#google provider
Yes, from OpenClaw’s side that’s supported.
If you want Gemini through Vertex AI, use the google-vertex provider, not google.
If you want Claude on Vertex, there’s also anthropic-vertex/*.
The main difference is auth:
- google → Gemini API key
- google-vertex → gcloud ADC / Vertex credentials
Docs:
If you want, I can also paste a minimal openclaw.json example for Vertex.
will it get my google account banned by using vertex models with openclaw? Wary due to recent ban-spree I saw from antigravity use with openclaw
I can’t promise “zero risk”, but I’d separate these pretty hard:
- google-gemini-cli / google-antigravity are the sketchier bucket
- google-vertex is the more official Google Cloud / Vertex path
What I can verify from the docs is:
- OpenClaw explicitly warns about possible Google account restrictions for Gemini CLI OAuth
- I do not see that same warning on Vertex
- Vertex auth is documented as gcloud ADC, not the unofficial OAuth flow
So if you’re wary because of the antigravity bans, Vertex is the safer choice from an account-risk perspective.
If you want to be extra careful, I’d use:
- a dedicated GCP project
- ideally a service account / non-critical account
- not your main personal Google account if you can avoid it
Docs:
If you want, I can paste the lowest-risk way to wire up google-vertex in OpenClaw.
yes please
Yep, lowest-risk setup would be:
- Use google-vertex, not google-antigravity or google-gemini-cli
- Auth with Vertex ADC
  - preferably a service account
  - or gcloud auth application-default login
- Set these on the gateway host:
  export GOOGLE_CLOUD_PROJECT="your-gcp-project"
  export GOOGLE_CLOUD_LOCATION="global"
  export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json" # if using a service account
- In openclaw.json:
  {
    agents: {
      defaults: {
        model: { primary: "google-vertex/gemini-3-flash-preview" },
      },
    },
  }
Then verify with:
openclaw status
openclaw models status
If you want the cautious version, I’d use a dedicated GCP project + service account so your main personal Google account is not the thing directly tied to runtime traffic.
Relevant docs:
If you want, I can also give you a copy-paste example for service account JSON + systemd/docker envs.
Are there any cons to using Vertex compared to the CLI?
Yeah, mostly these:
Vertex cons vs CLI
- more setup, GCP project, ADC, env vars, sometimes service accounts
- more “cloud admin” overhead, billing/quota live in Google Cloud
- less plug-and-play for casual local use
- project/location misconfig can break requests in annoying ways
CLI pros
- easier if you already use gemini locally
- quick OAuth login, less infra to think about
But, for serious use I’d still lean Vertex, because:
- OpenClaw docs explicitly mark Gemini CLI OAuth as unofficial
- docs also mention some users saw Google account restrictions
- CLI is a separate text-inference surface, while other Google features stay on the normal google provider
So my short version is:
- CLI = easier
- Vertex = safer / more official / better long-term choice
I got the error below (Docker). Please tell me how to fix it:
LLM error: {
"error": {
"code": 401,
"message": "API keys are not supported by this API. Expected OAuth2 access token or other authentication credentials that assert a principal. See https://cloud.google.com/docs/authentication",
"status": "UNAUTHENTICATED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.cloud.aiplatform.v1.PredictionService.StreamGenerateContent",
"service": "aiplatform.googleapis.com"
}
}
]
}
That error usually means you’re calling Vertex with an API key.
google-vertex/* does not use GEMINI_API_KEY / GOOGLE_API_KEY.
Vertex expects ADC / OAuth-style credentials that assert a principal.
Fix
Option A, you want Vertex
Use google-vertex/..., and give the container ADC credentials:
- set GOOGLE_CLOUD_PROJECT
- set GOOGLE_CLOUD_LOCATION
- mount a service-account JSON into the container
- set GOOGLE_APPLICATION_CREDENTIALS to that mounted path
Example Docker env idea:
environment:
  GOOGLE_CLOUD_PROJECT: your-project
  GOOGLE_CLOUD_LOCATION: global
  GOOGLE_APPLICATION_CREDENTIALS: /run/secrets/gcp-sa.json
volumes:
  - ./gcp-service-account.json:/run/secrets/gcp-sa.json:ro
And your model should look like:
{
  agents: {
    defaults: {
      model: { primary: "google-vertex/gemini-3-flash-preview" },
    },
  },
}
Option B, you want to use an API key
Then do not use google-vertex.
