Configure your project's metadata store

Vertex ML Metadata lets you track and analyze the metadataproduced by your machine learning (ML) workflows. The first time you run aPipelineJob or create an experiment in the Vertex SDK, Vertex AI createsyour project'sMetadataStore.

If you want your metadata encrypted using acustomer-managed encryption key(CMEK), you must create your metadata store using a CMEKbefore you useVertex ML Metadata to track or analyze metadata.

After the metadata store has been created, the CMEK key that the metadata storeuses is independent of the CMEK key used by processes that log metadata,for example, a pipeline run.

Create a metadata store that uses a CMEK

Use the following instructions to create a CMEK and set up aVertex ML Metadata metadata store that uses this CMEK.

  1. Use Cloud Key Management Service to configure a customer-managed encryptionkey.

  2. Use the following REST call to create your project's default metadata storeusing your CMEK.

    Before using any of the request data, make the following replacements:

    • LOCATION_ID: Your region.
    • PROJECT_ID: Yourproject ID.
    • KEY_RING: The name of the Cloud Key Management Service key ring that your encryption key is on.
    • KEY_NAME: The name of the encryption key that you want to use for this metadata store.

    HTTP method and URL:

    POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/metadataStores?metadata_store_id=default

    Request JSON body:

    {  "encryption_spec": {    "kms_key_name": "projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME"  },}

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json. Run the following command in the terminal to create or overwrite this file in the current directory:

    cat > request.json<< 'EOF'{  "encryption_spec": {    "kms_key_name": "projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME"  },}EOF

    Then execute the following command to send your REST request:

    curl -X POST \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json; charset=utf-8" \
         -d @request.json \
         "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/metadataStores?metadata_store_id=default"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json. Run the following command in the terminal to create or overwrite this file in the current directory:

    @'{  "encryption_spec": {    "kms_key_name": "projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME"  },}'@  | Out-File -FilePath request.json -Encoding utf8

    Then execute the following command to send your REST request:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/metadataStores?metadata_store_id=default" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {  "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATIONS_ID",  "metadata": {    "@type": "type.googleapis.com/google.cloud.aiplatform.v1.CreateMetadataStoreOperationMetadata",    "genericMetadata": {      "createTime": "2021-05-18T18:47:14.494997Z",      "updateTime": "2021-05-18T18:47:14.494997Z"    }  }}

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.