Close httplib2 connections.
create(parent, body=None, toolsetId=None, x__xgafv=None)
Creates a new toolset in the given app.
delete(name, etag=None, force=None, x__xgafv=None)
Deletes the specified toolset.
Gets details of the specified toolset.
list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)
Lists toolsets in the given app.
Retrieves the next page of results.
patch(name, body=None, updateMask=None, x__xgafv=None)
Updates the specified toolset.
retrieveTools(toolset, body=None, x__xgafv=None)
Retrieve the list of tools included in the specified toolset.
close()
Close httplib2 connections.
create(parent, body=None, toolsetId=None, x__xgafv=None)
Creates a new toolset in the given app.
Args:
parent: string, Required. The resource name of the app to create a toolset in. (required)
body: object, The request body.
The object takes the form of:
{ # A toolset represents a group of dynamically managed tools that can be used by the agent.
"connectorToolset": { # A toolset that generates tools from an Integration Connectors Connection. # Optional. A toolset that generates tools from an Integration Connectors Connection.
"authConfig": { # End-user authentication configuration used for Connection calls. The field values must be the names of context variables in the format `$context.variables.`. # Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. **Note**: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the Toolset creation will fail. See: https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override
"oauth2AuthCodeConfig": { # Oauth 2.0 Authorization Code authentication configuration. # Oauth 2.0 Authorization Code authentication.
"oauthToken": "A String", # Required. Oauth token parameter name to pass through. Must be in the format `$context.variables.`.
},
"oauth2JwtBearerConfig": { # JWT Profile Oauth 2.0 Authorization Grant authentication configuration. # JWT Profile Oauth 2.0 Authorization Grant authentication.
"clientKey": "A String", # Required. Client parameter name to pass through. Must be in the format `$context.variables.`.
"issuer": "A String", # Required. Issuer parameter name to pass through. Must be in the format `$context.variables.`.
"subject": "A String", # Required. Subject parameter name to pass through. Must be in the format `$context.variables.`.
},
},
"connection": "A String", # Required. The full resource name of the referenced Integration Connectors Connection. Format: `projects/{project}/locations/{location}/connections/{connection}`
"connectorActions": [ # Required. The list of connector actions/entity operations to generate tools for.
{ # Configuration of an Action for the tool to use. Note: This can be either an Action or an Operation. See https://cloud.google.com/integration-connectors/docs/entities-operation-action for details.
"connectionActionId": "A String", # ID of a Connection action for the tool to use.
"entityOperation": { # Entity CRUD operation specification. # Entity operation configuration for the tool to use.
"entityId": "A String", # Required. ID of the entity.
"operation": "A String", # Required. Operation to perform on the entity.
},
"inputFields": [ # Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.
"A String",
],
"outputFields": [ # Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.
"A String",
],
},
],
},
"createTime": "A String", # Output only. Timestamp when the toolset was created.
"description": "A String", # Optional. The description of the toolset.
"displayName": "A String", # Optional. The display name of the toolset. Must be unique within the same app.
"etag": "A String", # ETag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.
"executionType": "A String", # Optional. The execution type of the tools in the toolset.
"mcpToolset": { # A toolset that contains a list of tools that are offered by the MCP server. # Optional. A toolset that contains a list of tools that are offered by the MCP server.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required to access tools and execute a tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"serverAddress": "A String", # Required. The address of the MCP server, for example, "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates that the client should trust.
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
},
"name": "A String", # Identifier. The unique identifier of the toolset. Format: `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}`
"openApiToolset": { # A toolset that contains a list of tools that are defined by an OpenAPI schema. # Optional. A toolset that contains a list of tools that are defined by an OpenAPI schema.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required by the API.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"ignoreUnknownFields": True or False, # Optional. If true, the agent will ignore unknown fields in the API response for all operations defined in the OpenAPI schema.
"openApiSchema": "A String", # Required. The OpenAPI schema of the toolset.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
"url": "A String", # Optional. The server URL of the Open API schema. This field is only set in toolsets in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.
},
"toolFakeConfig": { # Configuration for tool behavior in fake mode. # Optional. Configuration for tools behavior in fake mode.
"codeBlock": { # A code block to be executed instead of a real tool call. # Optional. Code block which will be executed instead of a real tool call.
"pythonCode": "A String", # Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.
},
"enableFakeMode": True or False, # Optional. Whether the tool is using fake mode.
},
"updateTime": "A String", # Output only. Timestamp when the toolset was last updated.
}
toolsetId: string, Optional. The ID to use for the toolset, which will become the final component of the toolset's resource name. If not provided, a unique ID will be automatically assigned for the toolset.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A toolset represents a group of dynamically managed tools that can be used by the agent.
"connectorToolset": { # A toolset that generates tools from an Integration Connectors Connection. # Optional. A toolset that generates tools from an Integration Connectors Connection.
"authConfig": { # End-user authentication configuration used for Connection calls. The field values must be the names of context variables in the format `$context.variables.`. # Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. **Note**: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the Toolset creation will fail. See: https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override
"oauth2AuthCodeConfig": { # Oauth 2.0 Authorization Code authentication configuration. # Oauth 2.0 Authorization Code authentication.
"oauthToken": "A String", # Required. Oauth token parameter name to pass through. Must be in the format `$context.variables.`.
},
"oauth2JwtBearerConfig": { # JWT Profile Oauth 2.0 Authorization Grant authentication configuration. # JWT Profile Oauth 2.0 Authorization Grant authentication.
"clientKey": "A String", # Required. Client parameter name to pass through. Must be in the format `$context.variables.`.
"issuer": "A String", # Required. Issuer parameter name to pass through. Must be in the format `$context.variables.`.
"subject": "A String", # Required. Subject parameter name to pass through. Must be in the format `$context.variables.`.
},
},
"connection": "A String", # Required. The full resource name of the referenced Integration Connectors Connection. Format: `projects/{project}/locations/{location}/connections/{connection}`
"connectorActions": [ # Required. The list of connector actions/entity operations to generate tools for.
{ # Configuration of an Action for the tool to use. Note: This can be either an Action or an Operation. See https://cloud.google.com/integration-connectors/docs/entities-operation-action for details.
"connectionActionId": "A String", # ID of a Connection action for the tool to use.
"entityOperation": { # Entity CRUD operation specification. # Entity operation configuration for the tool to use.
"entityId": "A String", # Required. ID of the entity.
"operation": "A String", # Required. Operation to perform on the entity.
},
"inputFields": [ # Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.
"A String",
],
"outputFields": [ # Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.
"A String",
],
},
],
},
"createTime": "A String", # Output only. Timestamp when the toolset was created.
"description": "A String", # Optional. The description of the toolset.
"displayName": "A String", # Optional. The display name of the toolset. Must be unique within the same app.
"etag": "A String", # ETag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.
"executionType": "A String", # Optional. The execution type of the tools in the toolset.
"mcpToolset": { # A toolset that contains a list of tools that are offered by the MCP server. # Optional. A toolset that contains a list of tools that are offered by the MCP server.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required to access tools and execute a tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"serverAddress": "A String", # Required. The address of the MCP server, for example, "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates that the client should trust.
