The gcp:ces/toolset:Toolset resource, part of the Pulumi GCP provider, defines a toolset that exposes external API tools to conversational AI applications through OpenAPI schemas or Model Context Protocol (MCP) servers. This guide focuses on three capabilities: OpenAPI and MCP toolset configuration, authentication methods (service accounts, OAuth, API keys), and TLS and Service Directory integration.
Toolsets belong to CES Apps and reference service accounts, Secret Manager secrets, and Service Directory services for authentication and routing. The examples are intentionally small. Combine them with your own App resources, IAM configuration, and API endpoints.
Connect OpenAPI tools with service account authentication
Teams building conversational AI applications often integrate external APIs defined by OpenAPI schemas. Service account authentication provides secure, automated access without managing user credentials.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetOpenapiServiceAccountAuthConfig = new gcp.ces.Toolset("ces_toolset_openapi_service_account_auth_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
openApiToolset: {
openApiSchema: `openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`,
ignoreUnknownFields: false,
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
serviceAccountAuthConfig: {
serviceAccount: "my@service-account.com",
scopes: ["scope1"],
},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_openapi_service_account_auth_config = gcp.ces.Toolset("ces_toolset_openapi_service_account_auth_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
open_api_toolset={
"open_api_schema": """openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""",
"ignore_unknown_fields": False,
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"service_account_auth_config": {
"service_account": "my@service-account.com",
"scopes": ["scope1"],
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_openapi_service_account_auth_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
OpenApiToolset: &ces.ToolsetOpenApiToolsetArgs{
OpenApiSchema: pulumi.String(`openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`),
IgnoreUnknownFields: pulumi.Bool(false),
TlsConfig: &ces.ToolsetOpenApiToolsetTlsConfigArgs{
CaCerts: ces.ToolsetOpenApiToolsetTlsConfigCaCertArray{
&ces.ToolsetOpenApiToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetOpenApiToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetOpenApiToolsetApiAuthenticationArgs{
ServiceAccountAuthConfig: &ces.ToolsetOpenApiToolsetApiAuthenticationServiceAccountAuthConfigArgs{
ServiceAccount: pulumi.String("my@service-account.com"),
Scopes: pulumi.StringArray{
pulumi.String("scope1"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetOpenapiServiceAccountAuthConfig = new Gcp.Ces.Toolset("ces_toolset_openapi_service_account_auth_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
OpenApiToolset = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetArgs
{
OpenApiSchema = @"openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
",
IgnoreUnknownFields = false,
TlsConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationArgs
{
ServiceAccountAuthConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationServiceAccountAuthConfigArgs
{
ServiceAccount = "my@service-account.com",
Scopes = new[]
{
"scope1",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationServiceAccountAuthConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetOpenapiServiceAccountAuthConfig = new Toolset("cesToolsetOpenapiServiceAccountAuthConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.openApiToolset(ToolsetOpenApiToolsetArgs.builder()
.openApiSchema("""
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""")
.ignoreUnknownFields(false)
.tlsConfig(ToolsetOpenApiToolsetTlsConfigArgs.builder()
.caCerts(ToolsetOpenApiToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetOpenApiToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetOpenApiToolsetApiAuthenticationArgs.builder()
.serviceAccountAuthConfig(ToolsetOpenApiToolsetApiAuthenticationServiceAccountAuthConfigArgs.builder()
.serviceAccount("my@service-account.com")
.scopes("scope1")
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetOpenapiServiceAccountAuthConfig:
type: gcp:ces:Toolset
name: ces_toolset_openapi_service_account_auth_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
openApiToolset:
openApiSchema: |
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
ignoreUnknownFields: false
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
serviceAccountAuthConfig:
serviceAccount: my@service-account.com
scopes:
- scope1
The openApiToolset property defines the API schema and authentication. The openApiSchema contains the OpenAPI specification as a YAML string. The apiAuthentication block configures how the toolset authenticates to the API; serviceAccountAuthConfig uses a GCP service account with specified scopes. The tlsConfig provides custom CA certificates for TLS validation, and serviceDirectoryConfig routes requests through Service Directory.
