Authenticating to Vertex AI deployed endpoints

Hello, I am a new user of Vertex AI. I have trained and deployed a tabular data categorization model to a Vertex AI hosted endpoint. I have successfully called it from a program running on my laptop where the "gcloud" CLI is installed. If I want to run this not from my desktop but have it called from another service, how do I authenticate? I have created a service account but I am not sure 1) what roles would need to be attached to that account and 2) how I would provide the service account credentials given that I don't have much control over how the service that will call my model is started (i.e. I can't control its environment vars). Any help would be appreciated!

 


Hi, for starters, you may read the basic concepts of IAM and service accounts.

You may check these pre-defined roles for Vertex AI that you can attach to your service account depending on the level of permission you want to give.

For the second question, you need to be a Service Account Admin as per this official GCP Documentation for you to manage a service account.

Thank you for the response. Now I know I need ServiceAccountAdmin. The thing I'm still not clear on is whether there is some way to provide the service account credentials without referencing a file on the file system. For example, if I'm accessing the service from a client to whose file system I have no access, what are my options?

If this is a file from a service you have no control of, the permission should be given on the side of that service. 

This is custom code that is deployed to an app-server-like environment. I can deploy code and config to the app server but I don't control the environment variables that the app server starts up with and I don't control the file system. I'd like to deploy code to the app server that accesses Google hosted model endpoints. Is there some way to authenticate to Google Cloud other than setting an environment variable that points to credentials on the file system?

 

I have been facing the same problem. 

I have created the model and deployed it to an endpoint. I can make predictions via the console, the shell and even from an outside environment, say Postman.

However, in order to make a request from Postman I have to use the bearer token, which I get using the below command in the CLI:
gcloud auth print-access-token

The issue is that the bearer token expires after an hour, so I won't be able to use it for long and for production purposes. What is the solution for it?