpoints. Inside apiAuthentication, the serviceAccountAuthConfig specifies which service account identity to use when calling the API. The tlsConfig and serviceDirectoryConfig handle secure connections and service discovery.
Authenticate with OAuth client credentials
Third-party APIs often require OAuth 2.0 client credentials flow for machine-to-machine authentication, exchanging client ID and secret for access tokens.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetOpenapiOauthConfig = new gcp.ces.Toolset("ces_toolset_openapi_oauth_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
openApiToolset: {
openApiSchema: `openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`,
ignoreUnknownFields: false,
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
oauthConfig: {
oauthGrantType: "CLIENT_CREDENTIAL",
clientId: "example_client_id",
clientSecretVersion: "projects/fake-project/secrets/fake-secret/versions/version1",
tokenEndpoint: "123",
scopes: ["scope1"],
},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_openapi_oauth_config = gcp.ces.Toolset("ces_toolset_openapi_oauth_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
open_api_toolset={
"open_api_schema": """openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""",
"ignore_unknown_fields": False,
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"oauth_config": {
"oauth_grant_type": "CLIENT_CREDENTIAL",
"client_id": "example_client_id",
"client_secret_version": "projects/fake-project/secrets/fake-secret/versions/version1",
"token_endpoint": "123",
"scopes": ["scope1"],
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_openapi_oauth_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
OpenApiToolset: &ces.ToolsetOpenApiToolsetArgs{
OpenApiSchema: pulumi.String(`openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`),
IgnoreUnknownFields: pulumi.Bool(false),
TlsConfig: &ces.ToolsetOpenApiToolsetTlsConfigArgs{
CaCerts: ces.ToolsetOpenApiToolsetTlsConfigCaCertArray{
&ces.ToolsetOpenApiToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetOpenApiToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetOpenApiToolsetApiAuthenticationArgs{
OauthConfig: &ces.ToolsetOpenApiToolsetApiAuthenticationOauthConfigArgs{
OauthGrantType: pulumi.String("CLIENT_CREDENTIAL"),
ClientId: pulumi.String("example_client_id"),
ClientSecretVersion: pulumi.String("projects/fake-project/secrets/fake-secret/versions/version1"),
TokenEndpoint: pulumi.String("123"),
Scopes: pulumi.StringArray{
pulumi.String("scope1"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetOpenapiOauthConfig = new Gcp.Ces.Toolset("ces_toolset_openapi_oauth_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
OpenApiToolset = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetArgs
{
OpenApiSchema = @"openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
",
IgnoreUnknownFields = false,
TlsConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationArgs
{
OauthConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationOauthConfigArgs
{
OauthGrantType = "CLIENT_CREDENTIAL",
ClientId = "example_client_id",
ClientSecretVersion = "projects/fake-project/secrets/fake-secret/versions/version1",
TokenEndpoint = "123",
Scopes = new[]
{
"scope1",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationOauthConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetOpenapiOauthConfig = new Toolset("cesToolsetOpenapiOauthConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.openApiToolset(ToolsetOpenApiToolsetArgs.builder()
.openApiSchema("""
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""")
.ignoreUnknownFields(false)
.tlsConfig(ToolsetOpenApiToolsetTlsConfigArgs.builder()
.caCerts(ToolsetOpenApiToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetOpenApiToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetOpenApiToolsetApiAuthenticationArgs.builder()
.oauthConfig(ToolsetOpenApiToolsetApiAuthenticationOauthConfigArgs.builder()
.oauthGrantType("CLIENT_CREDENTIAL")
.clientId("example_client_id")
.clientSecretVersion("projects/fake-project/secrets/fake-secret/versions/version1")
.tokenEndpoint("123")
.scopes("scope1")
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetOpenapiOauthConfig:
type: gcp:ces:Toolset
name: ces_toolset_openapi_oauth_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
openApiToolset:
openApiSchema: |
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
ignoreUnknownFields: false
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
oauthConfig:
oauthGrantType: CLIENT_CREDENTIAL
clientId: example_client_id
clientSecretVersion: projects/fake-project/secrets/fake-secret/versions/version1
tokenEndpoint: '123'
scopes:
- scope1
The oauthConfig property configures OAuth 2.0 client credentials flow. The oauthGrantType specifies CLIENT_CREDENTIAL, while clientId and clientSecretVersion reference your OAuth credentials stored in Secret Manager. The tokenEndpoint is where the toolset exchanges credentials for access tokens, and scopes define the requested permissions.
