Re: CURL public gemini-pro query error - "Please u...

bapi-svivek · 02-19-2025 09:59 PM

Curl test to public gemini-pro is failing. Would appreciate any pointers re what to debug.

Using a service account.
Billing enabled on project.
Confirmed that service account is authenticated (gcloud auth activate-service-account).
"Vertex AI User" role assigned to service account.
"Vertex AI API" is enabled.

CURL -

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '
{"contents": [{"parts": [{"text": "shortest sentence with 4 colors and 5 shapes"}]}],
"generationConfig": {"temperature": 0.2,"maxOutputTokens": 512}
}' \
"https://us-west1-aiplatform.googleapis.com/v1/projects/<project-id>/locations/us-west1/publishers/google/models/gemini-pro:generateContent"

Error -

{
"error": {
"code": 400,
"message": "Please use a valid role: user, model.",
"status": "INVALID_ARGUMENT"
}
}

dchiesa1

I'm not an expert , but I see two things that look wrong to me.

you're not specifying a role in the JSON payload.
Your access token is not corresponding to the service account .

For #1, See this documentation. The payload should be like this:

curl \
  -X POST \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json" \
  "https://us-central1-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/us-central1/publishers/google/models/${MODEL_ID}:streamGenerateContent" -d \
  $'{
    "contents": {
      "role": "user",
      "parts": [
        {
        "fileData": {
          "mimeType": "image/png",
          "fileUri": "gs://generativeai-downloads/images/scones.jpg"
          }
        },
        {
          "text": "Describe this picture."
        }
      ]
    }
  }'

Note the "role" field. The error message is saying you're missing the role. From my brief review, the doc is unclear - it says that you can omit the role in some circumstances. But maybe not in this circumstance.

For #2, gcloud auth print-access-token prints YOUR access token. you can try this API to inspect what you get out of that:

accesstoken=$(gcloud auth print-access-token)
curl -i https://www.googleapis.com/oauth2/v3/tokeninfo\?access_token=$accessToken

You should see your own user's email in the output of that curl command. That tells you the access token belongs to you, not to the service account. To get a token on behalf of a service account using the gcloud command, you must use something like this:

gcloud auth print-access-token --impersonate-service-account ${full_sa_email}

And if you send the output of THAT to the token info endpoint, the email there will be the full email of the service account. THAT is the way to get an access token , if you want to "act as" the service account.

BTW to do this impersonation, you need to have iam.serviceAccountTokenCreator role. To get that:

  WHOAMI=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
  gcloud iam service-accounts add-iam-policy-binding  ${full_sa_email}" \
       --member="user:${WHOAMI}" \
       --role=roles/iam.serviceAccountTokenCreator

dchiesa1

Also, this space is intended to focus on Gemini Code Assist, an AI coding assistant that is powered by Gemini. Think of it as a developer-oriented service, applying Gemini to help in coding, developing, reviewing code, analyzing programming language code. It's integrated into code editors and programming tools.

This forum is not intended to be a general-purpose forum for any questions about Gemini.

CURL public gemini-pro query error - "Please use a valid role: user, model."