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
},
"name": "A String", # Identifier. The unique identifier of the toolset. Format: `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}`
"openApiToolset": { # A toolset that contains a list of tools that are defined by an OpenAPI schema. # Optional. A toolset that contains a list of tools that are defined by an OpenAPI schema.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required by the API.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"ignoreUnknownFields": True or False, # Optional. If true, the agent will ignore unknown fields in the API response for all operations defined in the OpenAPI schema.
"openApiSchema": "A String", # Required. The OpenAPI schema of the toolset.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
"url": "A String", # Optional. The server URL of the Open API schema. This field is only set in toolsets in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.
},
"toolFakeConfig": { # Configuration for tool behavior in fake mode. # Optional. Configuration for tools behavior in fake mode.
"codeBlock": { # A code block to be executed instead of a real tool call. # Optional. Code block which will be executed instead of a real tool call.
"pythonCode": "A String", # Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.
},
"enableFakeMode": True or False, # Optional. Whether the tool is using fake mode.
},
"updateTime": "A String", # Output only. Timestamp when the toolset was last updated.
}
delete(name, etag=None, force=None, x__xgafv=None)
Deletes the specified toolset.
Args:
name: string, Required. The resource name of the toolset to delete. (required)
etag: string, Optional. The current etag of the toolset. If an etag is not provided, the deletion will overwrite any concurrent changes. If an etag is provided and does not match the current etag of the toolset, deletion will be blocked and an ABORTED error will be returned.
force: boolean, Optional. Indicates whether to forcefully delete the toolset, even if it is still referenced by app/agents. * If `force = false`, the deletion fails if any agents still reference the toolset. * If `force = true`, all existing references from agents will be removed and the toolset will be deleted.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
}
get(name, x__xgafv=None)
Gets details of the specified toolset.
Args:
name: string, Required. The resource name of the toolset to retrieve. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A toolset represents a group of dynamically managed tools that can be used by the agent.
"connectorToolset": { # A toolset that generates tools from an Integration Connectors Connection. # Optional. A toolset that generates tools from an Integration Connectors Connection.
"authConfig": { # End-user authentication configuration used for Connection calls. The field values must be the names of context variables in the format `$context.variables.`. # Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. **Note**: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the Toolset creation will fail. See: https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override
"oauth2AuthCodeConfig": { # Oauth 2.0 Authorization Code authentication configuration. # Oauth 2.0 Authorization Code authentication.
"oauthToken": "A String", # Required. Oauth token parameter name to pass through. Must be in the format `$context.variables.`.
},
"oauth2JwtBearerConfig": { # JWT Profile Oauth 2.0 Authorization Grant authentication configuration. # JWT Profile Oauth 2.0 Authorization Grant authentication.
"clientKey": "A String", # Required. Client parameter name to pass through. Must be in the format `$context.variables.`.
"issuer": "A String", # Required. Issuer parameter name to pass through. Must be in the format `$context.variables.`.
"subject": "A String", # Required. Subject parameter name to pass through. Must be in the format `$context.variables.`.
},
},
"connection": "A String", # Required. The full resource name of the referenced Integration Connectors Connection. Format: `projects/{project}/locations/{location}/connections/{connection}`
"connectorActions": [ # Required. The list of connector actions/entity operations to generate tools for.
{ # Configuration of an Action for the tool to use. Note: This can be either an Action or an Operation. See https://cloud.google.com/integration-connectors/docs/entities-operation-action for details.
"connectionActionId": "A String", # ID of a Connection action for the tool to use.
"entityOperation": { # Entity CRUD operation specification. # Entity operation configuration for the tool to use.
"entityId": "A String", # Required. ID of the entity.
"operation": "A String", # Required. Operation to perform on the entity.
},
"inputFields": [ # Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.
"A String",
],
"outputFields": [ # Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.
"A String",
],
},
],
},
"createTime": "A String", # Output only. Timestamp when the toolset was created.
"description": "A String", # Optional. The description of the toolset.
"displayName": "A String", # Optional. The display name of the toolset. Must be unique within the same app.
"etag": "A String", # ETag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.
"executionType": "A String", # Optional. The execution type of the tools in the toolset.
"mcpToolset": { # A toolset that contains a list of tools that are offered by the MCP server. # Optional. A toolset that contains a list of tools that are offered by the MCP server.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required to access tools and execute a tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"serverAddress": "A String", # Required. The address of the MCP server, for example, "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates that the client should trust.
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
},
"name": "A String", # Identifier. The unique identifier of the toolset. Format: `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}`
"openApiToolset": { # A toolset that contains a list of tools that are defined by an OpenAPI schema. # Optional. A toolset that contains a list of tools that are defined by an OpenAPI schema.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required by the API.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"ignoreUnknownFields": True or False, # Optional. If true, the agent will ignore unknown fields in the API response for all operations defined in the OpenAPI schema.
"openApiSchema": "A String", # Required. The OpenAPI schema of the toolset.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
"url": "A String", # Optional. The server URL of the Open API schema. This field is only set in toolsets in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.
},
"toolFakeConfig": { # Configuration for tool behavior in fake mode. # Optional. Configuration for tools behavior in fake mode.
"codeBlock": { # A code block to be executed instead of a real tool call. # Optional. Code block which will be executed instead of a real tool call.
"pythonCode": "A String", # Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.
},
"enableFakeMode": True or False, # Optional. Whether the tool is using fake mode.
},
"updateTime": "A String", # Output only. Timestamp when the toolset was last updated.
}
list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)
Lists toolsets in the given app.
Args:
parent: string, Required. The resource name of the app to list toolsets from. (required)
filter: string, Optional. Filter to be applied when listing the toolsets. See https://google.aip.dev/160 for more details.
orderBy: string, Optional. Field to sort by. Only "name" and "create_time" is supported. See https://google.aip.dev/132#ordering for more details.
pageSize: integer, Optional. Requested page size. Server may return fewer items than requested. If unspecified, server will pick an appropriate default.
pageToken: string, Optional. The next_page_token value returned from a previous list AgentService.ListToolsets call.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for AgentService.ListToolsets.
"nextPageToken": "A String", # A token that can be sent as ListToolsetsRequest.page_token to retrieve the next page. Absence of this field indicates there are no subsequent pages.
"toolsets": [ # The list of toolsets.
{ # A toolset represents a group of dynamically managed tools that can be used by the agent.
"connectorToolset": { # A toolset that generates tools from an Integration Connectors Connection. # Optional. A toolset that generates tools from an Integration Connectors Connection.
"authConfig": { # End-user authentication configuration used for Connection calls. The field values must be the names of context variables in the format `$context.variables.`. # Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. **Note**: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the Toolset creation will fail. See: https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override
"oauth2AuthCodeConfig": { # Oauth 2.0 Authorization Code authentication configuration. # Oauth 2.0 Authorization Code authentication.
"oauthToken": "A String", # Required. Oauth token parameter name to pass through. Must be in the format `$context.variables.`.
},
"oauth2JwtBearerConfig": { # JWT Profile Oauth 2.0 Authorization Grant authentication configuration. # JWT Profile Oauth 2.0 Authorization Grant authentication.
"clientKey": "A String", # Required. Client parameter name to pass through. Must be in the format `$context.variables.`.
