Permission and role issue with Vertex AI

prime-qbits · 03-10-2025 12:34 PM

I have been trying to create a vector index using python via service account. Everytime I get following error: Error connecting to existing index: Timeout of 120.0s exceeded, last exception: 503 Getting metadata from plugin failed with error: ('Unable to acquire impersonated credentials', '{\n "error": {\n "code": 403,\n "message": "Permission \'iam.serviceAccounts.getAccessToken\' denied on resource (or it may not exist).",\n "status": "PERMISSION_DENIED",\n "details": [\n {\n "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n "reason": "IAM_PERMISSION_DENIED",\n "domain": "iam.googleapis.com",\n "metadata": {\n "permission": "iam.serviceAccounts.getAccessToken"\n }\n }\n ]\n }\n}\n')

I tried giving all kinds of roles. Including the one mentioned in GCP documents i.e. roles/aiplatform , even vertex admin. Still no success. Can someone please help.

marckevin

Hi @prime-qbits,

Welcome to Google Cloud Community!

Here are some suggestions that you can try:

The error you're encountering, "iam.serviceAccounts.getAccessToken denied on resource (PERMISSION_DENIED),", means that the service account you're using does not have the necessary permission to generate an access token. Try granting your service account the roles/iam.serviceAccountTokenCreator or an equivalent role that provides the necessary permissions with the least privilege
Ensure that there are no conflicting IAM policies preventing your service account from obtaining access token.
Double-check and review your Python code. A small typographical error in the service account or using the wrong service account can lead to errors.
Audit Logging: To further analyze your issue, you may examine and review logs for any errors related to your denied permission.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.