Stay organized with collections
Save and categorize content based on your preferences.
This page shows how to create a Google Cloud project, enable AML AI,
create
authentication credentials,
and grant your account one or more
IAM roles.
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
Grant roles to your user account. Run the following command once for each of the following
IAM roles:
roles/financialservices.admin, roles/cloudkms.admin, roles/bigquery.admin
Grant roles to your user account. Run the following command once for each of the following
IAM roles:
roles/financialservices.admin, roles/cloudkms.admin, roles/bigquery.admin
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis page details the process of setting up a Google Cloud project for AML AI, which includes enabling the API, creating authentication credentials, and granting necessary IAM roles.\u003c/p\u003e\n"],["\u003cp\u003eContacting a Google representative is required before the API is visible after project creation and to allowlist all AML AI functionality after the Financial Services API is enabled.\u003c/p\u003e\n"],["\u003cp\u003eSpecific permissions, such as creating and managing Cloud KMS resources, BigQuery datasets, and various AML AI components like instances, datasets, engine configurations, models, and backtests, are necessary.\u003c/p\u003e\n"],["\u003cp\u003eThe documentation details how to perform different actions, including creating, getting, updating, setting IAM policies on, or deleting specific elements, such as AML AI resources, Big Query datasets and jobs, or Cloud KMS resources.\u003c/p\u003e\n"]]],[],null,["# Set up a project and permissions\n\nThis page shows how to create a Google Cloud project, enable AML AI,\ncreate\n[authentication credentials](/financial-services/anti-money-laundering/docs/authentication),\nand grant your account one or more\n[IAM roles](/financial-services/anti-money-laundering/docs/access-control#roles).\n| **Important:** After you create your project, the API is not automatically visible. You must contact your Google representative before you can enable the API.\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the required APIs:\n\n\n ```bash\n gcloud services enable financialservices.googleapis.com bigquery.googleapis.com cloudkms.googleapis.com\n ```\n-\n\n If you're using a local shell, then create local authentication credentials for your user\n account:\n\n ```bash\n gcloud auth application-default login\n ```\n\n You don't need to do this if you're using Cloud Shell.\n\n\n If an authentication error is returned, and you are using an external identity provider\n (IdP), confirm that you have\n [signed in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n-\n Grant roles to your user account. Run the following command once for each of the following\n IAM roles:\n `roles/financialservices.admin, roles/cloudkms.admin, roles/bigquery.admin`\n\n ```bash\n gcloud projects add-iam-policy-binding PROJECT_ID --member=\"user:\u003cvar translate=\"no\"\u003eUSER_IDENTIFIER\u003c/var\u003e\" --role=ROLE\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n - \u003cvar translate=\"no\"\u003eUSER_IDENTIFIER\u003c/var\u003e: the identifier for your user account---for example, `myemail@example.com`.\n - \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the IAM role that you grant to your user account.\n\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the required APIs:\n\n\n ```bash\n gcloud services enable financialservices.googleapis.com bigquery.googleapis.com cloudkms.googleapis.com\n ```\n-\n\n If you're using a local shell, then create local authentication credentials for your user\n account:\n\n ```bash\n gcloud auth application-default login\n ```\n\n You don't need to do this if you're using Cloud Shell.\n\n\n If an authentication error is returned, and you are using an external identity provider\n (IdP), confirm that you have\n [signed in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n-\n Grant roles to your user account. Run the following command once for each of the following\n IAM roles:\n `roles/financialservices.admin, roles/cloudkms.admin, roles/bigquery.admin`\n\n ```bash\n gcloud projects add-iam-policy-binding PROJECT_ID --member=\"user:\u003cvar translate=\"no\"\u003eUSER_IDENTIFIER\u003c/var\u003e\" --role=ROLE\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n - \u003cvar translate=\"no\"\u003eUSER_IDENTIFIER\u003c/var\u003e: the identifier for your user account---for example, `myemail@example.com`.\n - \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the IAM role that you grant to your user account.\n\nThese roles fulfill the following required permissions:\n\n#### Required permissions\n\nThe following permissions are required to complete the\n[quickstart](/financial-services/anti-money-laundering/docs/train-models-to-detect-money-laundering)\nand are needed to perform many vital operations in AML AI.\n\n\u003cbr /\u003e\n\n| **Important:** After you enable the Financial Services API, you must contact your Google representative to allowlist all AML AI functionality before proceeding to [Create an AML AI instance](/financial-services/anti-money-laundering/docs/set-up-instance). Make sure to inform the representative of the [location](/financial-services/anti-money-laundering/docs/locations) in which you want to create your API resources."]]