"issuer": "A String", # Required. Issuer parameter name to pass through. Must be in the format `$context.variables.`.
"subject": "A String", # Required. Subject parameter name to pass through. Must be in the format `$context.variables.`.
},
},
"connection": "A String", # Required. The full resource name of the referenced Integration Connectors Connection. Format: `projects/{project}/locations/{location}/connections/{connection}`
"connectorActions": [ # Required. The list of connector actions/entity operations to generate tools for.
{ # Configuration of an Action for the tool to use. Note: This can be either an Action or an Operation. See https://cloud.google.com/integration-connectors/docs/entities-operation-action for details.
"connectionActionId": "A String", # ID of a Connection action for the tool to use.
"entityOperation": { # Entity CRUD operation specification. # Entity operation configuration for the tool to use.
"entityId": "A String", # Required. ID of the entity.
"operation": "A String", # Required. Operation to perform on the entity.
},
"inputFields": [ # Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.
"A String",
],
"outputFields": [ # Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.
"A String",
],
},
],
},
"createTime": "A String", # Output only. Timestamp when the toolset was created.
"description": "A String", # Optional. The description of the toolset.
"displayName": "A String", # Optional. The display name of the toolset. Must be unique within the same app.
"etag": "A String", # ETag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.
"executionType": "A String", # Optional. The execution type of the tools in the toolset.
"mcpToolset": { # A toolset that contains a list of tools that are offered by the MCP server. # Optional. A toolset that contains a list of tools that are offered by the MCP server.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required to access tools and execute a tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"serverAddress": "A String", # Required. The address of the MCP server, for example, "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates that the client should trust.
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
},
"name": "A String", # Identifier. The unique identifier of the toolset. Format: `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}`
"openApiToolset": { # A toolset that contains a list of tools that are defined by an OpenAPI schema. # Optional. A toolset that contains a list of tools that are defined by an OpenAPI schema.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required by the API.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"ignoreUnknownFields": True or False, # Optional. If true, the agent will ignore unknown fields in the API response for all operations defined in the OpenAPI schema.
"openApiSchema": "A String", # Required. The OpenAPI schema of the toolset.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
"url": "A String", # Optional. The server URL of the Open API schema. This field is only set in toolsets in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.
},
"toolFakeConfig": { # Configuration for tool behavior in fake mode. # Optional. Configuration for tools behavior in fake mode.
"codeBlock": { # A code block to be executed instead of a real tool call. # Optional. Code block which will be executed instead of a real tool call.
"pythonCode": "A String", # Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.
},
"enableFakeMode": True or False, # Optional. Whether the tool is using fake mode.
},
"updateTime": "A String", # Output only. Timestamp when the toolset was last updated.
},
],
}
list_next()
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
patch(name, body=None, updateMask=None, x__xgafv=None)
Updates the specified toolset.
Args:
name: string, Identifier. The unique identifier of the toolset. Format: `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}` (required)
body: object, The request body.
The object takes the form of:
{ # A toolset represents a group of dynamically managed tools that can be used by the agent.
"connectorToolset": { # A toolset that generates tools from an Integration Connectors Connection. # Optional. A toolset that generates tools from an Integration Connectors Connection.
"authConfig": { # End-user authentication configuration used for Connection calls. The field values must be the names of context variables in the format `$context.variables.`. # Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. **Note**: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the Toolset creation will fail. See: https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override
"oauth2AuthCodeConfig": { # Oauth 2.0 Authorization Code authentication configuration. # Oauth 2.0 Authorization Code authentication.
"oauthToken": "A String", # Required. Oauth token parameter name to pass through. Must be in the format `$context.variables.`.
},
"oauth2JwtBearerConfig": { # JWT Profile Oauth 2.0 Authorization Grant authentication configuration. # JWT Profile Oauth 2.0 Authorization Grant authentication.
"clientKey": "A String", # Required. Client parameter name to pass through. Must be in the format `$context.variables.`.
"issuer": "A String", # Required. Issuer parameter name to pass through. Must be in the format `$context.variables.`.
"subject": "A String", # Required. Subject parameter name to pass through. Must be in the format `$context.variables.`.
},
},
"connection": "A String", # Required. The full resource name of the referenced Integration Connectors Connection. Format: `projects/{project}/locations/{location}/connections/{connection}`
"connectorActions": [ # Required. The list of connector actions/entity operations to generate tools for.
{ # Configuration of an Action for the tool to use. Note: This can be either an Action or an Operation. See https://cloud.google.com/integration-connectors/docs/entities-operation-action for details.
"connectionActionId": "A String", # ID of a Connection action for the tool to use.
"entityOperation": { # Entity CRUD operation specification. # Entity operation configuration for the tool to use.
"entityId": "A String", # Required. ID of the entity.
"operation": "A String", # Required. Operation to perform on the entity.
},
"inputFields": [ # Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.
"A String",
],
"outputFields": [ # Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.
"A String",
],
},
],
},
"createTime": "A String", # Output only. Timestamp when the toolset was created.
"description": "A String", # Optional. The description of the toolset.
"displayName": "A String", # Optional. The display name of the toolset. Must be unique within the same app.
"etag": "A String", # ETag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.
"executionType": "A String", # Optional. The execution type of the tools in the toolset.
"mcpToolset": { # A toolset that contains a list of tools that are offered by the MCP server. # Optional. A toolset that contains a list of tools that are offered by the MCP server.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required to access tools and execute a tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"serverAddress": "A String", # Required. The address of the MCP server, for example, "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates that the client should trust.
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
},
"name": "A String", # Identifier. The unique identifier of the toolset. Format: `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}`
"openApiToolset": { # A toolset that contains a list of tools that are defined by an OpenAPI schema. # Optional. A toolset that contains a list of tools that are defined by an OpenAPI schema.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required by the API.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"ignoreUnknownFields": True or False, # Optional. If true, the agent will ignore unknown fields in the API response for all operations defined in the OpenAPI schema.
"openApiSchema": "A String", # Required. The OpenAPI schema of the toolset.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
"url": "A String", # Optional. The server URL of the Open API schema. This field is only set in toolsets in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.
},
"toolFakeConfig": { # Configuration for tool behavior in fake mode. # Optional. Configuration for tools behavior in fake mode.
"codeBlock": { # A code block to be executed instead of a real tool call. # Optional. Code block which will be executed instead of a real tool call.
"pythonCode": "A String", # Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.
},
"enableFakeMode": True or False, # Optional. Whether the tool is using fake mode.
},
"updateTime": "A String", # Output only. Timestamp when the toolset was last updated.
}
updateMask: string, Optional. Field mask is used to control which fields get updated. If the mask is not present, all fields will be updated.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A toolset represents a group of dynamically managed tools that can be used by the agent.
"connectorToolset": { # A toolset that generates tools from an Integration Connectors Connection. # Optional. A toolset that generates tools from an Integration Connectors Connection.
"authConfig": { # End-user authentication configuration used for Connection calls. The field values must be the names of context variables in the format `$context.variables.`. # Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. **Note**: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the Toolset creation will fail. See: https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override
"oauth2AuthCodeConfig": { # Oauth 2.0 Authorization Code authentication configuration. # Oauth 2.0 Authorization Code authentication.
