GCP VertexAI: pass explicit scope to google.auth.default() #579
Relates to / resolves #575
GCP resolves default application credentials in a specific order documented here: https://cloud.google.com/docs/authentication/application-default-credentials
The existing VertexAI code seems to assume that google.auth.default() returns either a user's credentials or the attached service account (via Workload Identity) and not a service account, which has a different code branching path for auth.

Long term seems better and more idiomatic to use Google's semantics of GOOGLE_APPLICATION_CREDENTIALS via google.auth.default() itself instead of explicitly passing in the service_account_file parameter/property to the model constructor separately, but that seems like a significant refactor of some of the codebase. This illustrates a possible (inelegant) workaround short term that got my code using a service account for auth working, not necessarily something that should be merged or the long term solution for the library.

Ok, did some more digging, and it seems like we may just need to pass the scopes parameter in to google.auth.default() for the service account case to allow the credentials to refresh their token. Perhaps for gcloud/workload identity cases they are loaded automatically, but for service accounts they need to be more explicit. By removing my changes and adding this, using my service account via google.auth.default() worked. I think that potentially with this change, the service_account_file parameter/property and code could be deprecated in favor of GCP's application default credentials preferred flow.
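
The scope state discussed in the description above, as an added example that is not part of the pull request or the library's code: it resolves application default credentials from a service-account file through GOOGLE_APPLICATION_CREDENTIALS, once without and once with explicit scopes, and reports whether the credential still needs scopes. The key file is constructed at runtime with a throwaway key, the project and e-mail are placeholders, and the cloud-platform scope is an assumption because the description does not name the scope it passes.

```python
import json
import os
import tempfile
from unittest import mock

import google.auth
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# Assumed scope: the PR description does not name the scope it passes.
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def write_constructed_key_file(directory):
    """Write a throwaway service-account file (constructed; key made at runtime)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    ).decode()
    info = {
        "type": "service_account",
        "project_id": "example-project",  # placeholder
        "private_key_id": "constructed-key-id",  # placeholder
        "private_key": pem,
        "client_email": "demo@example-project.iam.gserviceaccount.com",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
    path = os.path.join(directory, "sa.json")
    with open(path, "w") as fh:
        json.dump(info, fh)
    return path


def adc_scope_state(key_path, scopes=None):
    """Resolve ADC from key_path; return (requires_scopes, scopes). No network."""
    # patch.dict restores the previous environment when the block exits.
    with mock.patch.dict(os.environ, {"GOOGLE_APPLICATION_CREDENTIALS": key_path}):
        creds, _project = google.auth.default(scopes=scopes)
    return creds.requires_scopes, creds.scopes


def compare():
    """Load the same key file without and with explicit scopes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_constructed_key_file(tmp)
        return adc_scope_state(path), adc_scope_state(path, [CLOUD_PLATFORM])
```

Only the credential loaded with explicit scopes reports requires_scopes as False; no token is requested, so the comparison runs offline.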