This page walks an IT administrator through a complete Vertex AI deployment: enabling Claude in your Google Cloud project, choosing the authentication path that fits your organization, preparing devices, and pushing the managed configuration. If you only need the list of configuration keys, skip to Configure the app.Documentation Index
Fetch the complete documentation index at: https://claude.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Choose an authentication approach
Vertex AI authenticates with Google Cloud Application Default Credentials, which can be supplied several ways. The right one depends on whether your users have Google identities and whether you need per-user attribution in Cloud Audit Logs.| Scenario | Use | Per-device prerequisite | Per-user Cloud Audit Logs identity | Notes |
|---|---|---|---|---|
| Proof of concept, single team | Service-account key (inferenceVertexCredentialsFile) | The key file on each device | No (shared service account) | A long-lived secret distributed to every device. Simplest to start; not recommended for broad rollout. |
| Users have Google Workspace or Cloud Identity accounts | In-app Google sign-in (inferenceVertexOAuth*) | None | Yes | Users sign in with their Google account inside the app. See the session-control warning below. |
| You already operate an LLM proxy | Gateway provider instead of Vertex | None | At your gateway | The proxy holds the Google Cloud credentials; the app authenticates only to the proxy. |
inferenceCredentialHelper is not invoked when inferenceProvider is vertex, because Vertex authentication is file-based rather than token-based. Use one of the options above.
Set up Google Cloud
These steps are performed once per Google Cloud project, regardless of which authentication approach you chose. You need a project with Owner or Editor access.Enable the Vertex AI API
In the Google Cloud console, enable the Vertex AI API for your project.
Enable Claude models in Model Garden
In the Vertex AI Model Garden, locate the Claude models you intend to deploy and click Enable on each. Model availability varies by region; enable them in the region you will set as
inferenceVertexRegion.Grant users access to Vertex AI
Each authenticated principal needs permission to call the model. On the project’s IAM page, grant the Vertex AI User role (
roles/aiplatform.user) to:- the service account, if using a service-account key file
- the Google group containing your users, if using in-app Google sign-in
aiplatform.endpoints.predict.Create an OAuth client (in-app Google sign-in only)
If you chose in-app Google sign-in, create a Desktop-app OAuth client in your project. See Sign in with Google for Vertex AI for the full procedure, including consent-screen setup.
Federate to your IdP (optional)
If your users authenticate with Microsoft Entra ID, Okta, or another SAML identity provider and do not already have Google accounts, provision a free Cloud Identity tenant and configure SAML single sign-on to your IdP. Users then sign in through the in-app Google sign-in approach with a Google identity that is backed by your IdP. No Google Workspace licenses are required. See Set up SSO with a third-party IdP in the Cloud Identity documentation.
Prepare devices
What each end-user device needs depends on the authentication approach you chose.Credentials file
Create a service account in your project, grant it the Vertex AI User role, and download its JSON key. Distribute the key file to a fixed path on each device through your device-management tooling and setinferenceVertexCredentialsFile to that path.
inferenceVertexCredentialsFile accepts any Application Default Credentials JSON format, so if your environment already produces an authorized_user file (from gcloud auth application-default login) or an external_account Workforce Identity Federation configuration, you can point at that file instead. For external_account files, the credential_source must be of type file or url (executable sources are not supported), and separate tooling on the device must obtain the IdP token and write it to the configured location; Cowork does not perform that step.
In-app Google sign-in
No per-device preparation is required. Distribute the OAuth client ID and secret in the managed configuration; the app shows a Sign in with Google page on first launch and stores the user’s refresh token encrypted with the operating system’s secure storage. See Sign in with Google for Vertex AI for the full flow.Configure the app
With Google Cloud set up and devices prepared, add the Vertex keys to your managed configuration. The easiest path is to enter these values in the in-app configuration window (Developer → Configure third-party inference) on an evaluation device and export; see Installation and setup. The examples below show the raw profile formats.- macOS (.mobileconfig)
- Windows (.reg / Group Policy)
- Windows (Intune)
A
.mobileconfig profile delivered by Jamf, Kandji, or any Apple MDM writes these keys to /Library/Managed Preferences/com.anthropic.claudefordesktop.plist.inferenceVertexOAuth* keys with inferenceVertexCredentialsFile pointing at the absolute path of the credentials JSON file.
Configuration keys
The full set of Vertex keys is below. SetinferenceProvider to vertex, supply a project and region, and provide exactly one credential source.
| Setting | Required | Description |
|---|---|---|
GCP project IDinferenceVertexProjectId | Yes | Google Cloud project ID. |
GCP regioninferenceVertexRegion | Yes | Google Cloud region for the Vertex AI endpoint, for example us-east5 or europe-west4. global is also accepted where the model supports it. |
GCP credentials file pathinferenceVertexCredentialsFile | One credential source | Absolute path to a service-account key, authorized_user, or external_account (Workforce Identity Federation) JSON file. No ~ or environment-variable expansion. If set, in-app Google sign-in is disabled. |
Vertex OAuth client IDinferenceVertexOAuthClientId | One credential source (with secret) | Client ID of a Desktop-app OAuth client in your Google Cloud project. Enables in-app Google sign-in. |
Vertex OAuth client secretinferenceVertexOAuthClientSecret | With OAuth client ID | Client secret paired with the client ID above. Not treated as confidential for installed apps. |
Vertex OAuth scopesinferenceVertexOAuthScopes | No | Space-separated OAuth scopes for Google sign-in. Defaults to openid email https://www.googleapis.com/auth/cloud-platform. |
Vertex AI base URLinferenceVertexBaseUrl | No | Override the public regional endpoint, for example with a Private Service Connect address. Must be https://. |
inferenceVertexCredentialsFile nor the OAuth client keys are set, the Google client library falls back to the standard Application Default Credentials search path on the device (~/.config/gcloud/application_default_credentials.json, then the environment’s metadata server).
You must also set inferenceModels to a list of Vertex publisher model IDs, for example claude-sonnet-4@20250514. See the Configuration reference.
What users experience
The first-launch and re-authentication behavior depends on the authentication approach.| Approach | First launch | Re-authentication |
|---|---|---|
| Credentials file (service-account key) | Cowork opens directly; no user action. | Never, until you rotate the key file. |
| In-app Google sign-in | The Cowork tab shows a Sign in with Google page. Clicking it opens Google’s consent flow in the default browser. After approval, the app relaunches into Cowork. | When the refresh token is revoked, when you deploy a new OAuth client ID, or when your Google Cloud session-control policy expires it. |