"oauthToken": "A String", # Required. Oauth token parameter name to pass through. Must be in the format `$context.variables.`.
},
"oauth2JwtBearerConfig": { # JWT Profile Oauth 2.0 Authorization Grant authentication configuration. # JWT Profile Oauth 2.0 Authorization Grant authentication.
"clientKey": "A String", # Required. Client parameter name to pass through. Must be in the format `$context.variables.`.
"issuer": "A String", # Required. Issuer parameter name to pass through. Must be in the format `$context.variables.`.
"subject": "A String", # Required. Subject parameter name to pass through. Must be in the format `$context.variables.`.
},
},
"connection": "A String", # Required. The full resource name of the referenced Integration Connectors Connection. Format: `projects/{project}/locations/{location}/connections/{connection}`
"connectorActions": [ # Required. The list of connector actions/entity operations to generate tools for.
{ # Configuration of an Action for the tool to use. Note: This can be either an Action or an Operation. See https://cloud.google.com/integration-connectors/docs/entities-operation-action for details.
"connectionActionId": "A String", # ID of a Connection action for the tool to use.
"entityOperation": { # Entity CRUD operation specification. # Entity operation configuration for the tool to use.
"entityId": "A String", # Required. ID of the entity.
"operation": "A String", # Required. Operation to perform on the entity.
},
"inputFields": [ # Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.
"A String",
],
"outputFields": [ # Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.
"A String",
],
},
],
},
"createTime": "A String", # Output only. Timestamp when the toolset was created.
"description": "A String", # Optional. The description of the toolset.
"displayName": "A String", # Optional. The display name of the toolset. Must be unique within the same app.
"etag": "A String", # ETag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.
"executionType": "A String", # Optional. The execution type of the tools in the toolset.
"mcpToolset": { # A toolset that contains a list of tools that are offered by the MCP server. # Optional. A toolset that contains a list of tools that are offered by the MCP server.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required to access tools and execute a tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"serverAddress": "A String", # Required. The address of the MCP server, for example, "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates that the client should trust.
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
},
"name": "A String", # Identifier. The unique identifier of the toolset. Format: `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}`
"openApiToolset": { # A toolset that contains a list of tools that are defined by an OpenAPI schema. # Optional. A toolset that contains a list of tools that are defined by an OpenAPI schema.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required by the API.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"ignoreUnknownFields": True or False, # Optional. If true, the agent will ignore unknown fields in the API response for all operations defined in the OpenAPI schema.
"openApiSchema": "A String", # Required. The OpenAPI schema of the toolset.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
"url": "A String", # Optional. The server URL of the Open API schema. This field is only set in toolsets in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.
},
"toolFakeConfig": { # Configuration for tool behavior in fake mode. # Optional. Configuration for tools behavior in fake mode.
"codeBlock": { # A code block to be executed instead of a real tool call. # Optional. Code block which will be executed instead of a real tool call.
"pythonCode": "A String", # Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.
},
"enableFakeMode": True or False, # Optional. Whether the tool is using fake mode.
},
"updateTime": "A String", # Output only. Timestamp when the toolset was last updated.
}
retrieveTools(toolset, body=None, x__xgafv=None)
Retrieve the list of tools included in the specified toolset.
Args:
toolset: string, Required. The name of the toolset to retrieve the tools for. Format: `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}` (required)
body: object, The request body.
The object takes the form of:
{ # Request message for ToolService.RetrieveTools.
"toolIds": [ # Optional. The identifiers of the tools to retrieve from the toolset. If empty, all tools in the toolset will be returned.
"A String",
],
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for ToolService.RetrieveTools.
"tools": [ # Required. The list of tools that are included in the specified toolset.
{ # A tool represents an action that the CES agent can take to achieve certain goals.
"clientFunction": { # Represents a client-side function that the agent can invoke. When the tool is chosen by the agent, control is handed off to the client. The client is responsible for executing the function and returning the result as a ToolResponse to continue the interaction with the agent. # Optional. The client function.
"description": "A String", # Optional. The function description.
"name": "A String", # Required. The function name.
"parameters": { # Represents a select subset of an OpenAPI 3.0 schema object. # Optional. The schema of the function parameters.
"additionalProperties": # Object with schema name: Schema # Optional. Can either be a boolean or an object, controls the presence of additional properties.
"anyOf": [ # Optional. The value should be validated against any (one or more) of the subschemas in the list.
# Object with schema name: Schema
],
"default": "", # Optional. Default value of the data.
"defs": { # Optional. A map of definitions for use by `ref`. Only allowed at the root of the schema.
"a_key": # Object with schema name: Schema
},
"description": "A String", # Optional. The description of the data.
"enum": [ # Optional. Possible values of the element of primitive type with enum format. Examples: 1. We can define direction as : {type:STRING, format:enum, enum:["EAST", NORTH", "SOUTH", "WEST"]} 2. We can define apartment number as : {type:INTEGER, format:enum, enum:["101", "201", "301"]}
"A String",
],
"items": # Object with schema name: Schema # Optional. Schema of the elements of Type.ARRAY.
"maxItems": "A String", # Optional. Maximum number of the elements for Type.ARRAY.
"maximum": 3.14, # Optional. Maximum value for Type.INTEGER and Type.NUMBER.
"minItems": "A String", # Optional. Minimum number of the elements for Type.ARRAY.
"minimum": 3.14, # Optional. Minimum value for Type.INTEGER and Type.NUMBER.
"nullable": True or False, # Optional. Indicates if the value may be null.
"prefixItems": [ # Optional. Schemas of initial elements of Type.ARRAY.
# Object with schema name: Schema
],
"properties": { # Optional. Properties of Type.OBJECT.
"a_key": # Object with schema name: Schema
},
"ref": "A String", # Optional. Allows indirect references between schema nodes. The value should be a valid reference to a child of the root `defs`. For example, the following schema defines a reference to a schema node named "Pet": type: object properties: pet: ref: #/defs/Pet defs: Pet: type: object properties: name: type: string The value of the "pet" property is a reference to the schema node named "Pet". See details in https://json-schema.org/understanding-json-schema/structuring.
"required": [ # Optional. Required properties of Type.OBJECT.
"A String",
],
"title": "A String", # Optional. The title of the schema.
"type": "A String", # Required. The type of the data.
"uniqueItems": True or False, # Optional. Indicate the items in the array must be unique. Only applies to TYPE.ARRAY.
},
"response": { # Represents a select subset of an OpenAPI 3.0 schema object. # Optional. The schema of the function response.
"additionalProperties": # Object with schema name: Schema # Optional. Can either be a boolean or an object, controls the presence of additional properties.
"anyOf": [ # Optional. The value should be validated against any (one or more) of the subschemas in the list.
# Object with schema name: Schema
],
"default": "", # Optional. Default value of the data.
"defs": { # Optional. A map of definitions for use by `ref`. Only allowed at the root of the schema.
"a_key": # Object with schema name: Schema
},
"description": "A String", # Optional. The description of the data.
"enum": [ # Optional. Possible values of the element of primitive type with enum format. Examples: 1. We can define direction as : {type:STRING, format:enum, enum:["EAST", NORTH", "SOUTH", "WEST"]} 2. We can define apartment number as : {type:INTEGER, format:enum, enum:["101", "201", "301"]}
"A String",
],
"items": # Object with schema name: Schema # Optional. Schema of the elements of Type.ARRAY.
