netskink

Reputation: 4539

Using Vertex AI in custom Python script outside AI Workbench and Colab fails with permission denied

I'm trying to use GCP Vertex AI outside of a GCP managed AI Workbench notebook environment or Google Colab notebook environment. Specifically, I am trying to run in a self-hosted Jupyter notebook environment. Here is my setup and problem:

Setup

Setup GCP and shell running python

We used info from two primary sources:

install gcloud

This is using a Debian Linux environment

$ sudo apt-get install apt-transport-https ca-certificates gnupg curl sudo
$ echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
$ curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
$ sudo apt-get update && sudo apt-get install google-cloud-cli
$ gcloud init

setup authentication and authorization

These API enables are a bit overkill, but you are not charged for enabling the APIs. Charges are only incurred based upon usage.

Enable services

$ gcloud services enable \
  compute.googleapis.com \
  iam.googleapis.com \
  iamcredentials.googleapis.com \
  monitoring.googleapis.com \
  logging.googleapis.com \
  notebooks.googleapis.com \
  aiplatform.googleapis.com \
  bigquery.googleapis.com \
  artifactregistry.googleapis.com \
  cloudbuild.googleapis.com \
  container.googleapis.com

Create custom service account

Authentication

$ SERVICE_ACCOUNT_ID=vertex-custom-training-sa
$ gcloud iam service-accounts create $SERVICE_ACCOUNT_ID  \
    --description="A custom service account for Vertex custom training with Tensorboard" \
    --display-name="Vertex AI Custom Training"

Authorization

Grant for Vertex AI to run model training, deployment and prediction

$ gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=serviceAccount:$SERVICE_ACCOUNT_ID@$PROJECT_ID.iam.gserviceaccount.com \
    --role="roles/aiplatform.user"

Lastly, from this guide

# orig from guide
# $ gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL

# our version
$ gcloud auth application-default login --impersonate-service-account $SERVICE_ACCOUNT_ID@$PROJECT_ID.iam.gserviceaccount.com

Testing the result of expansion of the email for the service account, it did match the service account email in the IAM microservice with the GCP project, as shown here: (This shows BigQuery and Cloud Storage enabled, but the key is that Vertex AI is enabled.) (Furthermore, in the marketplace for the project we also have Vertex AI enabled. This might only enable the API in the project, but not the use of the API from outside the hosted workbench. Likewise, when I searched for Vertex AI API as an API role, I did not find it. I found platform API, and I wonder if it's the only API available as a generic API outside of hosted workbench notebooks.)

Setup of jupyter notebook

These are from a Jupyter notebook. All code is in Python with the exception of the pip commands done for the shell; these can be distinguished by the use of !.

# install the google cloud AI api
!pip install "shapely<2.0.0"
!pip install google-cloud-aiplatform --upgrade

# Import the os package
import os

import vertexai

PROJECT_ID = os.environ['GCP_PROJ_ID']  # @param {type:"string"}
vertexai.init(project=PROJECT_ID, location="us-central1")

# test the gcp vertex AI
from vertexai.language_models import TextGenerationModel

# these were checks to see if we had our environment set correctly.
# It showed the environment variable had the path specified correctly
# for the json credential file and that we could access the 
# credentials.
#print(os.environ['GOOGLE_APPLICATION_CREDENTIALS'])
#os.system('cat application_default_credentials.json')
#os.system('pwd')
#os.system('ls')

# load the model
# this failed with "status": "PERMISSION_DENIED"
# I'm not sure if it was permission denied on loading the JSON file
# or if the service account credentials did not have access to the 
# API.
generation_model = TextGenerationModel.from_pretrained("text-bison@001")

Problem

The last line shown above gets a permission denied result.

Lastly

This info might be better seen in total on GitHub. The GitHub repo with the text and notebook is shown here.

Upvotes: 2

Views: 1501

Answers (1)

srjchsv

Reputation: 26

You were missing the google auth with service account part before using the model. The GOOGLE_APPLICATION_CREDENTIALS variable is commented out and not used.

Here is the example on how to use it:

import json
import os

import vertexai
from vertexai.language_models import TextGenerationModel
from google.oauth2 import service_account  # importing auth using service_account

# reading and saving credentials
with open(os.environ['GOOGLE_APPLICATION_CREDENTIALS'], 'r') as source:
    info = json.load(source)

# Auth using service account with json credentials; keep the returned object
# and hand it to vertexai.init(), otherwise it is never used
credentials = service_account.Credentials.from_service_account_info(info)
vertexai.init(project=os.environ['GCP_PROJ_ID'], location="us-central1", credentials=credentials)

Now it should work:

generation_model = TextGenerationModel.from_pretrained("text-bison@001")

Upvotes: 0
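An added example, not part of the original question or answer: a check that separates the two failure modes the question raises (a credential file of the wrong kind versus a principal that lacks access) by classifying the ADC JSON without printing any secret. The per-type field lists are an assumption based on what google-auth reads from ADC files; the sample document and the project name example-project are constructed.

```python
import json
import re

# Fields each ADC file "type" is expected to carry (assumption, see lead-in).
REQUIRED = {
    "service_account": ("client_email", "private_key", "token_uri"),
    "authorized_user": ("client_id", "client_secret", "refresh_token"),
    "impersonated_service_account": ("service_account_impersonation_url", "source_credentials"),
}
_SA_IN_URL = re.compile(r"/serviceAccounts/([^:/]+):generateAccessToken$")


def describe_adc(info):
    """Classify a parsed ADC JSON document without echoing any secret value."""
    kind = info.get("type")
    if kind not in REQUIRED:
        return {"type": kind, "ok": False, "problem": "unrecognized credential type"}
    missing = [k for k in REQUIRED[kind] if k not in info]
    if missing:
        return {"type": kind, "ok": False, "problem": "missing fields: " + ", ".join(missing)}
    if kind == "service_account":
        principal = info["client_email"]
    elif kind == "impersonated_service_account":
        m = _SA_IN_URL.search(info["service_account_impersonation_url"])
        principal = m.group(1) if m else None
    else:
        principal = None  # end-user credentials: no service account involved
    return {
        "type": kind,
        "ok": True,
        "principal": principal,
        # service_account.Credentials.from_service_account_info() needs a key file
        "key_file_loader_applies": kind == "service_account",
    }


def describe_adc_file(path):
    with open(path, "r", encoding="utf-8") as fh:
        return describe_adc(json.load(fh))


# Constructed sample shaped like the file written by
# `gcloud auth application-default login --impersonate-service-account ...`
SAMPLE_IMPERSONATED = {
    "type": "impersonated_service_account",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
    "serviceAccounts/vertex-custom-training-sa@example-project.iam.gserviceaccount.com:generateAccessToken",
    "source_credentials": {"type": "authorized_user", "client_id": "x", "client_secret": "x", "refresh_token": "x"},
}
```

When the type is impersonated_service_account, the signed-in user also needs roles/iam.serviceAccountTokenCreator on the reported principal, separate from the roles/aiplatform.user grant on the service account itself. google.auth.default() loads all three file types, whereas the key-file loader accepts only service_account.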
