{bug} Vertex Auth Support (#1302)

Co-authored-by: Tommaso Sciortino <[email protected]>

3 files changed, 62 insertions, 68 deletions

diff --git a/README.md b/README.md
index 74e17705..ed50cf8b 100644
--- a/README.md
+++ b/README.md
@@ -42,36 +42,15 @@ Or ask it to perform a task using its tools:
 > List files in the current directory.
 ```
 
-## API Key Setup
+## Authentication Setup
 
-The Gemini CLI requires you to authenticate with Google's AI services. You'll need to configure **one** of the following authentication methods:
+The Gemini CLI requires you to authenticate with Google's AI services. On initial startup you'll need to configure **one** of the following authentication methods:
 
-1.  **Gemini Code Assist:**
+1.  **Login with Google (Gemini Code Assist):**
 
-    - To enable this mode you only need set the GEMINI_CODE_ASSIST environment variable to true.
-      - You can temporarily set the environment variable in your current shell session using the following command:
-        ```bash
-        export GEMINI_CODE_ASSIST="true"
-        ```
-      - For repeated use, you can add the environment variable to your `.env` file (located in the project directory or user home directory) or your shell's configuration file (like `~/.bashrc`, `~/.zshrc`, or `~/.profile`). For example, the following command adds the environment variable to a `~/.bashrc` file:
-        ```bash
-        echo 'export GEMINI_CODE_ASSIST="true"' >> ~/.bashrc
-        source ~/.bashrc
-        ```
-    - There are two types of Google Accounts you can use with Gemini CLI:
-      - **Personal Google Account**: This is the standard, free account you use for services like Gmail, Google Photos, and Google Drive for personal use (e.g. [email protected]).
-      - **Google Workspace Account**: This is a paid service for businesses and organizations that provides a suite of productivity tools, including a custom email domain (e.g. [email protected]), enhanced security features, and administrative controls. These accounts are often managed by an employer or school.
-        - Google Workspace Account must configure a Google Cloud Project Id to use. You can temporarily set the environment variable in your current shell session using the following command:
-        ```bash
-        export GOOGLE_CLOUD_PROJECT_ID="YOUR_PROJECT_ID"
-        ```
-        - For repeated use, you can add the environment variable to your `.env` file (located in the project directory or user home directory) or your shell's configuration file (like `~/.bashrc`, `~/.zshrc`, or `~/.profile`). For example, the following command adds the environment variable to a `~/.bashrc` file:
-        ```bash
-        echo 'export GOOGLE_CLOUD_PROJECT_ID="YOUR_PROJECT_ID"' >> ~/.bashrc
-        source ~/.bashrc
-        ```
-    - During start up, Gemini CLI will direct you to a webpage for authentication. Once authenticated, your credentials will be cached locally so the web login can be skipped on subsequent runs. Cached credentials last about 20 hours before expiring.
-    - Note that the the web login must be done in a browser that can communicate with the machine Gemini Cli is being run from. (Specifically, the browser will be redirected to a localhost url that Gemini CLI will be listening on).
+    - Use this option to log in with the standard, free account you use for services like Gmail, Google Photos, and Google Drive for personal use (e.g. [email protected]).
+    - During initial startup, Gemini CLI will direct you to a webpage for authentication. Once authenticated, your credentials will be cached locally so the web login can be skipped on subsequent runs.
+    - Note that the web login must be done in a browser that can communicate with the machine Gemini CLI is being run from. (Specifically, the browser will be redirected to a localhost url that Gemini CLI will be listening on).
 
 2.  **Gemini API key:**
 
@@ -87,43 +66,56 @@ The Gemini CLI requires you to authenticate with Google's AI services. You'll ne
         source ~/.bashrc
         ```
 
-3.  **Google API Key (Vertex AI Express Mode):**
-
-    - You can use a general Google Cloud API key if it has been enabled for the Gemini API or Vertex AI.
-    - Set the `GOOGLE_API_KEY` and `GOOGLE_GENAI_USE_VERTEXAI` environment variables. In the following methods, replace `YOUR_GEMINI_API_KEY` with your Google Cloud API key:
-      - You can temporarily set these environment variables in your current shell session using the following commands:
-        ```bash
-        export GOOGLE_API_KEY="YOUR_GOOGLE_API_KEY"
-        export GOOGLE_GENAI_USE_VERTEXAI=true
-        ```
-      - For repeated use, you can add the environment variables to your `.env` file (located in the project directory or user home directory) or your shell's configuration file (like `~/.bashrc`, `~/.zshrc`, or `~/.profile`). For example, the following commands adds the environment variables to a `~/.bashrc` file:
-        ```bash
-        echo 'export GEMINI_API_KEY="YOUR_GEMINI_API_KEY"' >> ~/.bashrc
-        echo 'export GOOGLE_GENAI_USE_VERTEXAI=true' >> ~/.bashrc
-        source ~/.bashrc
-        ```
+3.  **Login with Google Work**
 
-4.  **Vertex AI (Project and Location):**
-    - Ensure you have a Google Cloud project and have enabled the Vertex AI API.
-    - Set up Application Default Credentials (ADC), using the following command:
+    - Use this option to log in with the **Google Workspace Accounts**. This is a paid service for businesses and organizations that provides a suite of productivity tools, including a custom email domain (e.g. [email protected]), enhanced security features, and administrative controls. These accounts are often managed by an employer or school.
+      - Google Workspace Account must configure a Google Cloud Project Id to use. You can temporarily set the environment variable in your current shell session using the following command:
       ```bash
-      gcloud auth application-default login
+      export GOOGLE_CLOUD_PROJECT_ID="YOUR_PROJECT_ID"
       ```
-      For more information, see [Set up Application Default Credentials for Google Cloud](https://cloud.google.com/docs/authentication/provide-credentials-adc).
-    - Set the `GOOGLE_CLOUD_PROJECT`, `GOOGLE_CLOUD_LOCATION`, and `GOOGLE_GENAI_USE_VERTEXAI` environment variables. In the following methods, replace `YOUR_PROJECT_ID` and `YOUR_PROJECT_LOCATION` with the relevant values for your project:
-      - You can temporarily set these environment variables in your current shell session using the following commands:
-        ```bash
-        export GOOGLE_CLOUD_PROJECT="YOUR_PROJECT_ID"
-        export GOOGLE_CLOUD_LOCATION="YOUR_PROJECT_LOCATION" # e.g., us-central1
-        export GOOGLE_GENAI_USE_VERTEXAI=true
-        ```
-      - For repeated use, you can add the environment variables to your `.env` file (located in the project directory or user home directory) or your shell's configuration file (like `~/.bashrc`, `~/.zshrc`, or `~/.profile`). For example, the following commands adds the environment variables to a `~/.bashrc` file:
+      - For repeated use, you can add the environment variable to your `.env` file (located in the project directory or user home directory) or your shell's configuration file (like `~/.bashrc`, `~/.zshrc`, or `~/.profile`). For example, the following command adds the environment variable to a `~/.bashrc` file:
+      ```bash
+      echo 'export GOOGLE_CLOUD_PROJECT_ID="YOUR_PROJECT_ID"' >> ~/.bashrc
+      source ~/.bashrc
+      ```
+    - During startup, Gemini CLI will direct you to a webpage for authentication. Once authenticated, your credentials will be cached locally so the web login can be skipped on subsequent runs.
+    - Note that the web login must be done in a browser that can communicate with the machine Gemini CLI is being run from. (Specifically, the browser will be redirected to a localhost url that Gemini CLI will be listening on).
+
+4.  **Vertex AI:**
+    - If not using express mode:
+      - Ensure you have a Google Cloud project and have enabled the Vertex AI API.
+      - Set up Application Default Credentials (ADC), using the following command:
         ```bash
-        echo 'export GOOGLE_CLOUD_PROJECT="YOUR_PROJECT_ID"' >> ~/.bashrc
-        echo 'export GOOGLE_CLOUD_LOCATION="YOUR_PROJECT_LOCATION"' >> ~/.bashrc
-        echo 'export GOOGLE_GENAI_USE_VERTEXAI=true' >> ~/.bashrc
-        source ~/.bashrc
+        gcloud auth application-default login
         ```
+        For more information, see [Set up Application Default Credentials for Google Cloud](https://cloud.google.com/docs/authentication/provide-credentials-adc).
+      - Set the `GOOGLE_CLOUD_PROJECT`, `GOOGLE_CLOUD_LOCATION`, and `GOOGLE_GENAI_USE_VERTEXAI` environment variables. In the following methods, replace `YOUR_PROJECT_ID` and `YOUR_PROJECT_LOCATION` with the relevant values for your project:
+        - You can temporarily set these environment variables in your current shell session using the following commands:
+          ```bash
+          export GOOGLE_CLOUD_PROJECT="YOUR_PROJECT_ID"
+          export GOOGLE_CLOUD_LOCATION="YOUR_PROJECT_LOCATION" # e.g., us-central1
+          export GOOGLE_GENAI_USE_VERTEXAI=true
+          ```
+        - For repeated use, you can add the environment variables to your `.env` file (located in the project directory or user home directory) or your shell's configuration file (like `~/.bashrc`, `~/.zshrc`, or `~/.profile`). For example, the following commands adds the environment variables to a `~/.bashrc` file:
+          ```bash
+          echo 'export GOOGLE_CLOUD_PROJECT="YOUR_PROJECT_ID"' >> ~/.bashrc
+          echo 'export GOOGLE_CLOUD_LOCATION="YOUR_PROJECT_LOCATION"' >> ~/.bashrc
+          echo 'export GOOGLE_GENAI_USE_VERTEXAI=true' >> ~/.bashrc
+          source ~/.bashrc
+          ```
+    - If using express mode:
+      - Set the `GOOGLE_API_KEY` environment variables. In the following methods, replace `YOUR_GOOGLE_API_KEY` with your Vertex AI API key provided by express mode:
+        - You can temporarily set these environment variables in your current shell session using the following commands:
+          ```bash
+          export GOOGLE_API_KEY="YOUR_GOOGLE_API_KEY"
+          export GOOGLE_GENAI_USE_VERTEXAI=true
+          ```
+        - For repeated use, you can add the environment variables to your `.env` file (located in the project directory or user home directory) or your shell's configuration file (like `~/.bashrc`, `~/.zshrc`, or `~/.profile`). For example, the following commands adds the environment variables to a `~/.bashrc` file:
+          ```bash
+          echo 'export GOOGLE_API_KEY="YOUR_GOOGLE_API_KEY"' >> ~/.bashrc
+          echo 'export GOOGLE_GENAI_USE_VERTEXAI=true' >> ~/.bashrc
+          source ~/.bashrc
+          ```
 
 ### Next Steps
 
diff --git a/packages/cli/src/config/auth.ts b/packages/cli/src/config/auth.ts
index 6153044e..da4234e0 100644
--- a/packages/cli/src/config/auth.ts
+++ b/packages/cli/src/config/auth.ts
@@ -28,14 +28,16 @@ export const validateAuthMethod = (authMethod: string): string | null => {
   }
 
   if (authMethod === AuthType.USE_VERTEX_AI) {
-    if (!process.env.GOOGLE_API_KEY) {
-      return 'GOOGLE_API_KEY environment variable not found. Add that to your .env and try again, no reload needed!';
-    }
-    if (!process.env.GOOGLE_CLOUD_PROJECT) {
-      return 'GOOGLE_CLOUD_PROJECT environment variable not found. Add that to your .env and try again, no reload needed!';
-    }
-    if (!process.env.GOOGLE_CLOUD_LOCATION) {
-      return 'GOOGLE_CLOUD_LOCATION environment variable not found. Add that to your .env and try again, no reload needed!';
+    const hasVertexProjectLocationConfig =
+      !!process.env.GOOGLE_CLOUD_PROJECT && !!process.env.GOOGLE_CLOUD_LOCATION;
+    const hasGoogleApiKey = !!process.env.GOOGLE_API_KEY;
+    if (!hasVertexProjectLocationConfig && !hasGoogleApiKey) {
+      return (
+        'Must specify GOOGLE_GENAI_USE_VERTEXAI=true and either:\n' +
+        '• GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_LOCATION environment variables.\n' +
+        '• GOOGLE_API_KEY environment variable (if using express mode).\n' +
+        'Update your .env and try again, no reload needed!'
+      );
     }
     return null;
   }
diff --git a/packages/cli/src/ui/components/AuthDialog.tsx b/packages/cli/src/ui/components/AuthDialog.tsx
index be36da8a..7ae8b7ee 100644
--- a/packages/cli/src/ui/components/AuthDialog.tsx
+++ b/packages/cli/src/ui/components/AuthDialog.tsx
@@ -38,7 +38,7 @@ export function AuthDialog({
       label: 'Login with Google Work',
       value: AuthType.LOGIN_WITH_GOOGLE_ENTERPRISE,
     },
-    { label: 'Vertex API Key', value: AuthType.USE_VERTEX_AI },
+    { label: 'Vertex AI', value: AuthType.USE_VERTEX_AI },
   ];
 
   const isSelectedAuthInMore = allAuthItems