"maxItems": "A String", # Optional. Maximum number of the elements for Type.ARRAY.
"maximum": 3.14, # Optional. Maximum value for Type.INTEGER and Type.NUMBER.
"minItems": "A String", # Optional. Minimum number of the elements for Type.ARRAY.
"minimum": 3.14, # Optional. Minimum value for Type.INTEGER and Type.NUMBER.
"nullable": True or False, # Optional. Indicates if the value may be null.
"prefixItems": [ # Optional. Schemas of initial elements of Type.ARRAY.
# Object with schema name: Schema
],
"properties": { # Optional. Properties of Type.OBJECT.
"a_key": # Object with schema name: Schema
},
"ref": "A String", # Optional. Allows indirect references between schema nodes. The value should be a valid reference to a child of the root `defs`. For example, the following schema defines a reference to a schema node named "Pet": type: object properties: pet: ref: #/defs/Pet defs: Pet: type: object properties: name: type: string The value of the "pet" property is a reference to the schema node named "Pet". See details in https://json-schema.org/understanding-json-schema/structuring.
"required": [ # Optional. Required properties of Type.OBJECT.
"A String",
],
"title": "A String", # Optional. The title of the schema.
"type": "A String", # Required. The type of the data.
"uniqueItems": True or False, # Optional. Indicate the items in the array must be unique. Only applies to TYPE.ARRAY.
},
},
"connectorTool": { # A ConnectorTool allows connections to different integrations. See: https://cloud.google.com/integration-connectors/docs/overview. # Optional. The Integration Connector tool.
"action": { # Configuration of an Action for the tool to use. Note: This can be either an Action or an Operation. See https://cloud.google.com/integration-connectors/docs/entities-operation-action for details. # Required. Action for the tool to use.
"connectionActionId": "A String", # ID of a Connection action for the tool to use.
"entityOperation": { # Entity CRUD operation specification. # Entity operation configuration for the tool to use.
"entityId": "A String", # Required. ID of the entity.
"operation": "A String", # Required. Operation to perform on the entity.
},
"inputFields": [ # Optional. Entity fields to use as inputs for the operation. If no fields are specified, all fields of the Entity will be used.
"A String",
],
"outputFields": [ # Optional. Entity fields to return from the operation. If no fields are specified, all fields of the Entity will be returned.
"A String",
],
},
"authConfig": { # End-user authentication configuration used for Connection calls. The field values must be the names of context variables in the format `$context.variables.`. # Optional. Configures how authentication is handled in Integration Connectors. By default, an admin authentication is passed in the Integration Connectors API requests. You can override it with a different end-user authentication config. **Note**: The Connection must have authentication override enabled in order to specify an EUC configuration here - otherwise, the ConnectorTool creation will fail. See https://cloud.google.com/application-integration/docs/configure-connectors-task#configure-authentication-override for details.
"oauth2AuthCodeConfig": { # Oauth 2.0 Authorization Code authentication configuration. # Oauth 2.0 Authorization Code authentication.
"oauthToken": "A String", # Required. Oauth token parameter name to pass through. Must be in the format `$context.variables.`.
},
"oauth2JwtBearerConfig": { # JWT Profile Oauth 2.0 Authorization Grant authentication configuration. # JWT Profile Oauth 2.0 Authorization Grant authentication.
"clientKey": "A String", # Required. Client parameter name to pass through. Must be in the format `$context.variables.`.
"issuer": "A String", # Required. Issuer parameter name to pass through. Must be in the format `$context.variables.`.
"subject": "A String", # Required. Subject parameter name to pass through. Must be in the format `$context.variables.`.
},
},
"connection": "A String", # Required. The full resource name of the referenced Integration Connectors Connection. Format: `projects/{project}/locations/{location}/connections/{connection}`
"description": "A String", # Optional. The description of the tool that can be used by the Agent to decide whether to call this ConnectorTool.
"name": "A String", # Optional. The name of the tool that can be used by the Agent to decide whether to call this ConnectorTool.
},
"createTime": "A String", # Output only. Timestamp when the tool was created.
"dataStoreTool": { # Tool to retrieve from Vertex AI Search datastore or engine for grounding. Accepts either a datastore or an engine, but not both. See Vertex AI Search: https://cloud.google.com/generative-ai-app-builder/docs/enterprise-search-introduction. # Optional. The data store tool.
"boostSpecs": [ # Optional. Boost specification to boost certain documents.
{ # Boost specifications to boost certain documents. For more information, please refer to https://cloud.google.com/generative-ai-app-builder/docs/boosting.
"dataStores": [ # Required. The Data Store where the boosting configuration is applied. Full resource name of DataStore, such as projects/{project}/locations/{location}/collections/{collection}/dataStores/{dataStore}.
"A String",
],
"spec": [ # Required. A list of boosting specifications.
{ # Boost specification to boost certain documents.
"conditionBoostSpecs": [ # Required. A list of boosting specifications.
{ # Boost specification for a condition.
"boost": 3.14, # Optional. Strength of the boost, which should be in [-1, 1]. Negative boost means demotion. Default is 0.0. Setting to 1.0 gives the suggestions a big promotion. However, it does not necessarily mean that the top result will be a boosted suggestion. Setting to -1.0 gives the suggestions a big demotion. However, other suggestions that are relevant might still be shown. Setting to 0.0 means no boost applied. The boosting condition is ignored.
"boostControlSpec": { # Specification for custom ranking based on customer specified attribute value. It provides more controls for customized ranking than the simple (condition, boost) combination above. # Optional. Complex specification for custom ranking based on customer defined attribute value.
"attributeType": "A String", # Optional. The attribute type to be used to determine the boost amount. The attribute value can be derived from the field value of the specified field_name. In the case of numerical it is straightforward i.e. attribute_value = numerical_field_value. In the case of freshness however, attribute_value = (time.now() - datetime_field_value).
"controlPoints": [ # Optional. The control points used to define the curve. The monotonic function (defined through the interpolation_type above) passes through the control points listed here.
{ # The control points used to define the curve. The curve defined through these control points can only be monotonically increasing or decreasing(constant values are acceptable).
"attributeValue": "A String", # Optional. Can be one of: 1. The numerical field value. 2. The duration spec for freshness: The value must be formatted as an XSD `dayTimeDuration` value (a restricted subset of an ISO 8601 duration value). The pattern for this is: `nDnM]`.
"boostAmount": 3.14, # Optional. The value between -1 to 1 by which to boost the score if the attribute_value evaluates to the value specified above.
},
],
"fieldName": "A String", # Optional. The name of the field whose value will be used to determine the boost amount.
"interpolationType": "A String", # Optional. The interpolation type to be applied to connect the control points listed below.
},
"condition": "A String", # Required. An expression which specifies a boost condition. The syntax is the same as filter expression syntax. Currently, the only supported condition is a list of BCP-47 lang codes. Example: To boost suggestions in languages en or fr: (lang_code: ANY("en", "fr"))
},
],
},
],
},
],
"dataStoreSource": { # Configuration for searching within a specific DataStore. # Optional. Search within a single specific DataStore.