Authenticate OpenAPI tools with API keys
Many third-party APIs use API keys for authentication. Toolsets retrieve keys from Secret Manager and inject them into requests.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetOpenapiApiKeyConfig = new gcp.ces.Toolset("ces_toolset_openapi_api_key_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
description: "Test description",
executionType: "SYNCHRONOUS",
openApiToolset: {
openApiSchema: `openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`,
ignoreUnknownFields: false,
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
apiKeyConfig: {
keyName: "ExampleKey",
apiKeySecretVersion: "projects/fake-project/secrets/fake-secret/versions/version-1",
requestLocation: "HEADER",
},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_openapi_api_key_config = gcp.ces.Toolset("ces_toolset_openapi_api_key_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
description="Test description",
execution_type="SYNCHRONOUS",
open_api_toolset={
"open_api_schema": """openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""",
"ignore_unknown_fields": False,
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"api_key_config": {
"key_name": "ExampleKey",
"api_key_secret_version": "projects/fake-project/secrets/fake-secret/versions/version-1",
"request_location": "HEADER",
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_openapi_api_key_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
Description: pulumi.String("Test description"),
ExecutionType: pulumi.String("SYNCHRONOUS"),
OpenApiToolset: &ces.ToolsetOpenApiToolsetArgs{
OpenApiSchema: pulumi.String(`openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`),
IgnoreUnknownFields: pulumi.Bool(false),
TlsConfig: &ces.ToolsetOpenApiToolsetTlsConfigArgs{
CaCerts: ces.ToolsetOpenApiToolsetTlsConfigCaCertArray{
&ces.ToolsetOpenApiToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetOpenApiToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetOpenApiToolsetApiAuthenticationArgs{
ApiKeyConfig: &ces.ToolsetOpenApiToolsetApiAuthenticationApiKeyConfigArgs{
KeyName: pulumi.String("ExampleKey"),
ApiKeySecretVersion: pulumi.String("projects/fake-project/secrets/fake-secret/versions/version-1"),
RequestLocation: pulumi.String("HEADER"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetOpenapiApiKeyConfig = new Gcp.Ces.Toolset("ces_toolset_openapi_api_key_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
Description = "Test description",
ExecutionType = "SYNCHRONOUS",
OpenApiToolset = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetArgs
{
OpenApiSchema = @"openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
",
IgnoreUnknownFields = false,
TlsConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationArgs
{
ApiKeyConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationApiKeyConfigArgs
{
KeyName = "ExampleKey",
ApiKeySecretVersion = "projects/fake-project/secrets/fake-secret/versions/version-1",
RequestLocation = "HEADER",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationApiKeyConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetOpenapiApiKeyConfig = new Toolset("cesToolsetOpenapiApiKeyConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.description("Test description")
.executionType("SYNCHRONOUS")
.openApiToolset(ToolsetOpenApiToolsetArgs.builder()
.openApiSchema("""
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""")
.ignoreUnknownFields(false)
.tlsConfig(ToolsetOpenApiToolsetTlsConfigArgs.builder()
.caCerts(ToolsetOpenApiToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetOpenApiToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetOpenApiToolsetApiAuthenticationArgs.builder()
.apiKeyConfig(ToolsetOpenApiToolsetApiAuthenticationApiKeyConfigArgs.builder()
.keyName("ExampleKey")
.apiKeySecretVersion("projects/fake-project/secrets/fake-secret/versions/version-1")
.requestLocation("HEADER")
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetOpenapiApiKeyConfig:
type: gcp:ces:Toolset
name: ces_toolset_openapi_api_key_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
description: Test description
executionType: SYNCHRONOUS
openApiToolset:
openApiSchema: |
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
ignoreUnknownFields: false
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
apiKeyConfig:
keyName: ExampleKey
apiKeySecretVersion: projects/fake-project/secrets/fake-secret/versions/version-1
requestLocation: HEADER
The apiKeyConfig block specifies the key name, Secret Manager version containing the key, and where to place it in requests (HEADER or query parameter). The executionType property controls whether tool calls run synchronously or asynchronously. The toolset retrieves the API key from Secret Manager at runtime and includes it in outbound requests according to requestLocation.
