Reputation: 63
Authenticate Custom Training Job in Vertex AI with Service Account
I am trying to run a Custom Training Job to deploy my model in Vertex AI directly from a Jupyterlab. This Jupyterlab is instantiated from a Vertex AI Managed Notebook where I already specified the service account.
My aim is to deploy the training script that I specify to the method CustomTrainingJob directly from the cells of my notebook. This would be equivalent to pushing an image that contains my script to container registry and deploying the Training Job manually from the UI of Vertex AI (in this way, by specifying the service account, I was able to corectly deploy the training job). However, I need everything to be executed from the same notebook.
In order to specify the credentials to the CustomTrainingJob of aiplatform, I execute the following cell, where all variables are correctly set:
import google.auth
from google.cloud import aiplatform
from google.auth import impersonated_credentials
source_credentials = google.auth.default()
target_credentials = impersonated_credentials.Credentials(
source_credentials=source_credentials,
target_principal='SERVICE_ACCOUNT.iam.gserviceaccount.com',
target_scopes = ['https://www.googleapis.com/auth/cloud-platform'])
aiplatform.init(project=PROJECT_ID, location=REGION, staging_bucket=BUCKET_NAME)
job = aiplatform.CustomTrainingJob(
display_name=JOB_NAME,
script_path=SCRIPT_PATH,
container_uri=MODEL_TRAINING_IMAGE,
credentials=target_credentials
)
When after the job.run() command is executed it seems that the credentials are not correctly set. In particular, the following error is returned:
/opt/conda/lib/python3.7/site-packages/google/auth/impersonated_credentials.py in _update_token(self, request)
254
255 # Refresh our source credentials if it is not valid.
--> 256 if not self._source_credentials.valid:
257 self._source_credentials.refresh(request)
258
AttributeError: 'tuple' object has no attribute 'valid'
I also tried different ways to configure the credentials of my service account but none of them seem to work. In this case it looks like the tuple that contains the source credentials is missing the 'valid' attribute, even if the method google.auth.default() only returns two values.
Upvotes: 3
Views: 5693
Answers (2)
Reputation: 425
Using service account credentials from details stored as a Json file.
- create a credential.json from your service account (add file to .gitignore)
- load Service Account file as an object with
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file(credentials.json)
- initialize aiplatform instance
aiplatform.init(project=project, location=location, credentials=credentials)
Note that this question doesn't mention neither Kubeflow nor Pipeline, if Kubeflow sdk is needed, the authentication with aiplatform is not valid or enough for kfp.
Upvotes: 3
Reputation: 31
To run the custom training job using a service account, you could try using the service_account argument for job.run(), instead of trying to set credentials. As long as the notebook executes as a user that has act-as permissions for the chosen service account, this should let you run the custom training job as that service account.
Upvotes: 1
Related Questions
- GCP Vertex AI Service Agent access to GCR image Error
- Porting custom job from GCP AI Platform to Vertex AI - how to get state and logs of job?
- Cannot use `gcloud auth print-identity-token` from within Vertex AI Custom Job
- Vertex AI Custom Container Training Job python SDK - google.api_core.exceptions.FailedPrecondition: 400 '
- How to build custom pipeline in GCP using Vertex AI
- Permission Denied using Google AiPlatform ModelServiceClient
- GCP cannot create Managed Notebook on Vertex AI
- Vertex AI - cannot create managed notebook instance
- How to schedule repeated runs of a custom training job in Vertex AI
- How can I grant AI Platform training jobs access to Cloud SQL resources in the same project?