"dataStore": { # A DataStore resource in Vertex AI Search. # Optional. The data store.
"connectorConfig": { # The connector config for the data store connection. # Output only. The connector config for the data store connection.
"collection": "A String", # Resource name of the collection the data store belongs to.
"collectionDisplayName": "A String", # Display name of the collection the data store belongs to.
"dataSource": "A String", # The name of the data source. Example: `salesforce`, `jira`, `confluence`, `bigquery`.
},
"createTime": "A String", # Output only. Timestamp when the data store was created.
"displayName": "A String", # Output only. The display name of the data store.
"documentProcessingMode": "A String", # Output only. The document processing mode for the data store connection. Only set for PUBLIC_WEB and UNSTRUCTURED data stores.
"name": "A String", # Required. Full resource name of the DataStore. Format: `projects/{project}/locations/{location}/collections/{collection}/dataStores/{dataStore}`
"type": "A String", # Output only. The type of the data store. This field is readonly and populated by the server.
},
"filter": "A String", # Optional. Filter specification for the DataStore. See: https://cloud.google.com/generative-ai-app-builder/docs/filter-search-metadata
},
"description": "A String", # Optional. The tool description.
"engineSource": { # Configuration for searching within an Engine, potentially targeting specific DataStores. # Optional. Search within an Engine (potentially across multiple DataStores).
"dataStoreSources": [ # Optional. Use to target specific DataStores within the Engine. If empty, the search applies to all DataStores associated with the Engine.
{ # Configuration for searching within a specific DataStore.
"dataStore": { # A DataStore resource in Vertex AI Search. # Optional. The data store.
"connectorConfig": { # The connector config for the data store connection. # Output only. The connector config for the data store connection.
"collection": "A String", # Resource name of the collection the data store belongs to.
"collectionDisplayName": "A String", # Display name of the collection the data store belongs to.
"dataSource": "A String", # The name of the data source. Example: `salesforce`, `jira`, `confluence`, `bigquery`.
},
"createTime": "A String", # Output only. Timestamp when the data store was created.
"displayName": "A String", # Output only. The display name of the data store.
"documentProcessingMode": "A String", # Output only. The document processing mode for the data store connection. Only set for PUBLIC_WEB and UNSTRUCTURED data stores.
"name": "A String", # Required. Full resource name of the DataStore. Format: `projects/{project}/locations/{location}/collections/{collection}/dataStores/{dataStore}`
"type": "A String", # Output only. The type of the data store. This field is readonly and populated by the server.
},
"filter": "A String", # Optional. Filter specification for the DataStore. See: https://cloud.google.com/generative-ai-app-builder/docs/filter-search-metadata
},
],
"engine": "A String", # Required. Full resource name of the Engine. Format: `projects/{project}/locations/{location}/collections/{collection}/engines/{engine}`
"filter": "A String", # Optional. A filter applied to the search across the Engine. Not relevant and not used if 'data_store_sources' is provided. See: https://cloud.google.com/generative-ai-app-builder/docs/filter-search-metadata
},
"filterParameterBehavior": "A String", # Optional. The filter parameter behavior.
"modalityConfigs": [ # Optional. The modality configs for the data store.
{ # If specified, will apply the given configuration for the specified modality.
"groundingConfig": { # Grounding configuration. # Optional. The grounding configuration.
"disabled": True or False, # Optional. Whether grounding is disabled.
"groundingLevel": 3.14, # Optional. The groundedness threshold of the answer based on the retrieved sources. The value has a configurable range of [1, 5]. The level is used to threshold the groundedness of the answer, meaning that all responses with a groundedness score below the threshold will fall back to returning relevant snippets only. For example, a level of 3 means that the groundedness score must be 3 or higher for the response to be returned.
},
"modalityType": "A String", # Required. The modality type.
"rewriterConfig": { # Rewriter configuration. # Optional. The rewriter config.
"disabled": True or False, # Optional. Whether the rewriter is disabled.
"modelSettings": { # Model settings contains various configurations for the LLM model. # Required. Configurations for the LLM model.
"model": "A String", # Optional. The LLM model that the agent should use. If not set, the agent will inherit the model from its parent agent.
"temperature": 3.14, # Optional. If set, this temperature will be used for the LLM model. Temperature controls the randomness of the model's responses. Lower temperatures produce responses that are more predictable. Higher temperatures produce responses that are more creative.
},
"prompt": "A String", # Optional. The prompt definition. If not set, default prompt will be used.
},
"summarizationConfig": { # Summarization configuration. # Optional. The summarization config.
"disabled": True or False, # Optional. Whether summarization is disabled.
"modelSettings": { # Model settings contains various configurations for the LLM model. # Optional. Configurations for the LLM model.
"model": "A String", # Optional. The LLM model that the agent should use. If not set, the agent will inherit the model from its parent agent.
"temperature": 3.14, # Optional. If set, this temperature will be used for the LLM model. Temperature controls the randomness of the model's responses. Lower temperatures produce responses that are more predictable. Higher temperatures produce responses that are more creative.
},
"prompt": "A String", # Optional. The prompt definition. If not set, default prompt will be used.
},
},
],
"name": "A String", # Required. The data store tool name.
},
"displayName": "A String", # Output only. The display name of the tool, derived based on the tool's type. For example, display name of a ClientFunction is derived from its `name` property.
"etag": "A String", # Etag used to ensure the object hasn't changed during a read-modify-write operation. If the etag is empty, the update will overwrite any concurrent changes.
"executionType": "A String", # Optional. The execution type of the tool.
"fileSearchTool": { # The file search tool allows the agent to search across the files uploaded by the app/agent developer. It has presets to give relatively good quality search over the uploaded files and summarization of the retrieved results. # Optional. The file search tool.
"corpusType": "A String", # Optional. The type of the corpus. Default is FULLY_MANAGED.
"description": "A String", # Optional. The tool description.
"fileCorpus": "A String", # Optional. The corpus where files are stored. Format: projects/{project}/locations/{location}/ragCorpora/{rag_corpus}
"name": "A String", # Required. The tool name.
},
"generatedSummary": "A String", # Output only. If the tool is generated by the LLM assistant, this field contains a descriptive summary of the generation.
"googleSearchTool": { # Represents a tool to perform Google web searches for grounding. See https://cloud.google.com/customer-engagement-ai/conversational-agents/ps/tool#google-search. # Optional. The google search tool.
"contextUrls": [ # Optional. Content will be fetched directly from these URLs for context and grounding. Example: "https://example.com/path.html". A maximum of 20 URLs are allowed.
"A String",
],
"description": "A String", # Optional. Description of the tool's purpose.
"excludeDomains": [ # Optional. List of domains to be excluded from the search results. Example: "example.com". A maximum of 2000 domains can be excluded.
"A String",
],
"name": "A String", # Required. The name of the tool.
"preferredDomains": [ # Optional. Specifies domains to restrict search results to. Example: "example.com", "another.site". A maximum of 20 domains can be specified.
"A String",
],
"promptConfig": { # Prompt settings used by the model when processing or summarizing the google search results. # Optional. Prompt instructions passed to planner on how the search results should be processed for text and voice.