Connect MCP servers with service account authentication
Model Context Protocol (MCP) servers expose tools through a standardized interface. Service account authentication enables secure, automated access to MCP endpoints.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetMcpServiceAccountAuthConfig = new gcp.ces.Toolset("ces_toolset_mcp_service_account_auth_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
mcpToolset: {
serverAddress: "https://api.example.com/mcp/",
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
serviceAccountAuthConfig: {
serviceAccount: "my@service-account.com",
scopes: ["scope1"],
},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_mcp_service_account_auth_config = gcp.ces.Toolset("ces_toolset_mcp_service_account_auth_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
mcp_toolset={
"server_address": "https://api.example.com/mcp/",
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"service_account_auth_config": {
"service_account": "my@service-account.com",
"scopes": ["scope1"],
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_mcp_service_account_auth_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
McpToolset: &ces.ToolsetMcpToolsetArgs{
ServerAddress: pulumi.String("https://api.example.com/mcp/"),
TlsConfig: &ces.ToolsetMcpToolsetTlsConfigArgs{
CaCerts: ces.ToolsetMcpToolsetTlsConfigCaCertArray{
&ces.ToolsetMcpToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetMcpToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetMcpToolsetApiAuthenticationArgs{
ServiceAccountAuthConfig: &ces.ToolsetMcpToolsetApiAuthenticationServiceAccountAuthConfigArgs{
ServiceAccount: pulumi.String("my@service-account.com"),
Scopes: pulumi.StringArray{
pulumi.String("scope1"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetMcpServiceAccountAuthConfig = new Gcp.Ces.Toolset("ces_toolset_mcp_service_account_auth_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
McpToolset = new Gcp.Ces.Inputs.ToolsetMcpToolsetArgs
{
ServerAddress = "https://api.example.com/mcp/",
TlsConfig = new Gcp.Ces.Inputs.ToolsetMcpToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetMcpToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetMcpToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetMcpToolsetApiAuthenticationArgs
{
ServiceAccountAuthConfig = new Gcp.Ces.Inputs.ToolsetMcpToolsetApiAuthenticationServiceAccountAuthConfigArgs
{
ServiceAccount = "my@service-account.com",
Scopes = new[]
{
"scope1",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetMcpToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetMcpToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetMcpToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetMcpToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetMcpToolsetApiAuthenticationServiceAccountAuthConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetMcpServiceAccountAuthConfig = new Toolset("cesToolsetMcpServiceAccountAuthConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.mcpToolset(ToolsetMcpToolsetArgs.builder()
.serverAddress("https://api.example.com/mcp/")
.tlsConfig(ToolsetMcpToolsetTlsConfigArgs.builder()
.caCerts(ToolsetMcpToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetMcpToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetMcpToolsetApiAuthenticationArgs.builder()
.serviceAccountAuthConfig(ToolsetMcpToolsetApiAuthenticationServiceAccountAuthConfigArgs.builder()
.serviceAccount("my@service-account.com")
.scopes("scope1")
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetMcpServiceAccountAuthConfig:
type: gcp:ces:Toolset
name: ces_toolset_mcp_service_account_auth_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
mcpToolset:
serverAddress: https://api.example.com/mcp/
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
serviceAccountAuthConfig:
serviceAccount: my@service-account.com
scopes:
- scope1
The mcpToolset property replaces openApiToolset for MCP-based integrations. The serverAddress points to the MCP endpoint. Authentication, TLS, and routing configuration work identically to OpenAPI toolsets. MCP servers dynamically expose their available tools; the toolset discovers them at runtime rather than requiring an upfront schema.