Authenticate with service agent identity tokens
Google Cloud services can authenticate to each other using identity tokens issued by the service agent, eliminating the need to manage credentials explicitly.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetOpenapiServiceAgentIdTokenAuthConfig = new gcp.ces.Toolset("ces_toolset_openapi_service_agent_id_token_auth_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
openApiToolset: {
openApiSchema: `openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`,
ignoreUnknownFields: false,
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
serviceAgentIdTokenAuthConfig: {},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_openapi_service_agent_id_token_auth_config = gcp.ces.Toolset("ces_toolset_openapi_service_agent_id_token_auth_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
open_api_toolset={
"open_api_schema": """openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""",
"ignore_unknown_fields": False,
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"service_agent_id_token_auth_config": {},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_openapi_service_agent_id_token_auth_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
OpenApiToolset: &ces.ToolsetOpenApiToolsetArgs{
OpenApiSchema: pulumi.String(`openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`),
IgnoreUnknownFields: pulumi.Bool(false),
TlsConfig: &ces.ToolsetOpenApiToolsetTlsConfigArgs{
CaCerts: ces.ToolsetOpenApiToolsetTlsConfigCaCertArray{
&ces.ToolsetOpenApiToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetOpenApiToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetOpenApiToolsetApiAuthenticationArgs{
ServiceAgentIdTokenAuthConfig: &ces.ToolsetOpenApiToolsetApiAuthenticationServiceAgentIdTokenAuthConfigArgs{},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetOpenapiServiceAgentIdTokenAuthConfig = new Gcp.Ces.Toolset("ces_toolset_openapi_service_agent_id_token_auth_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
OpenApiToolset = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetArgs
{
OpenApiSchema = @"openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
",
IgnoreUnknownFields = false,
TlsConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationArgs
{
ServiceAgentIdTokenAuthConfig = null,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationServiceAgentIdTokenAuthConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetOpenapiServiceAgentIdTokenAuthConfig = new Toolset("cesToolsetOpenapiServiceAgentIdTokenAuthConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.openApiToolset(ToolsetOpenApiToolsetArgs.builder()
.openApiSchema("""
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""")
.ignoreUnknownFields(false)
.tlsConfig(ToolsetOpenApiToolsetTlsConfigArgs.builder()
.caCerts(ToolsetOpenApiToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetOpenApiToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetOpenApiToolsetApiAuthenticationArgs.builder()
.serviceAgentIdTokenAuthConfig(ToolsetOpenApiToolsetApiAuthenticationServiceAgentIdTokenAuthConfigArgs.builder()
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetOpenapiServiceAgentIdTokenAuthConfig:
type: gcp:ces:Toolset
name: ces_toolset_openapi_service_agent_id_token_auth_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
openApiToolset:
openApiSchema: |
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
ignoreUnknownFields: false
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
serviceAgentIdTokenAuthConfig: {}
The serviceAgentIdTokenAuthConfig property enables Google-managed authentication. This is the simplest option because you don’t manage credentials; Google Cloud handles token issuance and rotation automatically. Use this when calling Google Cloud APIs or services that accept Google identity tokens.