Use the normal Google provider instead:
{
  agents: {
    defaults: {
      model: { primary: "google/gemini-3-flash-preview" },
    },
  },
}
with GEMINI_API_KEY or GOOGLE_API_KEY.
Short version
- google-vertex/* → ADC / service account, no API key
- google/* → API key
Docs:
Also, please paste:
openclaw --version
and which model string you set, google/... or google-vertex/...
That’ll confirm which side you’re on.
I already set ADC according to the above method and am not setting an API key. I put it into an environment variable.
Got it, then the next likely issue is:
the env var is set, but the ADC file is not actually visible inside the container.
For google-vertex, OpenClaw needs all of these inside Docker:
- GOOGLE_CLOUD_PROJECT
- GOOGLE_CLOUD_LOCATION
- a real credentials file at GOOGLE_APPLICATION_CREDENTIALS inside the container
  - or the default ADC file at /home/node/.config/gcloud/application_default_credentials.json
Just setting the env var is not enough if the file path points to the host and isn’t mounted.
Please check this inside the container
docker compose exec openclaw-gateway sh -lc '
echo "GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS"
echo "GOOGLE_CLOUD_PROJECT=$GOOGLE_CLOUD_PROJECT"
echo "GOOGLE_CLOUD_LOCATION=$GOOGLE_CLOUD_LOCATION"
ls -l "$GOOGLE_APPLICATION_CREDENTIALS" || true
test -f "$GOOGLE_APPLICATION_CREDENTIALS" && echo "ADC file exists" || echo "ADC file missing"
'
Common fix
Mount the JSON into the container and use the container path:
environment:
  GOOGLE_CLOUD_PROJECT: your-project
  GOOGLE_CLOUD_LOCATION: global
  GOOGLE_APPLICATION_CREDENTIALS: /run/secrets/gcp-sa.json
volumes:
  - /absolute/host/path/gcp-service-account.json:/run/secrets/gcp-sa.json:ro
Or, if you used gcloud auth application-default login on the host, mount the ADC dir:
volumes:
  - /absolute/host/path/.config/gcloud:/home/node/.config/gcloud:ro
environment:
  GOOGLE_CLOUD_PROJECT: your-project
  GOOGLE_CLOUD_LOCATION: global
Also please paste:
openclaw --version
and the output of that Docker check above, then I can tell you exactly which piece is missing.
OpenClaw 2026.4.21
Auth overview
Auth store : ~/.openclaw/agents/main/agent/auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (0): -
- google-vertex effective=env:gcp-vert...dentials | env=gcp-vert...dentials | source=gcloud adc
- minimax effective=source=env: MINIMAX_API_KEY | models.json=$M...EY | source=models.json: ~/.openclaw/agents/main/agent/models.json
- minimax-portal effective=env:source=env: MINIMAX_API_KEY
OAuth/token status
- none
sheepdee@Macau_Disk:/volume3/docker$ sudo docker compose exec openclaw-gateway sh -lc '
echo "GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS"
echo "GOOGLE_CLOUD_PROJECT=$GOOGLE_CLOUD_PROJECT"
echo "GOOGLE_CLOUD_LOCATION=$GOOGLE_CLOUD_LOCATION"
ls -l "$GOOGLE_APPLICATION_CREDENTIALS" || true
CATION_CREDENTIA> test -f "$GOOGLE_APPLICATION_CREDENTIALS" && echo "ADC file exists" || echo "ADC file missing"
'
GOOGLE_APPLICATION_CREDENTIALS=/home/node/.openclaw/sercets/ADC_KEY.json
GOOGLE_CLOUD_PROJECT=project5,
GOOGLE_CLOUD_LOCATION=us-central1,
-rw-r--r-- 1 1026 users 2398 Apr 21 07:10 /home/node/.openclaw/sercets/ADC_KEY.json
ADC file exists