
Accessing Anthropic vertex ai using service account

yovel
New Member

Hi, I'm new to GCP and I'm trying to set up access to Vertex AI using a service account.
When I try to create and use a client using the service account:

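    from pathlib import Path

    from anthropic import AsyncAnthropicVertex
    from google.oauth2 import service_account

    # Load the service account key that sits next to this module.
    gcp_credentials = service_account.Credentials.from_service_account_file(
        str(Path(__file__).parent / 'google_creds.json')
    )
    # Pass the credentials explicitly instead of relying on default auth.
    _ANTROPHIC_VERTEX_CLIENT = AsyncAnthropicVertex(
        project_id=llm_settings.GOOGLE_PROJECT_ID,
        region="europe-west1",
        credentials=gcp_credentials
    )
    # This call triggers the token refresh that raises the error below.
    ret = await _ANTROPHIC_VERTEX_CLIENT.messages.create(
        max_tokens=100,
        messages=[{"role": "user", "content": "What's the capital of France?"}],
        model="claude-3-7-sonnet@20250219"
    )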

I get this error:
google.auth.exceptions.RefreshError: ('invalid_scope: Invalid OAuth scope or ID token audience provided.', {'error': 'invalid_scope', 'error_description': 'Invalid OAuth scope or ID token audience provided.'})

This seems to be a problem with the service account because using default auth works (gcloud auth application-default login).
I made sure the service account has all of the required permissions (roles):

  • Service Account Admin
  • Service Account Key Admin
  • Service Account Token Creator
  • Service Account User
  • Vertex AI Administrator


Hi @yovel,

Welcome to Google Cloud Community!

The error you're encountering (invalid_scope) indicates that the service account you're using does not have the appropriate OAuth scope or audience to authenticate properly for the Vertex AI service. To address this, here are a few potential solutions and things to check:

1. Ensure Correct OAuth Scopes in the Service Account: Service accounts need specific OAuth scopes to authenticate with various Google APIs, including Vertex AI. Make sure that the service account you're using has the correct OAuth scope for the API.

For Vertex AI, the appropriate OAuth scope is:

In Python, when using google-auth to create credentials from a service account, it should automatically use the correct scopes.

2. Check that the Service Account is Correctly Assigned Roles: You’ve mentioned that the service account has several roles, which is great. Ensure that the service account also has the following additional roles (or at least one of them) to ensure it can access Vertex AI services properly:

  • roles/aiplatform.admin for accessing and interacting with Vertex AI.
  • roles/iam.serviceAccountTokenCreator allows the service account to impersonate other service accounts if necessary.

If you're uncertain whether the roles have been assigned correctly, you can review the roles via the GCP Console or use the gcloud CLI to list the roles. Look for your service account and ensure that it has the necessary roles.

3. Service Account Permissions for Vertex AI

  • It’s worth verifying that the service account you're using has permissions specifically for Vertex AI. The role roles/aiplatform.admin should suffice for this.
  • Ensure that there are no constraints, such as organizational policies or VPC service controls, that might prevent the service account from accessing Vertex AI services.

4. Ensure the Service Account JSON File is Correct

  • Check if the google_creds.json file is valid and hasn’t been corrupted or modified. If the file was recently generated, make sure that the permissions and roles were granted immediately after creating it.
  • You can regenerate the credentials by creating a new service account key from the Google Cloud Console and replacing the google_creds.json file.

5. Use the Correct Model ID

  • Ensure that the model ID is correct and accessible from the region you are targeting. If the model ID is incorrect or not available in the specified region, it could cause issues during authentication and API requests.

If the error persists, enable detailed logging for google-auth and check if there are any more specific details about the cause of the invalid_scope error.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
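
An added example for the scope point in step 1 and the key-file check in step 4; it is not code from the original post or the reply. `service_account.Credentials.from_service_account_file(...)` called without `scopes` returns credentials that carry no scope, which is what the token endpoint rejects with `invalid_scope`. The helper names below are hypothetical, and google-auth is assumed to be installed for the last function.

```python
import json
from pathlib import Path

# OAuth scope sent in the token request for Vertex AI calls.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
REQUIRED_FIELDS = ("client_email", "token_uri", "private_key")


def key_file_problems(info):
    """Return the reasons a parsed JSON file is not a usable service account key."""
    problems = []
    if info.get("type") != "service_account":
        problems.append(f"type is {info.get('type')!r}, expected 'service_account'")
    for field in REQUIRED_FIELDS:
        if not info.get(field):
            problems.append(f"missing field {field!r}")
    key = info.get("private_key") or ""
    if key and "PRIVATE KEY-----" not in key:
        problems.append("private_key is not a PEM block")
    return problems


def ensure_scoped(credentials):
    """Attach the cloud-platform scope when the credentials carry no scope."""
    if getattr(credentials, "requires_scopes", False):
        return credentials.with_scopes([CLOUD_PLATFORM_SCOPE])
    return credentials


def load_vertex_credentials(path):
    """Validate the key file, then build scoped credentials from it."""
    info = json.loads(Path(path).read_text())
    problems = key_file_problems(info)
    if problems:
        # Only the type and field names are reported, never key material.
        raise ValueError("; ".join(problems))
    # Imported lazily so the checks above run without google-auth installed.
    from google.oauth2 import service_account
    creds = service_account.Credentials.from_service_account_info(info)
    return ensure_scoped(creds)


# Usage with the client from the question:
#   AsyncAnthropicVertex(project_id=..., region="europe-west1",
#                        credentials=load_vertex_credentials("google_creds.json"))
```

Calling the model needs predict permission on Vertex AI (for example `roles/aiplatform.user`), so the service-account administration roles listed in the question can be dropped from this account.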