"textPrompt": "A String", # Optional. Defines the prompt used for the system instructions when interacting with the agent in chat conversations. If not set, default prompt will be used.
"voicePrompt": "A String", # Optional. Defines the prompt used for the system instructions when interacting with the agent in voice conversations. If not set, default prompt will be used.
},
},
"mcpTool": { # An MCP tool. See https://modelcontextprotocol.io/specification/2025-06-18/server/tools for more details. # Optional. The MCP tool. An MCP tool cannot be created or updated directly and is managed by the MCP toolset.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required to execute the tool against the MCP server. For bearer token authentication, the token applies only to tool execution, not to listing tools. This requires that tools can be listed without authentication.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"description": "A String", # Optional. The description of the MCP tool.
"inputSchema": { # Represents a select subset of an OpenAPI 3.0 schema object. # Optional. The schema of the input arguments of the MCP tool.
"additionalProperties": # Object with schema name: Schema # Optional. Can either be a boolean or an object, controls the presence of additional properties.
"anyOf": [ # Optional. The value should be validated against any (one or more) of the subschemas in the list.
# Object with schema name: Schema
],
"default": "", # Optional. Default value of the data.
"defs": { # Optional. A map of definitions for use by `ref`. Only allowed at the root of the schema.
"a_key": # Object with schema name: Schema
},
"description": "A String", # Optional. The description of the data.
"enum": [ # Optional. Possible values of the element of primitive type with enum format. Examples: 1. We can define direction as : {type:STRING, format:enum, enum:["EAST", NORTH", "SOUTH", "WEST"]} 2. We can define apartment number as : {type:INTEGER, format:enum, enum:["101", "201", "301"]}
"A String",
],
"items": # Object with schema name: Schema # Optional. Schema of the elements of Type.ARRAY.
"maxItems": "A String", # Optional. Maximum number of the elements for Type.ARRAY.
"maximum": 3.14, # Optional. Maximum value for Type.INTEGER and Type.NUMBER.
"minItems": "A String", # Optional. Minimum number of the elements for Type.ARRAY.
"minimum": 3.14, # Optional. Minimum value for Type.INTEGER and Type.NUMBER.
"nullable": True or False, # Optional. Indicates if the value may be null.
"prefixItems": [ # Optional. Schemas of initial elements of Type.ARRAY.
# Object with schema name: Schema
],
"properties": { # Optional. Properties of Type.OBJECT.
"a_key": # Object with schema name: Schema
},
"ref": "A String", # Optional. Allows indirect references between schema nodes. The value should be a valid reference to a child of the root `defs`. For example, the following schema defines a reference to a schema node named "Pet": type: object properties: pet: ref: #/defs/Pet defs: Pet: type: object properties: name: type: string The value of the "pet" property is a reference to the schema node named "Pet". See details in https://json-schema.org/understanding-json-schema/structuring.
"required": [ # Optional. Required properties of Type.OBJECT.
"A String",
],
"title": "A String", # Optional. The title of the schema.
"type": "A String", # Required. The type of the data.
"uniqueItems": True or False, # Optional. Indicate the items in the array must be unique. Only applies to TYPE.ARRAY.
},
"name": "A String", # Required. The name of the MCP tool.
"outputSchema": { # Represents a select subset of an OpenAPI 3.0 schema object. # Optional. The schema of the output arguments of the MCP tool.
"additionalProperties": # Object with schema name: Schema # Optional. Can either be a boolean or an object, controls the presence of additional properties.
"anyOf": [ # Optional. The value should be validated against any (one or more) of the subschemas in the list.
# Object with schema name: Schema
],
"default": "", # Optional. Default value of the data.
"defs": { # Optional. A map of definitions for use by `ref`. Only allowed at the root of the schema.
"a_key": # Object with schema name: Schema
},
"description": "A String", # Optional. The description of the data.
"enum": [ # Optional. Possible values of the element of primitive type with enum format. Examples: 1. We can define direction as : {type:STRING, format:enum, enum:["EAST", NORTH", "SOUTH", "WEST"]} 2. We can define apartment number as : {type:INTEGER, format:enum, enum:["101", "201", "301"]}
"A String",
],
"items": # Object with schema name: Schema # Optional. Schema of the elements of Type.ARRAY.
"maxItems": "A String", # Optional. Maximum number of the elements for Type.ARRAY.
"maximum": 3.14, # Optional. Maximum value for Type.INTEGER and Type.NUMBER.
"minItems": "A String", # Optional. Minimum number of the elements for Type.ARRAY.
"minimum": 3.14, # Optional. Minimum value for Type.INTEGER and Type.NUMBER.
"nullable": True or False, # Optional. Indicates if the value may be null.
"prefixItems": [ # Optional. Schemas of initial elements of Type.ARRAY.
# Object with schema name: Schema
],
"properties": { # Optional. Properties of Type.OBJECT.
"a_key": # Object with schema name: Schema
},
"ref": "A String", # Optional. Allows indirect references between schema nodes. The value should be a valid reference to a child of the root `defs`. For example, the following schema defines a reference to a schema node named "Pet": type: object properties: pet: ref: #/defs/Pet defs: Pet: type: object properties: name: type: string The value of the "pet" property is a reference to the schema node named "Pet". See details in https://json-schema.org/understanding-json-schema/structuring.
"required": [ # Optional. Required properties of Type.OBJECT.
"A String",
],
"title": "A String", # Optional. The title of the schema.
"type": "A String", # Required. The type of the data.
"uniqueItems": True or False, # Optional. Indicate the items in the array must be unique. Only applies to TYPE.ARRAY.
},
"serverAddress": "A String", # Required. The server address of the MCP server, e.g., "https://example.com/mcp/". If the server is built with the MCP SDK, the url should be suffixed with "/mcp/". Only Streamable HTTP transport based servers are supported. This is the same as the server_address in the McpToolset. See https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http for more details.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration for VPC-SC, used to resolve service names within a perimeter.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates that the client should trust.
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
},
"name": "A String", # Identifier. The unique identifier of the tool. Format: - `projects/{project}/locations/{location}/apps/{app}/tools/{tool}` for ## standalone tools. `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}/tools/{tool}` for tools retrieved from a toolset. These tools are dynamic and output-only, they cannot be referenced directly where a tool is expected.
"openApiTool": { # A remote API tool defined by an OpenAPI schema. # Optional. The open API tool.
"apiAuthentication": { # Authentication information required for API calls. # Optional. Authentication information required by the API.
"apiKeyConfig": { # Configurations for authentication with API key. # Optional. Config for API key auth.
"apiKeySecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the API key. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"keyName": "A String", # Required. The parameter name or the header name of the API key. E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
"requestLocation": "A String", # Required. Key location in the request.
},
"bearerTokenConfig": { # Configurations for authentication with a bearer token. # Optional. Config for bearer token auth.
"token": "A String", # Required. The bearer token. Must be in the format `$context.variables.`.
},
"oauthConfig": { # Configurations for authentication with OAuth. # Optional. Config for OAuth.
"clientId": "A String", # Required. The client ID from the OAuth provider.
"clientSecretVersion": "A String", # Required. The name of the SecretManager secret version resource storing the client secret. Format: `projects/{project}/secrets/{secret}/versions/{version}` Note: You should grant `roles/secretmanager.secretAccessor` role to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
"oauthGrantType": "A String", # Required. OAuth grant types.