Authenticate with API keys
Many public APIs use simple API key authentication, passing a static key in request headers or query parameters.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetOpenapiApiKeyConfig = new gcp.ces.Toolset("ces_toolset_openapi_api_key_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
description: "Test description",
executionType: "SYNCHRONOUS",
openApiToolset: {
openApiSchema: `openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`,
ignoreUnknownFields: false,
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
apiKeyConfig: {
keyName: "ExampleKey",
apiKeySecretVersion: "projects/fake-project/secrets/fake-secret/versions/version-1",
requestLocation: "HEADER",
},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_openapi_api_key_config = gcp.ces.Toolset("ces_toolset_openapi_api_key_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
description="Test description",
execution_type="SYNCHRONOUS",
open_api_toolset={
"open_api_schema": """openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""",
"ignore_unknown_fields": False,
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"api_key_config": {
"key_name": "ExampleKey",
"api_key_secret_version": "projects/fake-project/secrets/fake-secret/versions/version-1",
"request_location": "HEADER",
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_openapi_api_key_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
Description: pulumi.String("Test description"),
ExecutionType: pulumi.String("SYNCHRONOUS"),
OpenApiToolset: &ces.ToolsetOpenApiToolsetArgs{
OpenApiSchema: pulumi.String(`openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`),
IgnoreUnknownFields: pulumi.Bool(false),
TlsConfig: &ces.ToolsetOpenApiToolsetTlsConfigArgs{
CaCerts: ces.ToolsetOpenApiToolsetTlsConfigCaCertArray{
&ces.ToolsetOpenApiToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetOpenApiToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetOpenApiToolsetApiAuthenticationArgs{
ApiKeyConfig: &ces.ToolsetOpenApiToolsetApiAuthenticationApiKeyConfigArgs{
KeyName: pulumi.String("ExampleKey"),
ApiKeySecretVersion: pulumi.String("projects/fake-project/secrets/fake-secret/versions/version-1"),
RequestLocation: pulumi.String("HEADER"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetOpenapiApiKeyConfig = new Gcp.Ces.Toolset("ces_toolset_openapi_api_key_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
Description = "Test description",
ExecutionType = "SYNCHRONOUS",
OpenApiToolset = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetArgs
{
OpenApiSchema = @"openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
",
IgnoreUnknownFields = false,
TlsConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationArgs
{
ApiKeyConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationApiKeyConfigArgs
{
KeyName = "ExampleKey",
ApiKeySecretVersion = "projects/fake-project/secrets/fake-secret/versions/version-1",
RequestLocation = "HEADER",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationApiKeyConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetOpenapiApiKeyConfig = new Toolset("cesToolsetOpenapiApiKeyConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.description("Test description")
.executionType("SYNCHRONOUS")
.openApiToolset(ToolsetOpenApiToolsetArgs.builder()
.openApiSchema("""
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""")
.ignoreUnknownFields(false)
.tlsConfig(ToolsetOpenApiToolsetTlsConfigArgs.builder()
.caCerts(ToolsetOpenApiToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetOpenApiToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetOpenApiToolsetApiAuthenticationArgs.builder()
.apiKeyConfig(ToolsetOpenApiToolsetApiAuthenticationApiKeyConfigArgs.builder()
.keyName("ExampleKey")
.apiKeySecretVersion("projects/fake-project/secrets/fake-secret/versions/version-1")
.requestLocation("HEADER")
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetOpenapiApiKeyConfig:
type: gcp:ces:Toolset
name: ces_toolset_openapi_api_key_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
description: Test description
executionType: SYNCHRONOUS
openApiToolset:
openApiSchema: |
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
ignoreUnknownFields: false
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
apiKeyConfig:
keyName: ExampleKey
apiKeySecretVersion: projects/fake-project/secrets/fake-secret/versions/version-1
requestLocation: HEADER
The apiKeyConfig property configures API key authentication. The keyName specifies the parameter name (e.g., “ExampleKey”), apiKeySecretVersion points to the key stored in Secret Manager, and requestLocation determines whether the key goes in the HEADER or query string. The executionType property controls whether API calls run synchronously or asynchronously.
