How to set up GenAI x Looker extension under 15 minutes | Vertex AI Action
If you, a Looker developer, have followed through this setup guide to install Vertex AI Action and find yourself stuck at a particular step and are googling for a solution, then you are looking at the right place! In this guide, I’ll list out all important steps (and way more detailed than the README file from Looker) that I wish someone had showed me before I started setting up Vertex AI Actions in Looker.
Introduction on Looker’s Actions
Looker’s Action API enables developers to define custom destinations for sending query results, dashboard results, or user interactions, which can then be used to send data from within Looker. You can read more about Action API and its use cases here.
What does Vertex AI Action do?
At first, you should expect how this feature works with Looker. It’s an action that use Looker Action API to allow Looker to communicate with Vertex AI via Cloud Functions. You’ll be able to generate a report sent to your email from a specific prompt. This uses PaLM API from Vertex AI to process your prompt, which provides you with two generative language models to choose from, including text-bison and code-bison models (the default model is text-bison). An expected use case, for example, is to generate a basic prediction report and have it sent to you as shown in the demo above. And the report would look like this:
Note that since this action use language model, specifically PaLM, it performs best on summarization, question answering, classification, sentiment analysis and entity extraction. You can find detail for the model’s use cases here. For forecasting and prediction purpose, you can use this as a reference and should do further consultation from other data sources.
Prerequisites
To start setting up this action, you want to make sure you have the following APIs enabled and roles assigned to your account:
For APIs:
For roles:
- Secret Manager Admin (refer to step 6 if your team/organization can’t grant you this role)
- Create Service Accounts (refer to step 7 if your team/organization can’t grant you this role)
- Project IAM Admin (refer to step 8 if your team/organization can’t grant you this role)
- Cloud Functions Admin (refer to step 10 if your team/organization can only grant you Cloud Functions Developer role)
- Looker Admin
You also need a SendGrid account and make sure you must have your sender verified (guide) or else it won’t work. You can create a free account if you haven’t had one. Note that for SendGrid free plan, it allows only 100 emails sent per day. Make sure you choose the right plan according to your demand. After that, you need to create a SendGrid API key (guide) and from there you can start the setup process via CloudShell in GCP.
Setup guide
Step 1: Access CloudShell and make sure we are in the correct project that we want to work on:
Step 2: Type in the terminal to set the variables as below. Setting the variables will save us time and effort in the following steps because we don’t have to type all these variables over and over again. You should replace REGION, PROJECT and EMAIL_SENDER with your own:
ACTION_LABEL="Vertex AI"
ACTION_NAME="vertex-ai"
REGION="us-central1"
PROJECT="my-project-id"
EMAIL_SENDER="my-sender-email-address@foo.com"
For example above, I set my REGION to asia-southeast1, PROJECT to joon-sandbox and EMAIL_SENDER to trung.vd@joonsolutions.com.
Step 3: Clone the repository and go to the folder directory:
git clone https://github.com/looker-open-source/vertex-ai-actions
cd vertex-ai-actions/
Step 4: Create an .env.yaml file with the variables declared from step 2 above. This file is the configuration for environment variables to deploy three functions in Cloud Functions for a later step:
printf "ACTION_LABEL: ${ACTION_LABEL}\nACTION_NAME: ${ACTION_NAME}\nREGION: ${REGION}\nPROJECT: ${PROJECT}\nEMAIL_SENDER: ${EMAIL_SENDER}" > .env.yaml
Step 5: Generate the LOOKER_AUTH_TOKEN secret, which can be any randomly generated string. Here we use openssl command. This secret will be used as an authorization configuration between Cloud Functions and Looker’s Action API. We also set the variable for SENDGRID_API_KEY to use for a function later on:
LOOKER_AUTH_TOKEN="`openssl rand -hex 64`"
SENDGRID_API_KEY="copy your sendgrid api key here"
Step 6: Create LOOKER_AUTH_TOKEN and SENDGRID_API_KEY secrets on Secret Manager. These secrets will be accessed for deploying functions on Cloud Functions. If your team/organization can’t grant you Secret Manager Admin role, you can give them these two secrets and ask your admin to create them for you.
printf ${SENDGRID_API_KEY} | gcloud secrets create SENDGRID_API_KEY --data-file=- --replication-policy=user-managed --locations=${REGION} --project=${PROJECT}
printf ${LOOKER_AUTH_TOKEN} | gcloud secrets create LOOKER_AUTH_TOKEN --data-file=- --replication-policy=user-managed --locations=${REGION} --project=${PROJECT}
Step 7: Create a service account and set the variable for it. If your team/organization can’t grant you Create Service Accounts role, you can ask them to provide you with a service account. If so, you just need to set the variable for the service account in this step:
gcloud iam service-accounts create vertex-ai-cloud-function --display-name="Vertex AI Actions Cloud Functions" --project=${PROJECT}
SERVICE_ACCOUNT_EMAIL=vertex-ai-cloud-function@${PROJECT}.iam.gserviceaccount.com
Step 8: Assign necessary roles to the service account and give it access to the secrets. The roles assigned to the service account include Cloud Functions Invoker, Secret Manager Secret Accessor and Vertex AI User. If your team/organization can’t grant you Project IAM Admin role, you can ask them to grant these three roles to the service account. It’s the same for Secret Manager; if you aren’t granted Secret Manager Admin role, you can ask your admin to grant Secret Manager Secret Accessor role to the service account for accessing SENDGRID_API_KEY and LOOKER_AUTH_TOKEN secrets.