Authenticate OpenAPI tools with OAuth client credentials
OAuth 2.0 client credentials flow provides token-based authentication for machine-to-machine API access without user interaction.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cesAppForToolset = new gcp.ces.App("ces_app_for_toolset", {
appId: "app-id",
location: "us",
description: "App used as parent for CES Toolset example",
displayName: "my-app",
languageSettings: {
defaultLanguageCode: "en-US",
supportedLanguageCodes: [
"es-ES",
"fr-FR",
],
enableMultilingualSupport: true,
fallbackAction: "escalate",
},
timeZoneSettings: {
timeZone: "America/Los_Angeles",
},
});
const cesToolsetOpenapiOauthConfig = new gcp.ces.Toolset("ces_toolset_openapi_oauth_config", {
toolsetId: "toolset1",
location: "us",
app: cesAppForToolset.appId,
displayName: "Basic toolset display name",
openApiToolset: {
openApiSchema: `openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`,
ignoreUnknownFields: false,
tlsConfig: {
caCerts: [{
displayName: "example",
cert: "ZXhhbXBsZQ==",
}],
},
serviceDirectoryConfig: {
service: "projects/example/locations/us/namespaces/namespace/services/service",
},
apiAuthentication: {
oauthConfig: {
oauthGrantType: "CLIENT_CREDENTIAL",
clientId: "example_client_id",
clientSecretVersion: "projects/fake-project/secrets/fake-secret/versions/version1",
tokenEndpoint: "123",
scopes: ["scope1"],
},
},
},
});
import pulumi
import pulumi_gcp as gcp
ces_app_for_toolset = gcp.ces.App("ces_app_for_toolset",
app_id="app-id",
location="us",
description="App used as parent for CES Toolset example",
display_name="my-app",
language_settings={
"default_language_code": "en-US",
"supported_language_codes": [
"es-ES",
"fr-FR",
],
"enable_multilingual_support": True,
"fallback_action": "escalate",
},
time_zone_settings={
"time_zone": "America/Los_Angeles",
})
ces_toolset_openapi_oauth_config = gcp.ces.Toolset("ces_toolset_openapi_oauth_config",
toolset_id="toolset1",
location="us",
app=ces_app_for_toolset.app_id,
display_name="Basic toolset display name",
open_api_toolset={
"open_api_schema": """openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""",
"ignore_unknown_fields": False,
"tls_config": {
"ca_certs": [{
"display_name": "example",
"cert": "ZXhhbXBsZQ==",
}],
},
"service_directory_config": {
"service": "projects/example/locations/us/namespaces/namespace/services/service",
},
"api_authentication": {
"oauth_config": {
"oauth_grant_type": "CLIENT_CREDENTIAL",
"client_id": "example_client_id",
"client_secret_version": "projects/fake-project/secrets/fake-secret/versions/version1",
"token_endpoint": "123",
"scopes": ["scope1"],
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/ces"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cesAppForToolset, err := ces.NewApp(ctx, "ces_app_for_toolset", &ces.AppArgs{
AppId: pulumi.String("app-id"),
Location: pulumi.String("us"),
Description: pulumi.String("App used as parent for CES Toolset example"),
DisplayName: pulumi.String("my-app"),
LanguageSettings: &ces.AppLanguageSettingsArgs{
DefaultLanguageCode: pulumi.String("en-US"),
SupportedLanguageCodes: pulumi.StringArray{
pulumi.String("es-ES"),
pulumi.String("fr-FR"),
},
EnableMultilingualSupport: pulumi.Bool(true),
FallbackAction: pulumi.String("escalate"),
},
TimeZoneSettings: &ces.AppTimeZoneSettingsArgs{
TimeZone: pulumi.String("America/Los_Angeles"),
},
})
if err != nil {
return err
}
_, err = ces.NewToolset(ctx, "ces_toolset_openapi_oauth_config", &ces.ToolsetArgs{
ToolsetId: pulumi.String("toolset1"),
Location: pulumi.String("us"),
App: cesAppForToolset.AppId,
DisplayName: pulumi.String("Basic toolset display name"),
OpenApiToolset: &ces.ToolsetOpenApiToolsetArgs{
OpenApiSchema: pulumi.String(`openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
`),
IgnoreUnknownFields: pulumi.Bool(false),
TlsConfig: &ces.ToolsetOpenApiToolsetTlsConfigArgs{
CaCerts: ces.ToolsetOpenApiToolsetTlsConfigCaCertArray{
&ces.ToolsetOpenApiToolsetTlsConfigCaCertArgs{
DisplayName: pulumi.String("example"),
Cert: pulumi.String("ZXhhbXBsZQ=="),
},
},
},
ServiceDirectoryConfig: &ces.ToolsetOpenApiToolsetServiceDirectoryConfigArgs{
Service: pulumi.String("projects/example/locations/us/namespaces/namespace/services/service"),
},
ApiAuthentication: &ces.ToolsetOpenApiToolsetApiAuthenticationArgs{
OauthConfig: &ces.ToolsetOpenApiToolsetApiAuthenticationOauthConfigArgs{
OauthGrantType: pulumi.String("CLIENT_CREDENTIAL"),
