Hi everyone,
I’m working on a Node.js backend that connects to Vertex AI (gemini-pro) using a service account with a key file. However, I keep getting this error when trying to generate a response:
Service account has roles:
Vertex AI User, Service Account Token Creator
Using google-auth-library in Node.js
Key file path is correct and accessible
.env file is correctly loaded with the key path
Regenerated service account keys multiple times
Verified roles in IAM and Policy Bindings via gcloud
OAuth consent screen set to Production
Tested with gcloud auth application-default print-access-token – works
Rebuilt entire project with fresh Firebase and GCP config
Same issue across both localhost and production setups
Unfortunately, the error is vague:
Could this be related to how Vertex AI expects authentication?
Is it safe to test via service account directly or must we use Application Default Credentials?
How can I get more verbose logs for token requests or deeper diagnostics?
Any guidance would be greatly appreciated.
Thanks in advance,
Danny
Issue Resolved – Gemini API 404 Error Caused by Incorrect Endpoint URL by using ADC
I've switched from using a service account key to Application Default Credentials (ADC) with gcloud auth application-default login, and it's now working correctly with the Gemini API.
However, I still don't know what exactly caused the "Could not refresh access token" error when using the service account — the credentials and scopes seemed to be correct, and the project and region settings matched.
If anyone has insight into that specific issue, I’d still love to understand what went wrong.
Thanks for the help so far!
Hi @dan1701,
Welcome to Google Cloud Community!
Could this be related to how Vertex AI expects authentication?
Yes, it is possible that this is related to how Vertex AI expects authentication. It has specific requirements, similar to other Google Cloud services, with various factors affecting the authentication process.
Is it safe to test via service account directly or must we use Application Default Credentials?
Both approaches are safe when authenticating to Vertex AI when properly configured. Authenticating via a service account is secure since it is designed as a safe way to grant access by authenticating with the service account key file. On the other hand, Application Default Credentials (ADC) automatically find credentials based on the environment; this method is easier since it handles token refreshes, is more convenient, and avoids the need to manage key files directly.
How can I get more verbose logs for token requests or deeper diagnostics?
Try Cloud Logging to further analyze your issue or for deeper diagnostics. You can examine and review logs for any errors related to 'Could not refresh access token.' Additionally, you can refer to this documentation as a helpful guide for troubleshooting.
I understand that you have already performed several troubleshooting steps and ensured that the service account setup is correct, including IAM roles and permissions, key file path, endpoint URL, etc. The error 'Could not refresh access token' typically points to various factors, usually due to insufficient roles when calling the Vertex AI API. The 'Vertex AI User' and 'Service Account Token Creator' roles should be sufficient. However, if you're using Cloud Storage, ensure that you have the proper IAM roles and permissions based on your requirements. Additionally, although you’ve already checked the key file, it's best practice to double-check if your service account has read permission on the key file, as the issue strongly suggests a specific configuration problem, which was resolved by ADC.
You can check this documentation for proper guidance on how to authenticate to Vertex AI in local development environments, including client libraries or third-party tools (Application Default Credentials - ADC), REST, and service account impersonation.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
Thanks for your reply. Apologies for potential confusion.
Due to the persistent issue with "could not refresh access token", I decided to take a clearer approach: I have since set up a completely new Google Cloud project and created a new, dedicated service account for my application.
This fresh start seems to have resolved the previous complexities regarding token handling and Vertex AI access appears to be working now.
However, I've encountered a new primary challenge: I am now facing authorization/could not find db issues specifically when my Node.js application (running on Cloud Run in the new project) tries to access Firestore, see https://www.googlecloudcommunity.com/gc/Databases/Firestore-API-Returns-NOT-FOUND-gRPC-Error-5-for-D...
Thanks again for your assistance!