Authenticate with bearer tokens from context
Applications that already have authentication tokens in their execution context can pass those tokens directly to external APIs without additional credential management.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetBearerTokenConfig = new gcp.ces.Toolset("ces_toolset_bearer_token_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
openApiToolset: {
openApiSchema: `openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`,
ignoreUnknownFields: false,
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
bearerTokenConfig: {
token: "$context.variables.my_ces_toolset_auth_token",
},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_bearer_token_config = gcp.ces.Toolset("ces_toolset_bearer_token_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
open_api_toolset={
"open_api_schema": """openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""",
"ignore_unknown_fields": False,
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"bearer_token_config": {
"token": "$context.variables.my_ces_toolset_auth_token",
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_bearer_token_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
OpenApiToolset: &ces.ToolsetOpenApiToolsetArgs{
OpenApiSchema: pulumi.String(`openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`),
IgnoreUnknownFields: pulumi.Bool(false),
TlsConfig: &ces.ToolsetOpenApiToolsetTlsConfigArgs{
CaCerts: ces.ToolsetOpenApiToolsetTlsConfigCaCertArray{
&ces.ToolsetOpenApiToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetOpenApiToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetOpenApiToolsetApiAuthenticationArgs{
BearerTokenConfig: &ces.ToolsetOpenApiToolsetApiAuthenticationBearerTokenConfigArgs{
Token: pulumi.String("$context.variables.my_ces_toolset_auth_token"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetBearerTokenConfig = new Gcp.Ces.Toolset("ces_toolset_bearer_token_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
OpenApiToolset = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetArgs
{
OpenApiSchema = @"openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
",
IgnoreUnknownFields = false,
TlsConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationArgs
{
BearerTokenConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationBearerTokenConfigArgs
{
Token = "$context.variables.my_ces_toolset_auth_token",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationBearerTokenConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetBearerTokenConfig = new Toolset("cesToolsetBearerTokenConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.openApiToolset(ToolsetOpenApiToolsetArgs.builder()
.openApiSchema("""
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""")
.ignoreUnknownFields(false)
.tlsConfig(ToolsetOpenApiToolsetTlsConfigArgs.builder()
.caCerts(ToolsetOpenApiToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetOpenApiToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetOpenApiToolsetApiAuthenticationArgs.builder()
.bearerTokenConfig(ToolsetOpenApiToolsetApiAuthenticationBearerTokenConfigArgs.builder()
.token("$context.variables.my_ces_toolset_auth_token")
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetBearerTokenConfig:
type: gcp:ces:Toolset
name: ces_toolset_bearer_token_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
openApiToolset:
openApiSchema: |
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
ignoreUnknownFields: false
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
bearerTokenConfig:
token: $context.variables.my_ces_toolset_auth_token
The bearerTokenConfig property forwards existing tokens to the API. The token property references a context variable using the syntax $context.variables.my_ces_toolset_auth_token. Your application must populate this variable at runtime before the toolset makes API calls.
Beyond these examples
These snippets focus on specific toolset-level features: OpenAPI schema integration, authentication methods (service accounts, OAuth, API keys, bearer tokens), and TLS and Service Directory configuration. They’re intentionally minimal rather than full conversational AI applications.
The examples reference pre-existing infrastructure such as CES App (parent resource), service accounts, OAuth clients, or Secret Manager secrets, Service Directory services, and CA certificates for TLS. They focus on configuring the toolset rather than provisioning everything around it.
To keep things focused, common toolset patterns are omitted, including:
- OpenAPI schema content (paths, operations, parameters)
- Error handling and retry configuration
- Execution type tuning (synchronous vs asynchronous)
- Multi-language support and localization
These omissions are intentional: the goal is to illustrate how each authentication method is wired, not provide drop-in API integration modules. See the CES Toolset resource reference for all available configuration options.
Let's configure GCP Cloud Execution Service Toolsets
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Setup
What properties can't I change after creating a toolset?
The
app, location, project, and toolsetId properties are immutable and cannot be changed after creation. You’ll need to recreate the toolset to modify these values.Why is my toolset displayName being rejected?
The
displayName must be unique within the same parent app. Check for existing toolsets with the same display name in your app.Do I need to create an App before creating a Toolset?
Yes, a toolset requires a parent
gcp.ces.App resource. All examples create the app first, then reference it using the app property.Authentication Methods
What authentication methods are supported for OpenAPI toolsets?
Five authentication methods are available within apiAuthentication:
- Service Account -
serviceAccountAuthConfigwith service account email - OAuth -
oauthConfigwith client credentials and token endpoint - Service Agent ID Token -
serviceAgentIdTokenAuthConfig(empty config object) - API Key -
apiKeyConfigwith key name and secret version - Bearer Token -
bearerTokenConfigwith token reference
Execution & Behavior
What's the difference between synchronous and asynchronous execution?
The
executionType property accepts two values: SYNCHRONOUS or ASYNCHRONOUS. The schema doesn’t specify behavioral differences, but this controls how the toolset executes operations.What format should the OpenAPI schema be in?
The
openApiSchema property accepts inline YAML format. All examples show OpenAPI 3.0.0 specifications with info, servers, and paths sections.Using a different cloud?
Explore integration guides for other cloud providers: