Configuring Automation.AI in AAKE after Deployment

This section outlines the configuration properties that you can set and/or change for the Automation.AI component after AAKE has been deployed. This includes enabling and/or disabling the deployment of the Automation.AI component as well as scaling it up or down.

Note: These changes are made in the values.yaml file and require you to restart the Automation.AI pod once you are done with your changes.

Enabling/Disabling the Automation.AI Installation

Automation.AI is one of the components that is provided as a pre-built container image and is installed by the Install Operator automatically. However, you can choose not to install the Automation.AI component with the AAKE cluster.

To do so, you have to disable the relevant parameter in the values.yaml file before the installation by setting it to false:

automation-ai:
  enabled: false

If you deploy AAKE initially without the Automation.AI component and you want to enable it later on, you can do so through a helm upgrade by simply changing this value to true:

automation-ai:
  enabled: true

If there were no other changes done in the values.yaml file, only the automation-ai pod is restarted while all other pods remain running. If the values.yaml file included more changes, the other pods are also restarted automatically.

Scaling Automation.AI

Automation.AI supports running multiple pods to enable high availability, thus improving resilience and scalability. You configure this by setting the replica count in the values.yaml file, for example:

spec:
  automationAiReplicas: 2

The Automation.AI pods are restarted automatically after changing the number of replicas.

Securing Passwords in Automation.AI (application.properties)

You can encrypt all passwords in the application.properties file using the automatic password encryption feature. Automation.AI uses a FIPS 140-3 compliant, two-step cryptographic pipeline to secure sensitive properties. It combines PBKDF2WithHmacSHA512 to derive a strong 256-bit encryption key from a master password, and AES-256-GCM to ensure both data confidentiality and tamper detection.

This feature is turned off by default; therefore, no automatic changes occur in your system until you explicitly turn it on. To activate and configure automatic encryption, define the following parameters in your application.properties file:

  • automation.ai.encryption.enabled (Set to false by default)

    Activates the automatic encryption feature.

  • automation.ai.encryption.candidates

    Defines the regular expressions used to identify which properties require encryption (for example, .*\.password or .*\.secret).

  • automation.ai.encryption.secret.file

    Defines the exact path where the unique master password file should be stored.

Important:

  • Because AAKE uses Kubernetes secrets to securely manage credentials, this file-based encryption is unnecessary. If you are using AAKE, simply leave this feature in its default disabled state.

  • Unlike other components in the system, Automation.AI does not support manual password obfuscation (the UCYBCRYP utility). Automatic encryption is the only supported method for securing passwords in this file.

For more information, see Obfuscating and Encrypting Passwords.

Understanding MCP Servers, OpenAI Providers, and API Providers

Before configuring the communication properties, it is important to understand the core components of the Automation.AI integration and how they interact:

  • MCP Server: A Model Context Protocol (MCP) server acts as a standardized bridge between AI models and external data sources or tools. It enables secure, structured access to these resources, ensuring that the AI can interact with your environment safely and reliably.

  • OpenAI Provider: The OpenAI provider is the service (such as OpenAI, Azure OpenAI, and so on) that hosts the Large Language Models (LLMs). It processes the prompts and determines when and how to call the external tools made available through the MCP server.

  • API Providers: API providers are the individual external systems, APIs, or tools that contain the actual data or actions (for example, the Automic Automation Engine REST API, Rally, or Jira).

How they compose: To make external tools available to the AI, you configure one or more API providers. These API providers are then composed into an MCP server. When the OpenAI provider needs to fetch data or trigger an action, it queries the MCP server, which in turn routes the request to the appropriate configured API provider.

Modifying the application.properties File

You can modify all properties in the application.properties file, or, if used, the environment variables.

Configuration Categories for Automation.AI Setup

Setting up Gen AI involves configuring several application properties organized into four categories:

  • Required: These properties are essential for application startup and define the core configuration of the LLM, database, and AI model provider. They ensure that system components can communicate and the application can start, but no additional functionality is enabled at this stage.

    Important! These parameters should be set before the installation; otherwise, the application cannot start. For more information, see AAKE: Preparing for the Automation.AI Installation.

  • Recommended: These properties enable full application functionality by allowing communication with external systems, ensuring secure operations, and supporting effective monitoring. The MCP OpenAPI Provider Configuration allows integration with external OpenAPI-based services such as the AE REST API by defining one or more providers for external communication. The MCP Server Authentication Configuration manages secure access by validating incoming OAuth 2.0 tokens and controlling how authorization is forwarded to those external endpoints. The TLS/SSL Configuration secures the embedded server for production through appropriate certificate and protocol settings. The Logging Configuration manages log levels and output to ensure effective diagnostics and traceability. These include:

  • Optional: These properties have sensible defaults but can be customized to suit specific environments or preferences. They cover general server settings, MCP server and client behavior, chat memory management, and HTTP client configuration. Adjusting these values allows for fine-tuning performance, connection handling, and conversation retention while keeping default functionality intact. These include:

  • Restricted Properties (Do Not Change): These properties are preconfigured to keep the system stable, manage the database correctly, and ensure secure operation. They define critical internal functions and must not be modified; changing them can break core functionality or compromise system security. Only adjust them if absolutely necessary and with a full understanding of the consequences. These are split into three sub-categories:

    Internal configuration:

    • SPRING_JPA_HIBERNATE_DDLAUTO, set to none by default. Changing it can corrupt the database.

    • SPRING.LIQUIBASE_ENABLED, set to true by default. Disabling it will prevent schema updates.

    • SPRING.LIQUIBASE_CHANGELOG, set to classpath:db/changelog/db.changelog-master.yaml by default. Changing the path breaks migrations.

    • SPRINGDOC_APIDOCS_VERSION, set to the relevant openapi version by default. Changing it might break API clients.

    Spring AI internal settings:

    • SPRING_AI_CHAT_MEMORY_REPOSITORY_JDBC_INITIALIZESCHEMA, set to never by default. Changing the default will cause conflicts.

    • SPRING_AI_VERTEX_AI_GEMINI_TRANSPORT, set to REST by default. Changing the transport may cause compatibility issues.

    • SPRING_AI_MCP_CLIENT_TYPE, set to async by default. Changing to sync will cause blocking issues.

    TLS/SSL security defaults:

    • AUTOMATION_AI_SERVER_SSL_ENABLEDPROTOCOLS, set to the supported TLS versions by default. Do not enable protocols that are not listed by default.

    • AUTOMATION_AI_SERVER_SSL_EXCLUDECIPHERS, lists all excluded weak cipher suites. Do not remove any entries from the list.

Important! The documentation covers all configuration parameters relevant to using Automation.AI with the Automic MCP server. The Do Not Change guidelines apply to this setup as well, but you can use additional Spring parameters to extend or customize the configuration beyond the default Automation.AI integration.

Enabling and Defining TLS/SSL for Automation.AI

To secure the communication between Automation.AI and the Automation Engine as well as the communication between the Automation.AI and the AE REST API, you need to define the parameters listed below.

Important! Make sure you have all required certificates in place. For more information about using certificates and TLS/SSL in Automic Automation, see TLS/SSL Considerations for Automic Automation and TLS/SSL Communication and Encryption.

Server Certificate Configuration

This covers the communication with the Automation Engine, in which the Automation.AI component has the server role.

To use TLS/SSL you need to enable the function and define the path to the PEM certificate file along with the private key and key password:

  • AUTOMATION_AI_SERVER_SSL_ENABLED

    Set this parameter to true to enable TLS/SSL for secure communication to the server, for example:

    AUTOMATION_AI_SERVER_SSL_ENABLED=true

    Environment variable: AUTOMATION_AI_SERVER_SSL_ENABLED

  • AUTOMATION_AI_SERVER_SSL_CERTIFICATE

    Define the path to the server’s public TLS/SSL certificate. This is the server’s public certificate and allows the client (AE) to verify the server’s identity and establish a secure connection. While the file extension may vary (.crt, .cer, .pem and so on), the file must contain PEM-encoded data.

    Ensure the path is prefixed with file, for example:

    AUTOMATION_AI_SERVER_SSL_CERTIFICATE=<file:/path/to/cert.crt>

    Environment variable: AUTOMATION_AI_SERVER_SSL_CERTIFICATE

  • AUTOMATION_AI_SERVER_SSL_CERTIFICATEPRIVATEKEY

    Define the path to the private key to be used with the certificate. Make sure the path starts with file, for example:

    AUTOMATION_AI_SERVER_SSL_CERTIFICATEPRIVATEKEY=<file:/path/to/private.key>

    Environment variable: AUTOMATION_AI_SERVER_SSL_CERTIFICATEPRIVATEKEY

  • AUTOMATION_AI_SERVER_SSL_KEYPASSWORD

    If applicable, enter the password for the private key, for example:

    AUTOMATION_AI_SERVER_SSL_KEYPASSWORD=changeit

    The correct value definition for this property depends on how the certificate was generated. Leave it blank if no password was set, or specify the password if one exists.

    Environment variable: AUTOMATION_AI_SERVER_SSL_KEYPASSWORD

Enabling and Defining TLS/SSL for the MCP Server

In this case, the Automation.AI component (MCP server) has a webclient role. To use TLS/SSL you need to configure the truststore with the server certificate.

You define the OpenAPI provider configuration per provider. To do so, set the following parameters:

Important! The placeholder <API_PROVIDER_NAME> can be replaced with any custom keyword, which must be unique and consistently used across all provider-related properties.

  • AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_SSL_API

    Define the name of the security bundle to use with the given API of the Automation Engine, for example:

    AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_AE-PROD_SSL_API=AE-API

    Environment variable: AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_SSL_API

  • AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_SSL_DEFINITION

    Define the name of the security bundle to use with the given HTTP call for the Swagger documentation (.json), for example:

    AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_AE-PROD_SSL_DEFINITION=aeswagger

    Environment variable: AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_SSL_DEFINITION

For the TLS/SSL authentication, you have the option of using either PEM certificates or a Java Keystore.

Using PEM Certificates

  • SPRING_SSL_BUNDLE_PEM_<AE-API_SSL_BUNDLE_NAME>_TRUSTSTORE_CERTIFICATE

    Define the location of the trusted PEM certificate which is the one used by the server API defined in the parameter AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_BASEURL, for example:

    SPRING_SSL_BUNDLE_PEM_AE-API_TRUSTSTORE_CERTIFICATE=/path/to/jcp-rest.crt

    Environment variable: SPRING_SSL_BUNDLE_PEM_<AE-API_SSL_BUNDLE_NAME>_TRUSTSTORE_CERTIFICATE

  • SPRING_SSL_BUNDLE_PEM_<SWAGGER_SSL_BUNDLE_NAME>_TRUSTSTORE_CERTIFICATE

    Define the location of the trusted PEM certificate which is the one used for the Swagger documentation as defined in the parameter AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_SSL_DEFINITION, for example:

    SPRING_SSL_BUNDLE_PEM_AE-SWAGGER_TRUSTSTORE_CERTIFICATE=/path/to/jcp-rest.crt

    Environment variable: SPRING_SSL_BUNDLE_PEM_<SWAGGER_SSL_BUNDLE_NAME>_TRUSTSTORE_CERTIFICATE

Using a Java Keystore

Important! If you use a Java keystore, you can rely on the default keystore location provided by the JRE. In that case, no additional configuration properties are required. However, if you prefer to use a custom keystore, specify both its file path and password. These parameters must be defined for:

  • The AE API endpoint (AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_BASEURL) and

  • The Swagger definition URL (AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_SSL_DEFINITION)

To do so, define the following parameters:

  • SPRING_SSL_BUNDLE_JKS_<AE-API_SSL_BUNDLE_NAME>_TRUSTSTORE_LOCATION

    Define the location of the truststore which contains the trusted certificate used by the server API as defined in the parameter AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_BASEURL, for example:

    SPRING_SSL_BUNDLE_JKS_AE-API_TRUSTSTORE_LOCATION=${java.home}/lib/security/cacerts

    Environment variable: SPRING_SSL_BUNDLE_JKS_<AE-API_SSL_BUNDLE_NAME>_TRUSTSTORE_LOCATION

  • SPRING_SSL_BUNDLE_JKS_<AE-API_SSL_BUNDLE_NAME>_TRUSTSTORE_PASSWORD

    Define the password for the truststore, for example:

    SPRING_SSL_BUNDLE_JKS_AE-API_TRUSTSTORE_PASSWORD=changeit

    By default, the password is set as changeit, which is also used if no password has been set.

    Environment variable: SPRING_SSL_BUNDLE_JKS_<AE-API_SSL_BUNDLE_NAME>_TRUSTSTORE_PASSWORD

  • SPRING_SSL_BUNDLE_JKS_<SWAGGER_SSL_BUNDLE_NAME>_TRUSTSTORE_LOCATION

    Define the location of the truststore containing the trusted certificate which is the one used for the Swagger documentation as defined in the parameter AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_SSL_DEFINITION, for example:

    SPRING_SSL_BUNDLE_JKS_AE-SWAGGER_TRUSTSTORE_LOCATION=${java.home}/lib/security/cacerts

    Environment variable: SPRING_SSL_BUNDLE_JKS_<SWAGGER_SSL_BUNDLE_NAME>_TRUSTSTORE_LOCATION

  • SPRING_SSL_BUNDLE_JKS_<SWAGGER_SSL_BUNDLE_NAME>_TRUSTSTORE_PASSWORD

    Define the password for the truststore, for example:

    SPRING_SSL_BUNDLE_JKS_AE-SWAGGER_TRUSTSTORE_PASSWORD=changeit

    By default, the password is set as changeit, which is also used if no password has been set.

    Environment variable: SPRING_SSL_BUNDLE_JKS_<SWAGGER_SSL_BUNDLE_NAME>_TRUSTSTORE_PASSWORD

OpenAPI Provider Configuration

The MCP Server supports multiple API providers, such as Automation Engine (default), Rally, Jira, and so on. Each provider is defined by its own Swagger specification and base URL and must be explicitly configured in the properties file for every Automation.AI instance.

These properties control which tools and APIs are exposed to the LLM, enabling features such as Ask AI or the Automation Assistant in AWI. They also allow external MCP clients (like Cursor or MCP Jam) to connect directly to Automation.AI via the MCP API. Please note that these external clients can only access the tools registered here as OpenAPI providers; any other third-party MCP tools connected to Automation.AI remain completely hidden from them.

Important! The placeholder <API_PROVIDER_NAME> can be replaced with any custom keyword, which must be unique and consistently used across all provider-related properties.

  • automation_ai_mcp_openapi_external_providers_<API_PROVIDER_NAME>_definitionlocationurl

    Set the location of the AE REST API Swagger definition, for example:

    https://<api-provider-name>/ae/api/v1/openapi2/swagger.json

    Environment variable: AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_DEFINITIONLOCATIONURL

  • automation_ai_mcp_openapi_external_providers_<API_PROVIDER_NAME>_baseurl

    Define the base URL of the endpoint, for example:

    https://<api-provider-name>/ae/api/v1

    Environment variable: AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_BASEURL

  • automation_ai_mcp_openapi_external_providers_<API_PROVIDER_NAME>_includedmethodtypes

    Define the REST API request types, that is, specify the comma-separated HTTP methods to be used from the Swagger definition, for example:

    AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_AE-PROD_INCLUDEDMETHODTYPES=GET,POST

    All REST operations are supported as method types, that is, GET, POST, PUT, DELETE, PATCH, TRACE, OPTIONS, and HEAD requests.

    Environment variable: AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_INCLUDEDMETHODTYPES

  • automation_ai_mcp_openapi_external_providers_<API_PROVIDER_NAME>_includedparametersincontext

    The parameters included in the context that Swagger should send to the Automation.AI component. These are defined by default and cannot be configured:

    AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_AE-PROD_INCLUDEDPARAMETERSINCONTEXT=client_id,Authorization

    Where:

    • client_id refers to the client ID of the REST API endpoint

    • Authorization refers to the header containing the relevant authorization

    Environment variable: AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_INCLUDEDPARAMETERSINCONTEXT

Optionally, you can purposefully include or exclude specific REST API operations from being invoked by defining one or more relevant operation IDs, which can be provided as a comma-separated list. For more information about operation IDs, please refer to the official Swagger documentation.

Important! You can use one or the other. They cannot be used at the same time.

  • automation_ai_mcp_openapi_external_providers_<API_PROVIDER_NAME>_BLOCKLISToperationids

    For example, if you want to exclude the endpoint /{client_id}/executions/{run_id}/comments so that no list of comments for a given execution is listed, you can define the endpoint's operation ID to be excluded:

    automation_ai_mcp_openapi_external_providers_<API_PROVIDER_NAME>_BLOCKLISToperationids=list,ping

    If nothing has been defined for this parameter, all operations are included.

    Environment variable: AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_BLOCKLISTOPERATIONIDS

  • automation_ai_mcp_openapi_external_providers_<API_PROVIDER_NAME>_ALLOWLISToperationids

    For example, if you want to include the endpoint /{client_id}/executions/{run_id}/comments so only the list of comments for a given execution is listed, you can define the endpoint's operation ID to be included:

    automation_ai_mcp_openapi_external_providers_<API_PROVIDER_NAME>_ALLOWLISToperationids=list,ping

    Environment variable: AUTOMATION_AI_MCP_OPENAI_EXTERNAL_PROVIDERS_<API_PROVIDER_NAME>_ALLOWLISTOPERATIONIDS

Note: You can configure or update the communication between the Automation.AI and the AE REST API at any time. Make sure you restart the Automation.AI component after doing so.

Example

Using the application.properties file:

# Provider 1: Automic Automation Engine
automation.ai.mcp.openapi.external.providers.automic.definition-location-url=https://ae.example.com/api-docs/swagger.json
automation.ai.mcp.openapi.external.providers.automic.base-url=https://ae.example.com
automation.ai.mcp.openapi.external.providers.automic.included-method-types=GET,POST,PUT,DELETE
automation.ai.mcp.openapi.external.providers.automic.included-parameters-in-context=client_id,Authorization

# Provider 2: Jira
automation.ai.mcp.openapi.external.providers.jira.definition-location-url=https://jira.example.com/swagger.json
automation.ai.mcp.openapi.external.providers.jira.base-url=https://jira.example.com
automation.ai.mcp.openapi.external.providers.jira.included-method-types=GET,POST
automation.ai.mcp.openapi.external.providers.jira.block-list-operation-ids=deleteIssue,deleteProject

Alternatively, you can also use the values.yaml file:

automation:
  ai:
    mcp:
      openapi:
        external:
          providers:
            automic:
              definition-location-url: https://ae.example.com/api-docs/swagger.json
              base-url: https://ae.example.com
              included-method-types: GET,POST,PUT,DELETE
              included-parameters-in-context: client_id,Authorization
            jira:
              definition-location-url: https://jira.example.com/swagger.json
              base-url: https://jira.example.com
              included-method-types: GET,POST
              block-list-operation-ids: deleteIssue,deleteProject
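
The following added example (not part of the product or its documentation) previews which REST operations a provider configuration would expose to the LLM as tools, so that the result can be reviewed before Automation.AI is restarted. The filtering order (method types first, then the operation ID list), the function names, and the Swagger fragment are assumptions made for illustration.

```python
# Added example (not product code). The filtering order is an assumption drawn
# from the property descriptions: method types first, then the operation ID list.
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH", "TRACE", "OPTIONS", "HEAD"}
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

# Constructed Swagger fragment; paths and operation IDs are illustrative only.
SAMPLE_SWAGGER = {
    "paths": {
        "/{client_id}/executions": {
            "get": {"operationId": "listExecutions"},
            "post": {"operationId": "startExecution"},
        },
        "/{client_id}/executions/{run_id}/comments": {
            "parameters": [{"name": "run_id", "in": "path"}],
            "get": {"operationId": "listComments"},
            "post": {"operationId": "addComment"},
        },
        "/{client_id}/objects/{name}": {"delete": {"operationId": "deleteObject"}},
        "/ping": {"get": {}},  # no operationId: cannot be named in either list
    }
}


def split_csv(value):
    """Split a comma-separated property value into trimmed, non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def exposed_operations(swagger, included_method_types, blocklist="", allowlist=""):
    """Return (METHOD, path, operationId) tuples that remain after filtering."""
    methods = {m.upper() for m in split_csv(included_method_types)}
    unknown = methods - HTTP_METHODS
    if unknown:
        raise ValueError(f"unsupported method types: {sorted(unknown)}")
    blocked, allowed = set(split_csv(blocklist)), set(split_csv(allowlist))
    if blocked and allowed:
        # The page states that the two lists cannot be used at the same time.
        raise ValueError("block list and allow list cannot be used together")
    exposed = []
    for path, item in swagger.get("paths", {}).items():
        for key, operation in item.items():
            method = key.upper()
            if method not in methods:
                continue  # also skips non-method keys such as "parameters"
            op_id = operation.get("operationId")
            if allowed and op_id not in allowed:
                continue
            if op_id in blocked:
                continue
            exposed.append((method, path, op_id))
    return sorted(exposed, key=lambda op: (op[1], op[0]))


def review(exposed):
    """Flag exposed operations that deserve a second look before go-live."""
    findings = []
    for method, path, op_id in exposed:
        if method in STATE_CHANGING:
            findings.append(f"state-changing tool exposed: {method} {path} ({op_id})")
        if op_id is None:
            findings.append(f"no operationId, cannot be listed: {method} {path}")
    return findings


if __name__ == "__main__":
    ops = exposed_operations(SAMPLE_SWAGGER, "GET,POST", blocklist="listComments")
    for op in ops:
        print(op)
    for finding in review(ops):
        print("REVIEW:", finding)
```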

Securing MCP Server Communication (OAuth 2.0 and Basic Authentication)

To increase security and permission control when accessing the Automic MCP-Server, you can configure authentication for both incoming requests (from the client to the MCP server) and outgoing requests (from the MCP server to the remote REST endpoint).

Important! These settings can be applied globally as a default for all API providers, or they can be overridden individually for specific providers.

Depending on your goal, use one of the following two structures:

  • Global default: AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_<PROPERTY>

  • Provider-specific: AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_<PROPERTY>

Note: The placeholder <API_PROVIDER_NAME> represents the custom name you assign to your API provider endpoint. This name acts as a unique identifier, grouping all related configuration settings for that specific provider.

Authentication is divided into two distinct configurations:

Authentication In: Validates the identity of the client calling the MCP Server. You secure incoming traffic by defining the primary authentication strategy. If you choose to enforce OAuth 2.0, you must also provide the necessary validation details.

  • AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN (Global)

    AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_IN (Provider-specific)

    Defines the authentication method for incoming requests. You can set this parameter to one of the following values:

    • NONE: (Default) No authentication is enforced.

    • OAUTH2: The MCP server validates incoming bearer tokens.

    Examples

    Global:

    AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN=OAUTH2

    Provider-specific:

    AUTOMATION_AI_MCP_PROVIDERS_AE-PROD_DEFAULT_AUTH_AUTH_IN=OAUTH2

    Environment variables:

    • Global: AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN

    • Provider-specific: AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_IN

    If you set the AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN parameter to OAUTH2, you are required to configure the following additional parameters so the server can verify the tokens:

    • AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN_JWKSURL (Global)

      AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_IN_JWKSURL (Provider-specific)

      The URL to the JSON Web Key Set (JWKS) provided by your OAuth server (such as Microsoft Entra ID, Okta, and so on). The MCP server uses this URL to retrieve the public keys needed to validate the token's signature.

      Examples:

      Global:

      AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN_JWKSURL=https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys

      Provider-specific:

      AUTOMATION_AI_MCP_PROVIDERS_AE-PROD_DEFAULT_AUTH_AUTH_IN_JWKSURL=https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys

      Environment variables:

      Global: AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN_JWKSURL

      Provider-specific: AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_IN_JWKSURL

    • AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN_ALLOWEDSCOPES (Global)

      AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_IN_ALLOWEDSCOPES (Provider-specific)

      Defines the specific OAuth 2.0 scopes a client must possess to be granted access to the MCP Server. If the token's scope is invalid or missing, the call is denied. This parameter is optional when AUTH-IN is set to OAUTH2.

      Examples:

      Global:

      AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN_ALLOWEDSCOPES=mcp-access

      Provider-specific:

      AUTOMATION_AI_MCP_PROVIDERS_AE-PROD_DEFAULT_AUTH_AUTH_IN_ALLOWEDSCOPES=mcp-access

      Environment variables:

      Global: AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_IN_ALLOWEDSCOPES

      Provider-specific: AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_IN_ALLOWEDSCOPES

Authentication Out: Determines how the MCP Server handles authorization headers before forwarding a request to the remote REST endpoint. You use these settings to control whether the server passes the client's original token through, enforces a specific token type, or injects its own hardcoded credentials.

  • AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_OUT (Global)

    AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_OUT (Provider-specific)

    Defines the outbound authentication strategy. You can set this parameter to one of the following values:

    • NONE: No authentication is sent to the remote endpoint. Any incoming BASIC or Bearer tokens are dropped before forwarding.

    • FORWARD: (Default) Forwards whatever authentication was received in the incoming request. If no authentication was provided by the client, no authentication is forwarded.

    • MUST_FORWARD: Forwards whatever authentication was received. If the client did not provide any authentication, the MCP server raises an error and denies the request.

    • BEARER_FORWARD: Forwards only Bearer token authentication. If the incoming request used BASIC authentication or no authentication at all, an error is raised.

    • BASIC_FORWARD: Forwards only BASIC authentication. If the incoming request used a Bearer token or no authentication at all, an error is raised.

    • BASIC_HARDCODED: Clears any incoming authorization headers and replaces them with a configured, hardcoded BASIC authentication header before sending the request to the remote endpoint.

    Examples:

    Global:

    AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_OUT=FORWARD

    Provider-specific:

    AUTOMATION_AI_MCP_PROVIDERS_AE-PROD_DEFAULT_AUTH_AUTH_OUT=FORWARD

    Environment variables:

    Global: AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_OUT

    Provider-specific: AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_OUT

    If you set the AUTH_OUT parameter to BASIC_HARDCODED, you are required to configure the following additional parameters to provide the necessary credentials:

  • AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_OUT_USERNAME (Global)

    AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_OUT_USERNAME (Provider-specific)

    The username of the service account required to authenticate with the destination REST endpoint.

    Environment variables:

    Global: AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_OUT_USERNAME

    Provider-specific: AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_OUT_USERNAME

  • AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_OUT_PASSWORD (Global)

    AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_OUT_PASSWORD (Provider-specific)

    The password associated with the service account.

    Environment variables:

    Global: AUTOMATION_AI_MCP_PROVIDERS_DEFAULT_AUTH_AUTH_OUT_PASSWORD

    Provider-specific: AUTOMATION_AI_MCP_PROVIDERS_<API_PROVIDER_NAME>_DEFAULT_AUTH_AUTH_OUT_PASSWORD

    Note: You can override the global default settings for a specific provider. The following example applies hardcoded basic authentication exclusively to the provider named rally:

    AUTOMATION_AI_MCP_PROVIDERS_RALLY_DEFAULT_AUTH_AUTH_OUT=BASIC_HARDCODED
    AUTOMATION_AI_MCP_PROVIDERS_RALLY_DEFAULT_AUTH_AUTH_OUT_USERNAME=your_service_user
    AUTOMATION_AI_MCP_PROVIDERS_RALLY_DEFAULT_AUTH_AUTH_OUT_PASSWORD=your_encrypted_password
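
The following added example (not part of the product or its documentation) resolves the effective Authentication In and Authentication Out settings for one provider, reports missing dependent parameters, and models the outbound header handling described for each AUTH_OUT value. The function names, severity labels, and sample environment are assumptions; the HTTPS check on the JWKS URL is an additional hardening check that the page does not require.

```python
import base64

# Added example (not product code): checks one provider's effective settings.
AUTH_IN_VALUES = {"NONE", "OAUTH2"}
AUTH_OUT_VALUES = {"NONE", "FORWARD", "MUST_FORWARD", "BEARER_FORWARD",
                   "BASIC_FORWARD", "BASIC_HARDCODED"}
PREFIX = "AUTOMATION_AI_MCP_PROVIDERS_"

# Constructed sample environment; host and account names are made up.
SAMPLE_ENV = {
    PREFIX + "DEFAULT_AUTH_AUTH_IN": "OAUTH2",
    PREFIX + "DEFAULT_AUTH_AUTH_IN_JWKSURL": "https://idp.example.com/keys",
    PREFIX + "DEFAULT_AUTH_AUTH_OUT": "BEARER_FORWARD",
    PREFIX + "RALLY_DEFAULT_AUTH_AUTH_IN": "NONE",
    PREFIX + "RALLY_DEFAULT_AUTH_AUTH_OUT": "BASIC_HARDCODED",
    PREFIX + "RALLY_DEFAULT_AUTH_AUTH_OUT_USERNAME": "svc_rally",
}


def effective(env, provider, prop, default=None):
    """Provider-specific value if set, else the global default, else `default`."""
    specific = env.get(f"{PREFIX}{provider}_DEFAULT_AUTH_{prop}")
    if specific:
        return specific
    return env.get(f"{PREFIX}DEFAULT_AUTH_{prop}") or default


def check_provider(env, provider):
    """Return (severity, message) findings for one provider's auth settings."""
    findings = []
    auth_in = effective(env, provider, "AUTH_IN", "NONE")        # page default
    auth_out = effective(env, provider, "AUTH_OUT", "FORWARD")   # page default
    if auth_in not in AUTH_IN_VALUES:
        findings.append(("error", f"AUTH_IN has unsupported value {auth_in!r}"))
    if auth_out not in AUTH_OUT_VALUES:
        findings.append(("error", f"AUTH_OUT has unsupported value {auth_out!r}"))
    if auth_in == "OAUTH2":
        jwks = effective(env, provider, "AUTH_IN_JWKSURL")
        if not jwks:
            findings.append(("error", "AUTH_IN=OAUTH2 requires AUTH_IN_JWKSURL"))
        elif not jwks.lower().startswith("https://"):
            findings.append(("warn", "JWKS URL is not HTTPS; keys could be replaced in transit"))
        if not effective(env, provider, "AUTH_IN_ALLOWEDSCOPES"):
            findings.append(("info", "no AUTH_IN_ALLOWEDSCOPES: access is not restricted by scope"))
    if auth_out == "BASIC_HARDCODED":
        for prop in ("AUTH_OUT_USERNAME", "AUTH_OUT_PASSWORD"):
            if not effective(env, provider, prop):
                findings.append(("error", f"AUTH_OUT=BASIC_HARDCODED requires {prop}"))
        if auth_in == "NONE":
            findings.append(("warn", "AUTH_IN=NONE with BASIC_HARDCODED: callers are not "
                                     "authenticated but requests carry the service account"))
    elif auth_in == "NONE":
        findings.append(("warn", "AUTH_IN=NONE: the MCP server does not authenticate callers"))
    return findings


def outbound_authorization(auth_out, incoming, username=None, password=None):
    """Authorization header value sent to the remote endpoint, or None.

    Raises PermissionError where the page says the MCP server raises an error.
    """
    scheme = incoming.split(" ", 1)[0].lower() if incoming else None
    if auth_out == "NONE":
        return None                      # incoming credentials are dropped
    if auth_out == "FORWARD":
        return incoming or None          # pass through whatever was received
    if auth_out == "MUST_FORWARD":
        if not incoming:
            raise PermissionError("client sent no authentication")
        return incoming
    if auth_out in ("BEARER_FORWARD", "BASIC_FORWARD"):
        wanted = auth_out.split("_")[0].lower()
        if scheme != wanted:
            raise PermissionError(f"{auth_out} accepts only {wanted} authentication")
        return incoming
    if auth_out == "BASIC_HARDCODED":
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        return f"Basic {token}"          # incoming header is replaced
    raise ValueError(f"unsupported AUTH_OUT value {auth_out!r}")


if __name__ == "__main__":
    for name in ("AE-PROD", "RALLY"):
        for severity, message in check_provider(SAMPLE_ENV, name):
            print(f"{name}: {severity}: {message}")
```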

Defining the Logging Configuration

The Automation.AI component leverages Logback (the Spring Boot default) for all system logging. This implementation is fully compatible with standard Spring Boot Logging Reference properties, which can be customized by modifying the logging.properties file located at {$AUTOMIC_AUTOMATION}/Automation.AI/Engine/logging.properties.

By default, the log includes the timestamp, log level, trace/span IDs, and the message content. The log pattern produces messages in the following format:

2026-02-04 13:53:40.132 INFO [Automation-AI, traceId=04851954-829a-4dad-b2fc-f32839bf26eb, spanId=881788dd-bfc8-4051-9faf-e628641005cf] [boundedElastic-4] c.a.ai.AutomationAiChatService - No chatId provided, creating a new one: a9c823b0-d5e1-44a7-ae48-00078d67a040

The logging behavior is managed via Spring Profiles, allowing for distinct configurations based on the use case. The supported profiles are:

  • console: Directs logs to standard output (STDOUT).

  • file: Enables standard file-based logging.

  • full: Enables comprehensive logging across all available appenders.

When the file profile is active, logs are written to the local file system with the following default configuration:

  • Log Directory: logs

  • File Name: automation-ai.log

  • Rotation and Retention: To ensure system stability and prevent disk exhaustion, the following rotation policies are applied:

    • Maximum File Size: 800MB

      A new log file is created once this limit is reached.

    • Maximum History: 9 files

      The system retains up to 9 archived log files before deleting the oldest ones.

    Example:

    logging.file.path=logs

    logging.file.name=${logging.file.path:logs}/automation-ai.log

    logging.logback.rollingpolicy.max-file-size=800MB

    logging.logback.rollingpolicy.max-history=9

While the defaults are optimized for standard operations, you can customize the log rotation behavior in the logging.properties file using standard Spring Boot properties. For example, you can adjust logging.logback.rollingpolicy.max-file-size to control how quickly files rotate or logging.logback.rollingpolicy.max-history to extend the log retention period. For more information, see File Rotation.

You can also configure the following properties to print additional information in the log at the INFO level without enabling full DEBUG or TRACE modes.

  • OpenAPI Tool Responses: Logs the output of the open-api-mcp-server provider tool calls (the default call to the AE REST API).

    # Allows logging output of the openapi-mcp-server tool call at the INFO level

    automation.ai.log-openapi-tool-call-response=false

  • Extra Tool Responses: Logs the output of tool calls belonging to extraTools passed in the request.

    # Allows logging output of the extraTools tool call at the INFO level

    automation.ai.log-extra-tool-call-response=false

To update your configuration, modify the logging.properties file or adjust the active Spring profile and restart Automation.AI to apply the changes.

For a comprehensive list of supported properties and advanced customization, refer to the official Spring Boot documentation at Spring Boot Logging Reference.

Defining the Spring Application Name

You can override the default settings by specifying the application parameters and the Spring application name used by the Automation.AI component.

  • SPRING_APPLICATION_NAME

    Define the application name. Automation-AI is used by default:

    SPRING_APPLICATION_NAME=Automation-AI

    Environment variable: SPRING_APPLICATION_NAME

Defining the MCP Server Settings

To leverage the AE REST API and enhance your LLM to get answers about your Automic Automation system, you need to make sure that your Automation.AI component can communicate with the AE REST API. To do so, you need to enable the MCP server and set different properties. If you want to secure the communication using TLS/SSL, you need to enable it for the MCP Server.

The MCP Server integrates with the Automation Engine to enable AI-driven interactions. These settings are configured exclusively through the application.properties file and apply per Automation.AI instance. Each instance must be configured separately.

  • AUTOMATION_AI_MCP_SERVER_ENABLED

    Enable (true) or disable (false) the MCP server functionality. It is enabled by default:

    AUTOMATION_AI_MCP_SERVER_ENABLED=true

    Environment variable: AUTOMATION_AI_MCP_SERVER_ENABLED

  • AUTOMATION_AI_MCP_SERVER_NAME

    Define the base name of the MCP server. AE MCP Server is the default definition:

    AUTOMATION_AI_MCP_SERVER_NAME=AE MCP Server

    You can also define your custom MCP server:

    automation.ai.mcp.server.name=My Custom MCP Server

    Environment variable: AUTOMATION_AI_MCP_SERVER_NAME

  • AUTOMATION_AI_MCP_SERVER_VERSION

    Define the version of the MCP server.

    AUTOMATION_AI_MCP_SERVER_VERSION=1.0.0

    Environment variable: AUTOMATION_AI_MCP_SERVER_VERSION

  • AUTOMATION_AI_MCP_SERVER_INSTRUCTIONS

    Define if you want to use optional instructions or descriptions for the MCP server. These instructions provide the LLM with a short description of what the MCP server is responsible for and the context in which its tools should be used.

    Note: You do not need to list the available tools within these instructions. The MCP protocol automatically handles the connection handshake and dynamically requests the list of supported tools directly from the server.

    By default, no instructions are used (null), but you can customize this definition to guide the LLM's interactions.

    AUTOMATION_AI_MCP_SERVER_INSTRUCTIONS=null

    AUTOMATION_AI_MCP_SERVER_INSTRUCTIONS=This server provides automation tools.

    Environment variable: AUTOMATION_AI_MCP_SERVER_INSTRUCTIONS

  • AUTOMATION_AI_MCP_SERVER_REQUESTTIMEOUT

    Define the timeout in seconds for the MCP requests. By default, this setting is set to 30 seconds:

    AUTOMATION_AI_MCP_SERVER_REQUESTTIMEOUT=30

    Environment variable: AUTOMATION_AI_MCP_SERVER_REQUESTTIMEOUT

Defining the MCP Client Settings

The MCP Client section defines how the Automation.AI component communicates with third-party MCP servers. In this scenario, Automation.AI plays the role of the MCP client, which allows it to make third-party tools visible to the LLM when the Automation Engine makes a request to the /chat endpoint.

Global Connection Health Check Properties

The following properties govern the connection health check, startup behavior, and timeout parameters for the MCP clients. These settings apply globally to all MCP clients.

Note: These properties are not included in the application.properties file by default. However, you can explicitly add them to override the standard behavior.

  • SPRING_AI_MCP_CLIENT_REQUESTTIMEOUT

    Defines the timeout duration for the connection to the MCP client before an exception is thrown. By default, this is set to 20 seconds.

    SPRING_AI_MCP_CLIENT_REQUESTTIMEOUT=20s

    Environment variable: SPRING_AI_MCP_CLIENT_REQUESTTIMEOUT

  • AUTOMATION_AI_MCP_CLIENT_CONNECTION_HEALTHCHECKPERIOD

    Defines the period between background health check loop iterations. This unified background job handles restoring connections and refreshing the list of tools from MCP servers.

    By default, this is set to 30 seconds. The value cannot be less than the value of the SPRING_AI_MCP_CLIENT_REQUESTTIMEOUT property plus 1 second. If a smaller value is configured, it is forcibly overridden at startup and a warning is logged.

    AUTOMATION_AI_MCP_CLIENT_CONNECTION_HEALTHCHECKPERIOD=30s

    Environment variable: AUTOMATION_AI_MCP_CLIENT_CONNECTION_HEALTHCHECKPERIOD

  • AUTOMATION_AI_MCP_CLIENT_CONNECTION_ALLOWFAILUREONSTARTUP

    Defines whether the application is allowed to start if one or more MCP connections fail during initial startup.

    AUTOMATION_AI_MCP_CLIENT_CONNECTION_ALLOWFAILUREONSTARTUP=true

    If set to true (the default), failed connections are ignored, the application starts, and a background loop constantly retries connecting. If set to false, the application will abort startup and throw an error if the connection fails.

    Environment variable: AUTOMATION_AI_MCP_CLIENT_CONNECTION_ALLOWFAILUREONSTARTUP

  • AUTOMATION_AI_MCP_CLIENT_CONNECTION_REMOVEFAILEDONSTARTUP

    Defines whether to remove database-stored MCP configurations that fail to connect during the initial startup reconciliation. This acts as a safety mechanism. If a configured MCP server is permanently broken, setting this to true will remove the failed server's configuration from the database during startup to prevent a deadlock. Note that property-file configurations are never removed.

    By default, this is set to false.

    AUTOMATION_AI_MCP_CLIENT_CONNECTION_REMOVEFAILEDONSTARTUP=false

    Environment variable: AUTOMATION_AI_MCP_CLIENT_CONNECTION_REMOVEFAILEDONSTARTUP

What happens if an MCP server connection fails during startup?

When the application starts and a connection failure is detected, the system's fallback behavior is dictated by how you have configured these two properties:

  • Step 1: Does the system clean up the failure? (REMOVEFAILEDONSTARTUP)

    This is evaluated first.

    • If true: The system actively cleans up by deleting the failed configurations from the database.

    • If false: It leaves the broken configurations exactly as they are.

  • Step 2: Can the application survive the failure? (ALLOWFAILUREONSTARTUP)

    This is evaluated immediately after the cleanup step.

    • If true: The application ignores the remaining errors, successfully finishes booting, and kicks off a background health-check loop (which will attempt to restore any lingering failed connections).

    • If false (and failures still exist): The application completely aborts the startup process and throws an IllegalStateException.

In short, REMOVEFAILEDONSTARTUP dictates whether the system should clean up the broken connections, while ALLOWFAILUREONSTARTUP dictates whether the application is allowed to survive and run despite them.
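The two-step evaluation above, together with the health-check period floor, modelled as an added Python example (not Automation.AI code). It assumes that "failures still exist" means connections that failed and were not removed in step 1, and that durations are written like 20s; the function names and sample connections are hypothetical.

```python
import re

def seconds(value):
    """Parse a duration such as '20s' or a bare number of seconds (assumed formats)."""
    m = re.fullmatch(r"\s*(\d+)\s*s?\s*", str(value))
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1))

def effective_healthcheck_period(period, request_timeout):
    """Return (effective seconds, overridden?) for the health-check period floor."""
    floor = seconds(request_timeout) + 1       # request timeout plus 1 second
    configured = seconds(period)
    return max(configured, floor), configured < floor

def startup_outcome(connections, remove_failed, allow_failure):
    """connections: (name, source, reachable) with source 'database' or 'properties'."""
    removed, failing = [], []
    for name, source, reachable in connections:
        if reachable:
            continue
        # Step 1 (REMOVEFAILEDONSTARTUP): only database-stored configurations are deleted.
        if remove_failed and source == "database":
            removed.append(name)
        else:
            failing.append(name)
    # Step 2 (ALLOWFAILUREONSTARTUP): are the failures that remain tolerated?
    if failing and not allow_failure:
        state = "aborted"             # the product throws IllegalStateException here
    elif failing:
        state = "started, retrying"   # background health-check loop keeps reconnecting
    else:
        state = "started"
    return {"state": state, "removed": removed, "still_failing": failing}

# Constructed sample: one healthy server and two broken ones from different sources.
SAMPLE = [
    ("SERVER1", "properties", True),
    ("DBTOOLS", "database", False),
    ("SERVER2", "properties", False),
]

if __name__ == "__main__":
    for remove in (False, True):
        for allow in (True, False):
            print(f"remove={remove} allow={allow}", startup_outcome(SAMPLE, remove, allow))
    print(effective_healthcheck_period("10s", "20s"))
```

With REMOVEFAILEDONSTARTUP=true and ALLOWFAILUREONSTARTUP=false, a broken database-stored server no longer blocks startup, but a broken property-file server still does.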

Transport Properties per MCP Provider

The key parameters for the MCP client configuration are the communication protocol (transport) properties as defined in the Spring AI documentation. These settings are configured individually per MCP provider.

Three transports are supported: STDIO, SSE and Streamable-HTTP. For more information about these settings, see the corresponding Transport Properties sections of the Spring AI documentation (MCP Client Boot Starter).

STDIO Transport Properties:

  • SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_COMMAND

    Defines the command to execute for the MCP server.

    Important! When configuring STDIO connections, any command you specify in SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_COMMAND executes on the host file system and inherits the execution permissions of the Automation.AI process. Configure these commands with caution to avoid unintended system impact or security risks.

    SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_SERVER1_COMMAND=/path/to/server

    Environment variable: SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_COMMAND

  • SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_ARGS

    Defines a comma-separated list of command arguments for the MCP server.

    SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_SERVER1_ARGS=--port=8080

    Environment variable: SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_ARGS

  • SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_ENV

    Defines a map of environment variables for the server process.

    SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_SERVER1_ENV_API_KEY=your-api-key

    Environment variable: SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_ENV

SSE Transport Properties:

  • SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_<NAME>_URL

    Defines the base URL endpoint for SSE communication with the MCP server.

    SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_SERVER1_URL=http://localhost:8080

    Environment variable: SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_<NAME>_URL

  • SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_<NAME>_SSEENDPOINT

    Defines the SSE endpoint (as a URL suffix) to use for the connection.

    SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_SERVER1_SSEENDPOINT=/sse

    Environment variable: SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_<NAME>_SSEENDPOINT

Streamable-HTTP Transport Properties:

  • SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS

    Defines a map of named Streamable-HTTP connection configurations.

    SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS=SERVER1

    Environment variable: SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS

  • SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_<NAME>_URL

    Defines the base URL endpoint for Streamable-HTTP communication with the MCP server.

    SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_SERVER1_URL=http://localhost:8083

    Environment variable: SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_<NAME>_URL

  • SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_<NAME>_ENDPOINT

    Defines the Streamable-HTTP endpoint (as a URL suffix) to use for the connection.

    SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_SERVER1_ENDPOINT=/mcp

    Environment variable: SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_<NAME>_ENDPOINT

Custom Headers for SSE and Streamable-HTTP Transports:

Some target MCP servers require specific headers, such as authorization tokens or user-agent strings, to successfully establish a connection. To address this, a custom configuration property (SPRING_AI_MCP_CLIENT_<TRANSPORT>_CONNECTIONS_<NAME>_HEADERS_<HEADERNAME>) allows you to pass additional HTTP headers to the target MCP server:

  • SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_<NAME>_HEADERS_<HEADERNAME>

    Defines a custom header (such as Authorization or User-Agent) for an SSE connection.

    SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_SERVER1_HEADERS_AUTHORIZATION=Bearer <token>

    Environment variable: SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_<NAME>_HEADERS_<HEADERNAME>

  • SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_<NAME>_HEADERS_<HEADERNAME>

    Defines a custom header (such as Authorization or User-Agent) for a Streamable-HTTP connection.

    SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_SERVER1_HEADERS_AUTHORIZATION=Bearer <token>

    Environment variable: SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_<NAME>_HEADERS_<HEADERNAME>

Important!

  • While these properties use the SPRING_AI_MCP prefix to maintain consistency with standard Spring AI configurations, they are a custom implementation specific to Automation.AI and are not part of the default Spring framework.

  • This mechanism is strictly available for the SSE and Streamable-HTTP transport protocols. It does not work for the STDIO transport protocol. STDIO communicates via standard input/output streams over the file system rather than HTTP, meaning it has no definition or support for HTTP headers. For servers using STDIO, you must pass any necessary configuration using the environment variables (SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_ENV) and arguments (SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_<NAME>_ARGS) properties instead.
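A pre-deployment check for the per-provider transport settings described above, as an added Python example (not part of the product). It assumes connection names contain no underscores and that credentials belong in the automation-ai Secret rather than the ConfigMap; the function name, host names and sample values are constructed.

```python
import re
from urllib.parse import urlparse

KEY = re.compile(
    r"^SPRING_AI_MCP_CLIENT_(STDIO|SSE|STREAMABLEHTTP)_CONNECTIONS_([A-Z0-9-]+)_(.+)$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_mcp_clients(configmap, secret=None):
    """Return a sorted list of (subject, finding) for the MCP client connection settings."""
    findings, conns = [], {}
    for key, value in {**configmap, **(secret or {})}.items():
        m = KEY.match(key)
        if m:
            transport, name, field = m.groups()
            conns.setdefault((transport, name), {})[field] = (value, key in configmap)
        elif "_CONNECTIONS_" in key and "MCP_CLIENT" in key:
            findings.append((key, "not a documented connection key (typo?)"))
    for (transport, name), fields in conns.items():
        subject = f"{transport}/{name}"
        headers = [f for f in fields if f.startswith("HEADERS_")]
        if transport == "STDIO":
            if "COMMAND" in fields:
                findings.append((subject, "runs %s with the Automation.AI process permissions"
                                 % fields["COMMAND"][0]))
            if headers:
                findings.append((subject, "HEADERS_* is not supported for STDIO; use ENV or ARGS"))
            continue
        url = urlparse(fields.get("URL", ("", False))[0])
        if "HEADERS_AUTHORIZATION" in fields:
            if fields["HEADERS_AUTHORIZATION"][1]:
                findings.append((subject, "Authorization value is in the ConfigMap, not the Secret"))
            if url.scheme == "http" and url.hostname not in LOOPBACK:
                findings.append((subject, "Authorization header sent over plain HTTP"))
    return sorted(findings)

# Constructed sample settings (not from a real deployment).
CONFIGMAP = {
    "SPRING_AI_MCP_CLIENT_REQUESTTIMEOUT": "20s",
    "SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_SERVER1_COMMAND": "/path/to/server",
    "SPRING_AI_MCP_CLIENT_STDIO_CONNECTIONS_SERVER1_HEADERS_AUTHORIZATION": "Bearer <token>",
    "SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_SERVER2_URL": "http://mcp.example.internal:8080",
    "SPRING_AI_MCP_CLIENT_SSE_CONNECTIONS_SERVER2_HEADERS_AUTHORIZATION": "Bearer <token>",
    "PRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_SERVER3_ENDPOINT": "/mcp",
}
SECRET = {
    "SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_SERVER3_URL": "https://mcp.example.internal",
    "SPRING_AI_MCP_CLIENT_STREAMABLEHTTP_CONNECTIONS_SERVER3_HEADERS_AUTHORIZATION": "Bearer <token>",
}

if __name__ == "__main__":
    for subject, finding in audit_mcp_clients(CONFIGMAP, SECRET):
        print(f"{subject}: {finding}")
```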

Defining the HTTP Client Properties

You can use the User-Agent header to specify the value included with all outgoing HTTP requests made by the webclient.

  • AUTOMATION_AI_HTTP_USERAGENT

    Define the User-Agent header value for all outgoing HTTP requests made by the webclient, for example:

    AUTOMATION_AI_HTTP_USERAGENT=Automation-AI/1.0.0

    This header also supports property placeholders like ${app.version}, for example:

    AUTOMATION_AI_HTTP_USERAGENT=Automation-AI/${app.version}

    The default configuration for this parameter is Automation-AI/${app.version}.

    Environment variable: AUTOMATION_AI_HTTP_USERAGENT

Important! If your AAKE instance uses automatically generated NGINX ingresses, make sure that NGINX allows the use of underscores in HTTP header names as NGINX drops headers containing underscores by default. To prevent this, set the enable-underscores-in-headers parameter to true in the ConfigMap of the Ingress Controller.

Example

apiVersion: v1
kind: ConfigMap
metadata:
  name: <name of nginx ingress controller config map>
  namespace: <namespace of nginx controller>
data:
  enable-underscores-in-headers: "true"

Defining the Chat History Memory

You can also define the lifetime of the messages in the chat history, how often the system checks whether any conversations have timed out, and the maximum number of messages that Automation.AI remembers, using the following parameters:

  • AUTOMATION_AI_CHAT_CONVERSATIONTIMEOUT

    Define the conversation cleanup timeout in minutes, for example:

    AUTOMATION_AI_CHAT_CONVERSATIONTIMEOUT: "1440"

    Environment variable: AUTOMATION_AI_CHAT_CONVERSATIONTIMEOUT

  • AUTOMATION_AI_CHAT_CHECKPERIOD

    Define, in minutes, how often the system should check for conversations, for example:

    AUTOMATION_AI_CHAT_CHECKPERIOD: "60"

    Environment variable: AUTOMATION_AI_CHAT_CHECKPERIOD

  • AUTOMATION_AI_CHAT_MEMORY_MESSAGES_MAX (default 100)

    Define the number of messages that the LLM should remember, for example:

    AUTOMATION_AI_CHATMEMORY_MESSAGES_MAX: "300"

    Environment variable: AUTOMATION_AI_CHATMEMORY_MESSAGES_MAX

Environment Variables for Automation.AI in AAKE

After your system is successfully provisioned, you can also use the automation-ai section of the configmap to change the settings relevant to the Automation.AI component, for example, using the following kubectl command to edit it:

kubectl edit configmap automation-ai

You can set all relevant parameters using environment variables.

Example of the automation-ai configmap

apiVersion: v1
data:
 AUTOMATION_AI_MODEL_NAME: vertex.ai.gemini
 AUTOMATION_AI_HTTP_USERAGENT: Automation-AI/1.0.0
 AUTOMATION_AI_CHAT_CONVERSATIONTIMEOUT: "1440"
 SPRING_AI_VERTEX_AI_GEMINI_PROJECTID: <your GCP project id>
 SPRING_AI_VERTEX_AI_GEMINI_LOCATION: <your GCP location>
 AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_AE-PROD_DEFINITIONLOCATIONURL: https://ae-prod:8080/ae/api/v1/openapi2/swagger.json
 AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_AE-PROD_BASEURL: https://ae-prod:8080/ae/api/v1
 AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_AE-PROD_INCLUDEMETHODTYPES: GET
 AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_AE-PROD_INCLUDEPARAMETERSINCONTEXT: client_id,Authorization
 AUTOMATION_AI_MCP_OPENAPI_EXTERNAL_PROVIDERS_AE-PROD_EXCLUDEOPERATIONIDS: ""
kind: ConfigMap
metadata:
 name: "automation-ai"
 namespace: "<your namespace>"

Example of automation-ai secret

Use the following kubectl command to create the automation-ai secret in your Kubernetes namespace:

kubectl --namespace <your namespace> create secret generic automation-ai \
 --from-file=SPRING_AI_VERTEX_AI_GEMINI_CREDENTIALS=<path to your credentials file>.json

The contents of the secret and the configmap are mapped as environment variables to the automation-ai pod.