ClientId: pulumi.String("example_client_id"),
ClientSecretVersion: pulumi.String("projects/fake-project/secrets/fake-secret/versions/version1"),
TokenEndpoint: pulumi.String("123"),
Scopes: pulumi.StringArray{
pulumi.String("scope1"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var cesAppForToolset = new Gcp.Ces.App("ces_app_for_toolset", new()
{
AppId = "app-id",
Location = "us",
Description = "App used as parent for CES Toolset example",
DisplayName = "my-app",
LanguageSettings = new Gcp.Ces.Inputs.AppLanguageSettingsArgs
{
DefaultLanguageCode = "en-US",
SupportedLanguageCodes = new[]
{
"es-ES",
"fr-FR",
},
EnableMultilingualSupport = true,
FallbackAction = "escalate",
},
TimeZoneSettings = new Gcp.Ces.Inputs.AppTimeZoneSettingsArgs
{
TimeZone = "America/Los_Angeles",
},
});
var cesToolsetOpenapiOauthConfig = new Gcp.Ces.Toolset("ces_toolset_openapi_oauth_config", new()
{
ToolsetId = "toolset1",
Location = "us",
App = cesAppForToolset.AppId,
DisplayName = "Basic toolset display name",
OpenApiToolset = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetArgs
{
OpenApiSchema = @"openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
",
IgnoreUnknownFields = false,
TlsConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigArgs
{
CaCerts = new[]
{
new Gcp.Ces.Inputs.ToolsetOpenApiToolsetTlsConfigCaCertArgs
{
DisplayName = "example",
Cert = "ZXhhbXBsZQ==",
},
},
},
ServiceDirectoryConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs
{
Service = "projects/example/locations/us/namespaces/namespace/services/service",
},
ApiAuthentication = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationArgs
{
OauthConfig = new Gcp.Ces.Inputs.ToolsetOpenApiToolsetApiAuthenticationOauthConfigArgs
{
OauthGrantType = "CLIENT_CREDENTIAL",
ClientId = "example_client_id",
ClientSecretVersion = "projects/fake-project/secrets/fake-secret/versions/version1",
TokenEndpoint = "123",
Scopes = new[]
{
"scope1",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.ces.App;
import com.pulumi.gcp.ces.AppArgs;
import com.pulumi.gcp.ces.inputs.AppLanguageSettingsArgs;
import com.pulumi.gcp.ces.inputs.AppTimeZoneSettingsArgs;
import com.pulumi.gcp.ces.Toolset;
import com.pulumi.gcp.ces.ToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetTlsConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetServiceDirectoryConfigArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationArgs;
import com.pulumi.gcp.ces.inputs.ToolsetOpenApiToolsetApiAuthenticationOauthConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cesAppForToolset = new App("cesAppForToolset", AppArgs.builder()
.appId("app-id")
.location("us")
.description("App used as parent for CES Toolset example")
.displayName("my-app")
.languageSettings(AppLanguageSettingsArgs.builder()
.defaultLanguageCode("en-US")
.supportedLanguageCodes(
"es-ES",
"fr-FR")
.enableMultilingualSupport(true)
.fallbackAction("escalate")
.build())
.timeZoneSettings(AppTimeZoneSettingsArgs.builder()
.timeZone("America/Los_Angeles")
.build())
.build());
var cesToolsetOpenapiOauthConfig = new Toolset("cesToolsetOpenapiOauthConfig", ToolsetArgs.builder()
.toolsetId("toolset1")
.location("us")
.app(cesAppForToolset.appId())
.displayName("Basic toolset display name")
.openApiToolset(ToolsetOpenApiToolsetArgs.builder()
.openApiSchema("""
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
""")
.ignoreUnknownFields(false)
.tlsConfig(ToolsetOpenApiToolsetTlsConfigArgs.builder()
.caCerts(ToolsetOpenApiToolsetTlsConfigCaCertArgs.builder()
.displayName("example")
.cert("ZXhhbXBsZQ==")
.build())
.build())
.serviceDirectoryConfig(ToolsetOpenApiToolsetServiceDirectoryConfigArgs.builder()
.service("projects/example/locations/us/namespaces/namespace/services/service")
.build())
.apiAuthentication(ToolsetOpenApiToolsetApiAuthenticationArgs.builder()
.oauthConfig(ToolsetOpenApiToolsetApiAuthenticationOauthConfigArgs.builder()
.oauthGrantType("CLIENT_CREDENTIAL")
.clientId("example_client_id")
.clientSecretVersion("projects/fake-project/secrets/fake-secret/versions/version1")
.tokenEndpoint("123")
.scopes("scope1")
.build())
.build())
.build())
.build());
}
}
resources:
cesAppForToolset:
type: gcp:ces:App
name: ces_app_for_toolset
properties:
appId: app-id
location: us
description: App used as parent for CES Toolset example
displayName: my-app
languageSettings:
defaultLanguageCode: en-US
supportedLanguageCodes:
- es-ES
- fr-FR
enableMultilingualSupport: true