eval gcloud projects add-iam-policy-binding ${PROJECT} --member=serviceAccount:${SERVICE_ACCOUNT_EMAIL} --role='roles/cloudfunctions.invoker'
eval gcloud projects add-iam-policy-binding ${PROJECT} --member=serviceAccount:${SERVICE_ACCOUNT_EMAIL} --role='roles/aiplatform.user'
eval gcloud projects add-iam-policy-binding ${PROJECT} --member=serviceAccount:${SERVICE_ACCOUNT_EMAIL} --role='roles/secretmanager.secretAccessor'
eval gcloud secrets add-iam-policy-binding SENDGRID_API_KEY --member=serviceAccount:${SERVICE_ACCOUNT_EMAIL} --role='roles/secretmanager.secretAccessor' --project=${PROJECT}
eval gcloud secrets add-iam-policy-binding LOOKER_AUTH_TOKEN --member=serviceAccount:${SERVICE_ACCOUNT_EMAIL} --role='roles/secretmanager.secretAccessor' --project=${PROJECT}
Step 9: Deploy 3 cloud functions for action_list, action_form and action_execute (this may take several minutes). To know more about what the endpoints do behind these functions, you can refer to this:
gcloud functions deploy vertex-ai-list --entry-point action_list --env-vars-file .env.yaml --trigger-http --runtime=python311 --allow-unauthenticated --timeout=540s --region=${REGION} --project=${PROJECT} --service-account ${SERVICE_ACCOUNT_EMAIL} --set-secrets 'LOOKER_AUTH_TOKEN=LOOKER_AUTH_TOKEN:latest'
gcloud functions deploy vertex-ai-form --entry-point action_form --env-vars-file .env.yaml --trigger-http --runtime=python311 --allow-unauthenticated --timeout=540s --region=${REGION} --project=${PROJECT} --service-account ${SERVICE_ACCOUNT_EMAIL} --set-secrets 'LOOKER_AUTH_TOKEN=LOOKER_AUTH_TOKEN:latest'
gcloud functions deploy vertex-ai-execute --entry-point action_execute --env-vars-file .env.yaml --trigger-http --runtime=python311 --allow-unauthenticated --timeout=540s --region=${REGION} --project=${PROJECT} --service-account ${SERVICE_ACCOUNT_EMAIL} --set-secrets 'LOOKER_AUTH_TOKEN=LOOKER_AUTH_TOKEN:latest,SENDGRID_API_KEY=SENDGRID_API_KEY:latest' --memory=1024MB
Step 10: Grant Cloud Functions Invoker role to allUsers for all three functions created above. If your team/organization can only grant you Cloud Functions Developer role, after deploying the three functions above, you can ask your admin to grant Cloud Functions Invoker role to allUsers. This allows users on Looker can have access :
gcloud functions add-iam-policy-binding vertex-ai-list --region=${REGION} --member=allUsers --role=roles/cloudfunctions.invoker
gcloud functions add-iam-policy-binding vertex-ai-form --region=${REGION} --member=allUsers --role=roles/cloudfunctions.invoker
gcloud functions add-iam-policy-binding vertex-ai-execute --region=${REGION} --member=allUsers --role=roles/cloudfunctions.invoker
Step 11: Copy Action Hub URL and LOOKER_AUTH_TOKEN to use it in next step:
echo Action Hub URL: https://${REGION}-${PROJECT}.cloudfunctions.net/${ACTION_NAME}-list
echo LOOKER_AUTH_TOKEN: $LOOKER_AUTH_TOKEN
Step 12: In Looker, go to Admin > Platform > Actions (I recommend using Chrome browser for this. I tried with Safari and it was glitchy where I can’t enable the action):
- Scroll to the bottom and click on Add Action Hub
- Enter the
Action Hub URLand click Add Action Hub. It might raise an error like the screenshot below
- Click Configure Authorization and enter the
LOOKER_AUTH_TOKENand click Update Token - You will see Vertex AI appears and click Enable. It might be glitchy here which Vertex AI doesn’t appear. You can try to refresh the page or remove the action and add it again
- Toggle on Enabled and click Save. Make sure Test Action passes
And voila! Now you can start writing prompt and get reports delivered to you as shown in the beginning of this blog! You can check your action if it’s successful or not by going to Admin > Alerts & Schedules > Schedule History on Looker. A successful action would look like this:
If you have any questions related to this setup guide or want to know how to fit this into your organization’s use cases, feel free to reach out to us at Joon Solutions and we are happy to help you. Please leave your contact info here and we will get back to you right away! Besides this, we also offer other extensions in the Looker x GenAI package, which are Explore Assistant and Dashboard Summary. You can also read our other blogs on Medium and visit our website to know more about us.
