"Permission denied on resource project" - Not able to call deployed model using cURL after service account has been activated

Question

I deployed a sklearn based model to GCP AI Platform using Predict. I was able to test the model successfully when using the "TEST & USE" tab in the GCP AI Platform console.

However, when testing using terminal, I got an error:

curl -X POST -d '{"instances": [[12.85, 3.27, 2.58, 22.0, 106.0, 1.65, 0.6, 0.6, 0.96, 5.58, 0.87, 2.11, 570.0], [12.08, 1.13, 2.51, 24.0, 78.0, 2.0, 1.58, 0.4, 1.4, 2.2, 1.31, 2.72, 630.0], [12.0, 0.92, 2.0, 19.0, 86.0, 2.42, 2.26, 0.3, 1.43, 2.5, 1.38, 3.12, 278.0]]}' https://ml.googleapis.com/v1/projects/ml_deployment_tutorials/models/sklearn/versions/v1_0:predict\?access_token\=$(gcloud auth application-default print-access-token)

{
  "error": {
    "code": 403,
    "message": "Permission denied on resource project ml_deployment_tutorials.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.Help",
        "links": [
          {
            "description": "Google developer console API key",
            "url": "https://console.developers.google.com/project/ml_deployment_tutorials/apiui/credential"
          }
        ]
      }
    ]
  }

Also, when testing in Postman, I got a similar error:

{
    "error": {
        "code": 401,
        "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
        "status": "UNAUTHENTICATED"
    }
}

However, I did already login to gcloud sdk in the terminal since when running gcloud auth list, I got:

               Credentialed Accounts
ACTIVE  ACCOUNT
        ai-assets@appspot.gserviceaccount.com
        ***@***.com
        ***@gmail.com
*       ml-deploy@datakademy.iam.gserviceaccount.com

The service account "ml-deploy@datakademy.iam.gserviceaccount.com" was the one I just created, and I downloaded the key file and did export GOOGLE_APPLICATION_CREDENTIALS="/home/george/Documents/datakademy-ml.json" in terminal (when creating the service account, I also selected the role "ML Engine Admin", also tried "Owner"). This was successful since when I do gcloud auth application-default print-access-token, I get this long string below back:

ya29.c.Kp0B7gcRXl4cyLCWnc-olIZ3Bh3Ak-YQO-t0fDOp-1nx6BWS5xGOv-4Qa6tS7RPYYfIwBw-mRgzPHoIlCM-eCt67wKQhYbfEvEafsB_V-*****

After the service account was created, I also activated it in the terminal:

gcloud auth activate-service-account ml-deploy@datakademy.iam.gserviceaccount.com --key-file=/home/george/Documents/datakademy-ml.json

Activated service account credentials for: [ml-deploy@datakademy.iam.gserviceaccount.com]

Answer 1

On top the wrong project and model names pointed about by @Ricco D, it turns out the endpoint I used was wrong. Since my model was created in the "us-central1" region, I should have used the endpoint https://us-central1-ml.googleapis.com/ instead of https://ml.googleapis.com/. Once this is changed, using this below command, I was able to get predictions back now.

curl -X POST -d '{"instances": [[12.85, 3.27, 2.58, 22.0, 106.0, 1.65, 0.6, 0.6, 0.96, 5.58, 0.87, 2.11, 570.0], [12.08, 1.13, 2.51, 24.0, 78.0, 2.0, 1.58, 0.4, 1.4, 2.2, 1.31, 2.72, 630.0], [12.0, 0.92, 2.0, 19.0, 86.0, 2.42, 2.26, 0.3, 1.43, 2.5, 1.38, 3.12, 278.0]]}' https://us-central1-ml.googleapis.com/v1/projects/datakademy/models/sklearn_model/versions/v0_1:predict\?access_token\=$(gcloud auth application-default print-access-token)

Answer 2

I noticed on your screenshot that the model name is sklearn_model but on your AI Platform endpoint you used sklearn. Also it seems like the project ID used is incorrect since a project ID cannot contain underscores.

The project ID must be a unique string of 6 to 30 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen.

Double check your project ID by going to GCP Home-> Dashboard. Your project ID should be there under "Project Info".

The correct structure of the endpoint should be:

https://ml.googleapis.com/v1/projects/your-project-id/models/your-model-name/versions/your-version-name:predict

Your end point should be something like this (just place your correct project ID):

https://ml.googleapis.com/v1/projects/your-project-id/models/sklearn_model/versions/v1_0:predict