fallbackAction: escalate
timeZoneSettings:
timeZone: America/Los_Angeles
cesToolsetOpenapiOauthConfig:
type: gcp:ces:Toolset
name: ces_toolset_openapi_oauth_config
properties:
toolsetId: toolset1
location: us
app: ${cesAppForToolset.appId}
displayName: Basic toolset display name
openApiToolset:
openApiSchema: |
openapi: 3.0.0
info:
title: My Sample API
version: 1.0.0
description: A simple API example
servers:
- url: https://api.example.com/v1
paths: {}
ignoreUnknownFields: false
tlsConfig:
caCerts:
- displayName: example
cert: ZXhhbXBsZQ==
serviceDirectoryConfig:
service: projects/example/locations/us/namespaces/namespace/services/service
apiAuthentication:
oauthConfig:
oauthGrantType: CLIENT_CREDENTIAL
clientId: example_client_id
clientSecretVersion: projects/fake-project/secrets/fake-secret/versions/version1
tokenEndpoint: '123'
scopes:
- scope1
The oauthConfig block configures OAuth 2.0 client credentials flow. The oauthGrantType specifies CLIENT_CREDENTIAL for machine-to-machine authentication. The clientId and clientSecretVersion reference OAuth credentials stored in Secret Manager. The tokenEndpoint is where the toolset exchanges credentials for access tokens. The toolset automatically handles token refresh and includes tokens in API requests.
Beyond these examples
These snippets focus on specific toolset features: OpenAPI and MCP toolset integration, authentication methods (service accounts, OAuth, API keys, bearer tokens), and TLS configuration and Service Directory routing. They’re intentionally minimal rather than full conversational AI applications.
The examples reference pre-existing infrastructure such as CES App parent resources, service accounts with appropriate IAM permissions, Secret Manager secrets for API keys and OAuth credentials, and Service Directory services for routing. They focus on configuring the toolset rather than provisioning the surrounding infrastructure.
To keep things focused, common toolset patterns are omitted, including:
- Service agent ID token authentication (serviceAgentIdTokenAuthConfig)
- Bearer token authentication with context variables
- Execution type configuration (SYNCHRONOUS vs ASYNCHRONOUS)
- Schema validation options (ignoreUnknownFields)
These omissions are intentional: the goal is to illustrate how each toolset feature is wired, not provide drop-in AI integration modules. See the CES Toolset resource reference for all available configuration options.
Let's configure GCP Cloud Execution Service Toolsets
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Configuration & Constraints
What properties can't I change after creating a toolset?
The
app, location, project, and toolsetId properties are immutable and require resource replacement if changed.Do I need to create a CES App before creating a toolset?
Yes, a
gcp.ces.App resource must exist first. All examples create the app resource before referencing it in the toolset’s app property.What are the constraints on displayName?
The
displayName must be unique within the same app.What happens if I don't provide a toolsetId?
A unique ID will be automatically assigned for the toolset if
toolsetId is not provided.Toolset Types & Execution
What's the difference between OpenAPI and MCP toolsets?
OpenAPI toolsets are defined by an OpenAPI schema (
openApiToolset), while MCP toolsets contain tools offered by an MCP server with a serverAddress (mcpToolset).What's the difference between SYNCHRONOUS and ASYNCHRONOUS execution?
The
executionType property controls whether toolset operations run synchronously or asynchronously. Set to SYNCHRONOUS or ASYNCHRONOUS.Authentication
What authentication methods are available for toolsets?
Five authentication methods are supported: Service Account (
serviceAccountAuthConfig), OAuth (oauthConfig), Service Agent ID Token (serviceAgentIdTokenAuthConfig), API Key (apiKeyConfig), and Bearer Token (bearerTokenConfig).How do I use bearer token authentication with context variables?
Set
bearerTokenConfig.token to a context variable reference like $context.variables.my_ces_toolset_auth_token.Import & Management
How do I import an existing toolset?
Use one of three formats:
projects/{{project}}/locations/{{location}}/apps/{{app}}/toolsets/{{toolset_id}}, {{project}}/{{location}}/{{app}}/{{toolset_id}}, or {{location}}/{{app}}/{{toolset_id}}.Using a different cloud?
Explore integration guides for other cloud providers: