Configure bring your own key (BYOK) for Google CDE

To use a bring your own key (BYOK) license for the Google Custom Document Extractor (CDE) processor, follow these configuration steps.

Prerequisites

  1. Ensure that you have assigned the Document AI Viewer or Document AI Editor role and have created a service account on your Google Cloud Platform. See Create service accounts and IAM roles for Document AI.
  2. Ensure that you have created a service account key for your Google project and downloaded the .json file from your Google Cloud Platform. See Create a service account key.
  3. Log in as the AAE_Locker_Admin user type.

Procedure

  1. Create a custom role for the Credential Vault locker.
    1. Provide a name for the role, such as google-cde-credential-role. The Manage my credentials and lockers permission is automatically selected.
    2. Click Create role.

      Assign the role to the Bot creator and Unattended Bot Runner user types.

  2. Create a credential in Credential Vault for the Google service account.
    1. Navigate to Manage > Credentials > Create credential.
    2. Provide a name for the credential, such as google-cde-credential.
    3. Provide a name for the attribute, such as ServiceAccount.
    4. Select the Standard input option.
    5. Copy the contents of the Google Document AI API key or the service account key that you created for your project and downloaded as a .json file, and paste them in the Value field.
      Note: Google refreshes the private key value in the .json file at certain intervals for security reasons. Ensure that you update this value whenever the private key value is refreshed to run your automations without interruptions or errors.
    6. Click Create credential.
  3. Create a locker to store the key.
    1. Navigate to the Lockers tab and click Create locker.
    2. Provide a name for the locker, such as google-cde-locker.
    3. Select the google-cde-credential and click the right arrow to move the credential to the Selected column.
    4. In the Consumers tab, select the google-cde-credential-role and click the right arrow to move the role to the Selected column.
    5. Click Create locker.
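
Before pasting the .json contents into the Value field of the ServiceAccount attribute (step 2), it helps to confirm that the copied text is a complete service account key. The following check is an added example, not part of the original documentation or of either vendor's tooling; the function name check_key_text and the sample values are assumptions, and the field names are those of a standard Google service account key file.

```python
import json

# Fields present in a Google service account key file (JSON key type).
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
PEM_HEAD, PEM_TAIL = "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"


def check_key_text(text):
    """Check the text about to be pasted into the Value field.

    Returns (problems, summary). summary holds only non-secret identifiers,
    so it can be logged; the private key itself is never returned or printed.
    """
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"], {}
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"], {}

    problems = [f"missing or empty field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pem = key.get("private_key")
    if isinstance(pem, str) and pem:
        if "\\n" in pem:  # literal backslash-n: the value was escaped twice
            problems.append("private_key contains literal \\n text")
        elif not (pem.strip().startswith(PEM_HEAD) and pem.strip().endswith(PEM_TAIL)):
            problems.append("private_key is not a complete PEM block")
    email = key.get("client_email")
    # Heuristic: service account addresses end in gserviceaccount.com.
    if isinstance(email, str) and email and not email.endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    summary = {k: key.get(k) for k in ("project_id", "client_email", "private_key_id")}
    return problems, summary


# Constructed sample: placeholder values, not a real key.
SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000constructed0000",
    "private_key": PEM_HEAD + "\nPLACEHOLDER\n" + PEM_TAIL + "\n",
    "client_email": "cde-bot@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    problems, summary = check_key_text(SAMPLE)
    print(summary, problems or "OK")
```

Recording the private_key_id from the summary when the credential is created gives a non-secret value to compare against later, which shows whether the Value field still holds the current key after a refresh.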