How to get authorization token for Google's Vertex AI service?

Question

I am trying to call Google's Vertex AI API via REST to something like:

https://us-central1-aiplatform.googleapis.com/v1/projects/...

I am having trouble with figuring out where to get the "access token":

-X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \

I was able to generate a short-term OAuth one from Google CLI, but I want to generate a long-term one. I have tried the following, all of which return a 401 error:

  • API Key

  • Service Account

I just need this for testing purposes. Is there a way for me to do this easily?

Using Google CLI, but it was a short-term solution. The token expired after 30 minutes.

Answer 1

Score: 1

You can only do this via the REST API (see documentation), with the following requirement:

> By default, the maximum token lifetime is 1 hour (3,600 seconds). To extend the maximum lifetime for these tokens to 12 hours (43,200 seconds), add the service account to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.

To use the REST API, you execute a POST method to

https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateAccessToken

with a body

{
  "scope": [
    "https://www.googleapis.com/auth/cloud-platform"
  ],
  "lifetime": "LIFETIME"
}

where

LIFETIME: The amount of time until the access token expires, in seconds. For example, 300s

PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.

Your current method is via gcloud CLI. According to documentation,

> The Google Cloud CLI does not support setting a lifetime for the token

This means you're limited to the default time limit, which is designed to be short (the access token is referred to as short-lived credentials).
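The request described in this answer, as an added JavaScript example (not code from the answer or from Google): it builds the generateAccessToken call and rejects lifetimes above the two limits quoted above before anything is sent. The service account e-mail and caller token are placeholders, and it assumes the caller's own identity holds the Service Account Token Creator role on that service account.

```javascript
// Added example. Limits are the ones quoted in the answer above.
const DEFAULT_MAX_S = 3600;   // default cap: 1 hour
const EXTENDED_MAX_S = 43200; // cap when the org policy lists the service account under
                              // constraints/iam.allowServiceAccountCredentialLifetimeExtension
const SA_EMAIL = /^[a-z0-9.-]+@[a-z0-9.-]+$/i; // also keeps "/" and "?" out of the URL path

// Build the request for PRIV_SA:generateAccessToken without sending it.
function buildTokenRequest(saEmail, lifetimeSeconds, { extensionAllowed = false } = {}) {
  if (typeof saEmail !== "string" || !SA_EMAIL.test(saEmail)) {
    throw new Error("service account must be given as an e-mail address");
  }
  const max = extensionAllowed ? EXTENDED_MAX_S : DEFAULT_MAX_S;
  if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds < 1 || lifetimeSeconds > max) {
    throw new Error(`lifetime must be between 1 and ${max} seconds`);
  }
  return {
    url: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" +
         `${saEmail}:generateAccessToken`,
    body: {
      scope: ["https://www.googleapis.com/auth/cloud-platform"],
      lifetime: `${lifetimeSeconds}s`, // the API expects a duration string such as "300s"
    },
  };
}

// Send the request. callerToken is the caller's own short-lived access token
// (for example the output of `gcloud auth print-access-token`).
async function generateAccessToken(callerToken, saEmail, lifetimeSeconds, opts) {
  const { url, body } = buildTokenRequest(saEmail, lifetimeSeconds, opts);
  const res = await fetch(url, {
    method: "POST",
    headers: { Authorization: `Bearer ${callerToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`generateAccessToken failed: HTTP ${res.status}`);
  const { accessToken, expireTime } = await res.json();
  // Keep the expiry next to the token so callers can refresh before it lapses.
  return { accessToken, expiresAtMs: Date.parse(expireTime) };
}
```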

Answer 2

Score: 1

I finally was able to call PaLM (bison) using NodeJS and a normal service account. See code:

import { JWT } from "google-auth-library";

const API_ENDPOINT = "us-central1-aiplatform.googleapis.com";
const URL = `https://${API_ENDPOINT}/v1/projects/${process.env.GOOGLE_KEY}/locations/us-central1/publishers/google/models/chat-bison@001:predict`;

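// Despite the name, this returns an OAuth 2.0 access token (not an ID token),
// minted from the service account key file.
const getIdToken = async () => {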
    const client = new JWT({
        keyFile: "./google.json",
        scopes: ["https://www.googleapis.com/auth/cloud-platform"],
    });
    const idToken = await client.authorize();
    return idToken.access_token;
};

export const getTextPalm = async (prompt, temperature) => {
    const headers = {
        Authorization: `Bearer ` + (await getIdToken()),
        "Content-Type": "application/json",
    };

    const data = {
        instances: [
            {
                context: "",
                examples: [],
                messages: [
                    {
                        author: "user",
                        content: prompt,
                    },
                ],
            },
        ],
        parameters: {
            temperature: temperature ?? 0.5, // ?? keeps an explicit 0; || would replace it with 0.5
            maxOutputTokens: 1024,
            topP: 0.8,
            topK: 40,
        },
    };

    const response = await fetch(URL, {
        method: "POST",
        headers,
        body: JSON.stringify(data),
    });

    if (!response.ok) {
        console.error(response.statusText);
        throw new Error("Request failed " + response.statusText);
    }

    const result = await response.json();
    return result.predictions[0].candidates[0].content;
};

I also had to add some permissions to the service account, like this:
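The getIdToken function above builds a new JWT client and calls authorize() on every request. The following added example (not part of the answer) caches the short-lived token in memory and refreshes it shortly before expiry, which also covers the expiry problem from the question without asking for a longer lifetime. mintToken, skewMs and now are hypothetical names introduced here; mintToken is assumed to return the access_token and expiry_date (epoch milliseconds) fields that client.authorize() resolves with.

```javascript
// Added example. mintToken and now are injected so the cache runs offline;
// with the answer's code, mintToken would be () => client.authorize().
function createTokenCache(mintToken, { skewMs = 60_000, now = Date.now } = {}) {
  let cached = null;   // { access_token, expiry_date }, held in memory only
  let inflight = null; // shared promise so concurrent callers trigger one mint

  return async function getAccessToken() {
    // Reuse the token until it is within skewMs of expiring.
    if (cached && cached.expiry_date - skewMs > now()) return cached.access_token;
    if (!inflight) {
      inflight = Promise.resolve()
        .then(mintToken)
        .then((creds) => {
          if (!creds || !creds.access_token || !Number.isFinite(creds.expiry_date)) {
            throw new Error("mintToken returned no usable credentials");
          }
          cached = creds;
          return creds.access_token;
        })
        .finally(() => { inflight = null; }); // a failed mint is retried on the next call
    }
    return inflight;
  };
}

// Constructed demo: a fake minter issuing 1-hour tokens against a fake clock.
async function demoTokenCache() {
  let clock = 0;
  let minted = 0;
  const mint = async () => ({
    access_token: `constructed-token-${++minted}`,
    expiry_date: clock + 3_600_000,
  });
  const getToken = createTokenCache(mint, { now: () => clock });
  const [a, b] = await Promise.all([getToken(), getToken()]); // concurrent: one mint
  clock = 3_000_000;  // 50 minutes in: cached token is still valid
  const c = await getToken();
  clock = 3_590_000;  // inside the 60 s skew window: a new token is minted
  const d = await getToken();
  return { a, b, c, d, minted };
}
```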

Answer 3

Score: 1

Update: now you can use Google MakerSuite to generate a simple API key (see step-by-step to generate API key for Vertex AI in MakerSuite), but it is currently in a closed beta. Then just call the Vertex AI API with &key=thatKey.

Without MakerSuite, because you are on a non-GCE server, you need to impersonate a service account.

You will need these configuration steps so the instructions in that link work:

  1. Install the Google Cloud SDK.
  2. Create a service account, if you haven't already done so, and give it the necessary permissions.
  3. Obtain a service account key file.
  4. Set up authentication using "gcloud auth activate-service-account --key-file=[PATH_TO_KEY_FILE]".
  5. Impersonate the service account by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the service account key file. This step is essential for API calls to be associated with the service account.
  6. Generate (short-lived) access tokens and regenerate as needed, since you now have the key file installed.

huangapple
  • Posted on May 11, 2023 at 11:01:05
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76223871.html