PERMISSION_DENIED: integrations.integrations.invoke denied

I’m building a Vertex AI Agent using the Agent Development Kit (ADK), deployed on an Agent Engine in us-central1.

This agent uses a Google Cloud Application Integration named ListFile2, also located in us-central1, to interact with Google Drive.

I granted the service account service-[PROJECT_NUMBER]@gcp-sa-aiplatform.iam.gserviceaccount.com the following roles:

  • roles/aiplatform.serviceAgent

  • roles/iam.serviceAccountTokenCreator

  • roles/iam.serviceAccountUser

  • roles/integrations.integrationInvoker

However, I’m still encountering the following error:

Execution Error:
{
  "error": {
    "code": 403,
    "message": "Permission 'integrations.integrations.invoke' denied on resource '//integrations.googleapis.com/projects/[PROJECT_ID]/locations/us-central1/integrations/ListFile2' (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "integrations.googleapis.com",
        "metadata": {
          "resource": "projects/[PROJECT_ID]/locations/us-central1/integrations/ListFile2",
          "permission": "integrations.integrations.invoke"
        }
      }
    ]
  }
}

Hi @oumaima ,

Can you confirm that your runtime agent is using the identity that matches your service account? (account service-[PROJECT_NUMBER]@gcp-sa-aiplatform.iam.gserviceaccount.com).

The ADK agent code has to be deployed to a runtime, and that runtime must use the service account identity which was assigned the IntegrationInvoker role (roles/integrations.integrationInvoker), or you also need to grant this role to whichever identity is running the ADK code.

I hope that helps!


1 Like

Thank you for your response @shaaland.
I deployed the agent to Agent Engine in Vertex AI and successfully created a session.
However, I’m not sure which service account is being used at runtime.
Is there a way to verify which identity the runtime is using?

Thank you again for the help

Thank you for the follow-up @oumaima. After reviewing this, we advise reaching out to support. They can then involve a specialized team to provide a solution and tailored guidance.

We appreciate you engaging in the forum, and please don’t hesitate to reach out with any future questions.

Hi @oumaima ,
I think Application Integration Invoker permissions should be granted to AI Platform Reasoning Engine Service Agent which should match: service-@gcp-sa-aiplatform-re.iam.gserviceaccount.com (Ref: https://cloud.google.com/vertex-ai/generative-ai/docs/agent-engine/set-up#service-agent). Can you please try and let us know if it works.

2 Likes
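The thread turns on which of two Vertex AI service agents actually runs the deployed ADK code: the original grants went to the AI Platform service agent (gcp-sa-aiplatform), while the last reply points at the Reasoning Engine service agent (gcp-sa-aiplatform-re). The script below is an added example, not code from the thread or from Google; it takes a project IAM policy (as produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`) and reports which of the two agents holds roles/integrations.integrationInvoker, then prints the gcloud command to grant the missing binding. The project number and the embedded sample policy are constructed for illustration; the sample mirrors the grants described in the first post, so the audit flags the Reasoning Engine agent as missing the role.

```python
"""Audit which Vertex AI service agents hold the Application Integration invoker role.

Added example for the thread above (not the poster's or Google's code).
Input: a project IAM policy as JSON on stdin, e.g.
    gcloud projects get-iam-policy PROJECT_ID --format=json | python audit_invoker.py PROJECT_NUMBER
With no stdin, a constructed sample policy is audited instead.
"""
import json
import sys

INVOKER_ROLE = "roles/integrations.integrationInvoker"


def vertex_service_agents(project_number: str) -> dict:
    """Service agent emails named in the thread, derived from the project number."""
    return {
        "aiplatform": f"service-{project_number}@gcp-sa-aiplatform.iam.gserviceaccount.com",
        "reasoning_engine": f"service-{project_number}@gcp-sa-aiplatform-re.iam.gserviceaccount.com",
    }


def members_with_role(policy: dict, role: str) -> set:
    """Members bound to `role` without an IAM condition.

    Conditional bindings are skipped on purpose: they may not apply to the
    Agent Engine runtime, so they must not count as an effective grant.
    """
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and not binding.get("condition"):
            members.update(binding.get("members", []))
    return members


def audit_invoker(policy: dict, project_number: str) -> dict:
    """Map each Vertex AI service agent to whether it holds the invoker role."""
    holders = members_with_role(policy, INVOKER_ROLE)
    return {
        name: f"serviceAccount:{email}" in holders
        for name, email in vertex_service_agents(project_number).items()
    }


def grant_command(project_id: str, email: str) -> str:
    """gcloud command that adds the invoker binding for one service agent."""
    return (
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member=serviceAccount:{email} --role={INVOKER_ROLE}"
    )


# Constructed sample: the roles from the first post, all granted to the
# gcp-sa-aiplatform agent only, as returned by `gcloud projects get-iam-policy`.
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": role,
            "members": [
                f"serviceAccount:service-{SAMPLE_PROJECT_NUMBER}@gcp-sa-aiplatform.iam.gserviceaccount.com"
            ],
        }
        for role in (
            "roles/aiplatform.serviceAgent",
            "roles/iam.serviceAccountTokenCreator",
            "roles/iam.serviceAccountUser",
            INVOKER_ROLE,
        )
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}


def main() -> None:
    project_number = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_PROJECT_NUMBER
    project_id = sys.argv[2] if len(sys.argv) > 2 else "[PROJECT_ID]"
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    result = audit_invoker(policy, project_number)
    for name, email in vertex_service_agents(project_number).items():
        status = "has" if result[name] else "MISSING"
        print(f"{name:17s} {email}: {status} {INVOKER_ROLE}")
        if not result[name]:
            print("  fix: " + grant_command(project_id, email))


if __name__ == "__main__":
    main()
```

Run against the live policy to see exactly which identity is missing the role; if the Reasoning Engine agent line shows MISSING while the error in the first post persists, that is the binding to add. The audit only looks at project-level bindings, so if a grant was made on the integration resource itself it will not appear here.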