How to get authorization token for Google's Vertex AI service?
Question
I am trying to call Google's Vertex AI API via REST to something like:
https://us-central1-aiplatform.googleapis.com/v1/projects/...
I am having trouble with figuring out where to get the "access token":
```
-X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
```
I was able to generate a short-term OAuth one from Google CLI, but I want to generate a long-term one. I have tried the following, all of which return a 401 error:
- API Key
- Service Account
I just need this for testing purposes. Is there a way for me to do this easily?
Using Google CLI, but it was a short-term solution. The token expired after 30 minutes.
Answer 1
Score: 1
You can only do this via the REST API (see documentation), with the following requirement:

> By default, the maximum token lifetime is 1 hour (3,600 seconds). To extend the maximum lifetime for these tokens to 12 hours (43,200 seconds), add the service account to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.

To use the REST API, you execute a POST method to

```
https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateAccessToken
```

with a body

```
{
  "scope": [
    "https://www.googleapis.com/auth/cloud-platform"
  ],
  "lifetime": "LIFETIME"
}
```

where
- LIFETIME: The amount of time until the access token expires, in seconds. For example, 300s
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.

Your current method is via gcloud CLI. According to documentation,

> The Google Cloud CLI does not support setting a lifetime for the token

This means you're limited to the default time limit, which is designed to be short (the access token is referred to as short-lived credentials).
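
The request described in this answer, sketched in JavaScript as an added example (it is not part of the original answer or of any Google client library): it builds the generateAccessToken call, rejects lifetimes above the quoted 1-hour and 12-hour maximums before anything is sent, and decides when a cached token should be re-minted. The function names, the `extended` flag and the 60-second skew are assumptions; `accessToken` and `expireTime` are the fields the IAM Credentials API returns.

```javascript
// Added example. Limits are the ones quoted in the answer above.
const DEFAULT_MAX_S = 3600; // 1 hour
const EXTENDED_MAX_S = 43200; // 12 hours, only with the org policy constraint

// Build the generateAccessToken request. `extended` is a hypothetical flag:
// true when the service account is listed in the lifetime-extension policy.
function buildTokenRequest(saEmail, lifetimeSeconds, { extended = false } = {}) {
  // Sanity check so the e-mail cannot change the URL path.
  if (!/^[\w.-]+@[\w.-]+$/.test(saEmail)) {
    throw new TypeError("unexpected service account e-mail");
  }
  const max = extended ? EXTENDED_MAX_S : DEFAULT_MAX_S;
  if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds <= 0 || lifetimeSeconds > max) {
    throw new RangeError(`lifetime must be 1..${max} seconds`);
  }
  return {
    url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${saEmail}:generateAccessToken`,
    body: {
      scope: ["https://www.googleapis.com/auth/cloud-platform"],
      lifetime: `${lifetimeSeconds}s`,
    },
  };
}

// True when a cached token is expired, unparseable, or within skewMs of expiry.
function needsRefresh(expireTimeIso, nowMs = Date.now(), skewMs = 60000) {
  const expiresAt = Date.parse(expireTimeIso);
  return Number.isNaN(expiresAt) || expiresAt - nowMs <= skewMs;
}

// Send the request. callerToken is the caller's own access token (for example
// the gcloud one from the question); the caller must be allowed to mint
// tokens for saEmail.
async function mintToken(saEmail, lifetimeSeconds, callerToken, opts) {
  const { url, body } = buildTokenRequest(saEmail, lifetimeSeconds, opts);
  const res = await fetch(url, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${callerToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`generateAccessToken failed: HTTP ${res.status}`);
  return res.json(); // { accessToken, expireTime }
}
```

Re-minting shortly before `expireTime` gives a long-running test script continuous access without asking for a longer-lived credential.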
Answer 2
Score: 1
I finally was able to call Palm (bison) from NodeJS and a normal service account. See code:

```javascript
import { JWT } from "google-auth-library";

const API_ENDPOINT = "us-central1-aiplatform.googleapis.com";
// GOOGLE_KEY is read from the environment and used as the project segment of the URL.
const URL = `https://${API_ENDPOINT}/v1/projects/${process.env.GOOGLE_KEY}/locations/us-central1/publishers/google/models/chat-bison@001:predict`;

// Exchange the service account key file for an OAuth 2.0 access token.
// Despite the name, the value returned is an access token.
const getIdToken = async () => {
  const client = new JWT({
    keyFile: "./google.json",
    scopes: ["https://www.googleapis.com/auth/cloud-platform"],
  });
  const idToken = await client.authorize();
  return idToken.access_token;
};

// Send one user message to chat-bison and return the first candidate's text.
export const getTextPalm = async (prompt, temperature) => {
  const headers = {
    Authorization: `Bearer ` + (await getIdToken()),
    "Content-Type": "application/json",
  };
  const data = {
    instances: [
      {
        context: "",
        examples: [],
        messages: [
          {
            author: "user",
            content: prompt,
          },
        ],
      },
    ],
    parameters: {
      // ?? keeps an explicit temperature of 0; || would replace it with 0.5.
      temperature: temperature ?? 0.5,
      maxOutputTokens: 1024,
      topP: 0.8,
      topK: 40,
    },
  };
  const response = await fetch(URL, {
    method: "POST",
    headers,
    body: JSON.stringify(data),
  });
  if (!response.ok) {
    console.error(response.statusText);
    throw new Error("Request failed " + response.statusText);
  }
  const result = await response.json();
  return result.predictions[0].candidates[0].content;
};
```

I also had to add some permissions to the service account, like this:
Answer 3
Score: 1
Update: now you can use Google MakerSuite to generate a simple API key (see step-by-step to generate API key for Vertex AI in MakerSuite), but it is currently in a closed beta. Then just call the Vertex AI API with &key=thatKey.
Without MakerSuite, because you are on a non-GCE server, you need to impersonate a service account.
You will need these configuration steps so the instructions in that link work:
- Install the Google Cloud SDK.
- Create a service account, if you haven't already done so, and give it the necessary permissions.
- Obtain a service account key file.
- Set up authentication using "gcloud auth activate-service-account --key-file=[PATH_TO_KEY_FILE]".
- Impersonate the service account by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the service account key file. This step is essential for API calls to be associated with the service account.
- Generate (short-lived) access tokens and regenerate as needed, since you now have the key file installed.