"scopes": [ # Optional. The OAuth scopes to grant.
"A String",
],
"tokenEndpoint": "A String", # Required. The token endpoint in the OAuth provider to exchange for an access token.
},
"serviceAccountAuthConfig": { # Configurations for authentication using a custom service account. # Optional. Config for service account authentication.
"scopes": [ # Optional. The OAuth scopes to grant. If not specified, the default scope `https://www.googleapis.com/auth/cloud-platform` is used.
"A String",
],
"serviceAccount": "A String", # Required. The email address of the service account used for authentication. CES uses this service account to exchange an access token and the access token is then sent in the `Authorization` header of the request. The service account must have the `roles/iam.serviceAccountTokenCreator` role granted to the CES service agent `service-@gcp-sa-ces.iam.gserviceaccount.com`.
},
"serviceAgentIdTokenAuthConfig": { # Configurations for authentication with [ID token](https://cloud.google.com/docs/authentication/token-types#id) generated from service agent. # Optional. Config for ID token auth generated from CES service agent.
},
},
"description": "A String", # Optional. The description of the tool. If not provided, the description of the tool will be derived from the OpenAPI schema, from `operation.description` or `operation.summary`.
"ignoreUnknownFields": True or False, # Optional. If true, the agent will ignore unknown fields in the API response.
"name": "A String", # Optional. The name of the tool. If not provided, the name of the tool will be derived from the OpenAPI schema, from `operation.operationId`.
"openApiSchema": "A String", # Required. The OpenAPI schema in JSON or YAML format.
"serviceDirectoryConfig": { # Configuration for tools using Service Directory. # Optional. Service Directory configuration.
"service": "A String", # Required. The name of [Service Directory](https://cloud.google.com/service-directory) service. Format: `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`. Location of the service directory must be the same as the location of the app.
},
"tlsConfig": { # The TLS configuration. # Optional. The TLS configuration. Includes the custom server certificates that the client will trust.
"caCerts": [ # Required. Specifies a list of allowed custom CA certificates for HTTPS verification.
{ # The CA certificate.
"cert": "A String", # Required. The allowed custom CA certificates (in DER format) for HTTPS verification. This overrides the default SSL trust store. If this is empty or unspecified, CES will use Google's default trust store to verify certificates. N.B. Make sure the HTTPS server certificates are signed with "subject alt name". For instance a certificate can be self-signed using the following command, openssl x509 -req -days 200 -in example.com.csr \ -signkey example.com.key \ -out example.com.crt \ -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
"displayName": "A String", # Required. The name of the allowed custom CA certificates. This can be used to disambiguate the custom CA certificates.
},
],
},
"url": "A String", # Optional. The server URL of the Open API schema. This field is only set in tools in the environment dependencies during the export process if the schema contains a server url. During the import process, if this url is present in the environment dependencies and the schema has the $env_var placeholder, it will replace the placeholder in the schema.
},
"pythonFunction": { # A Python function tool. # Optional. The python function tool.
"description": "A String", # Output only. The description of the Python function, parsed from the python code's docstring.
"name": "A String", # Optional. The name of the Python function to execute. Must match a Python function name defined in the python code. Case sensitive. If the name is not provided, the first function defined in the python code will be used.
"pythonCode": "A String", # Optional. The Python code to execute for the tool.
},
"systemTool": { # Pre-defined system tool. # Optional. The system tool.
"description": "A String", # Output only. The description of the system tool.
"name": "A String", # Required. The name of the system tool.
},
"toolFakeConfig": { # Configuration for tool behavior in fake mode. # Optional. Configuration for tool behavior in fake mode.
"codeBlock": { # A code block to be executed instead of a real tool call. # Optional. Code block which will be executed instead of a real tool call.
"pythonCode": "A String", # Required. Python code which will be invoked in tool fake mode. Expected Python function signature - To catch all tool calls: def fake_tool_call(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: To catch a specific tool call: def fake_{tool_id}(tool: Tool, input: dict[str, Any], callback_context: CallbackContext) -> Optional[dict[str, Any]]: If the function returns None, the real tool will be invoked instead.
},
"enableFakeMode": True or False, # Optional. Whether the tool is using fake mode.
},
"updateTime": "A String", # Output only. Timestamp when the tool was last updated.
"widgetTool": { # Represents a widget tool that the agent can invoke. When the tool is chosen by the agent, agent will return the widget to the client. The client is responsible for processing the widget and generating the next user query to continue the interaction with the agent. # Optional. The widget tool.
"description": "A String", # Optional. The description of the widget tool.
"name": "A String", # Required. The display name of the widget tool.
"parameters": { # Represents a select subset of an OpenAPI 3.0 schema object. # Optional. The input parameters of the widget tool.
"additionalProperties": # Object with schema name: Schema # Optional. Can either be a boolean or an object, controls the presence of additional properties.
"anyOf": [ # Optional. The value should be validated against any (one or more) of the subschemas in the list.
# Object with schema name: Schema
],
"default": "", # Optional. Default value of the data.
"defs": { # Optional. A map of definitions for use by `ref`. Only allowed at the root of the schema.
"a_key": # Object with schema name: Schema
},
"description": "A String", # Optional. The description of the data.
"enum": [ # Optional. Possible values of the element of primitive type with enum format. Examples: 1. We can define direction as : {type:STRING, format:enum, enum:["EAST", NORTH", "SOUTH", "WEST"]} 2. We can define apartment number as : {type:INTEGER, format:enum, enum:["101", "201", "301"]}
"A String",
],
"items": # Object with schema name: Schema # Optional. Schema of the elements of Type.ARRAY.
"maxItems": "A String", # Optional. Maximum number of the elements for Type.ARRAY.
"maximum": 3.14, # Optional. Maximum value for Type.INTEGER and Type.NUMBER.
"minItems": "A String", # Optional. Minimum number of the elements for Type.ARRAY.
"minimum": 3.14, # Optional. Minimum value for Type.INTEGER and Type.NUMBER.
"nullable": True or False, # Optional. Indicates if the value may be null.
"prefixItems": [ # Optional. Schemas of initial elements of Type.ARRAY.
# Object with schema name: Schema
],
"properties": { # Optional. Properties of Type.OBJECT.
"a_key": # Object with schema name: Schema
},
"ref": "A String", # Optional. Allows indirect references between schema nodes. The value should be a valid reference to a child of the root `defs`. For example, the following schema defines a reference to a schema node named "Pet": type: object properties: pet: ref: #/defs/Pet defs: Pet: type: object properties: name: type: string The value of the "pet" property is a reference to the schema node named "Pet". See details in https://json-schema.org/understanding-json-schema/structuring.
"required": [ # Optional. Required properties of Type.OBJECT.
"A String",
],
"title": "A String", # Optional. The title of the schema.
"type": "A String", # Required. The type of the data.
"uniqueItems": True or False, # Optional. Indicate the items in the array must be unique. Only applies to TYPE.ARRAY.
},
"widgetType": "A String", # Optional. The type of the widget tool. If not specified, the default type will be CUSTOMIZED.
},
},
],
}