How to get API keys to use with Vertex AI or PalM 2 API | C2C Community
Solved

How to get API keys to use with Vertex AI or PalM 2 API

  • 4 June 2023
  • 2 replies
  • 1576 views

Userlevel 2
Badge +2

Hey community! I am looking into replacing some of our OpenAI usage with Vertex / PalM 2 and am wondering how to get the necessary API and use them in production. We would be using these APIs in cloud functions.

 

gcloud auth print-access-token does not work in cloud functions.

I’ve used service account credentials to initialize clients for other APIs like translate, bigquery, etc., but this endpoint does not accept a service account credential.

Should I use the runtimes service account and get an access token that way? 

curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token

 

Here’s the sample request found in the Vertex AI playground 

API_ENDPOINT="us-central1-aiplatform.googleapis.com"
PROJECT_ID="home-service-62a33"
MODEL_ID="text-bison@001"

curl \
-X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://${API_ENDPOINT}/v1/projects/${PROJECT_ID}/locations/us-central1/publishers/google/models/${MODEL_ID}:predict" -d \
$'{
"instances": [
{
"content": ""
}
],
"parameters": {
"temperature": 0.2,
"maxOutputTokens": 256,
"topP": 0.8,
"topK": 40
}
}'

 

More broadly - how should we authenticate these API’s for use in a cloud function?

 

Thanks in advance!

icon

Best answer by pthiagar 8 June 2023, 19:14

View original

2 replies

Userlevel 1

Hi @ojpetar Generally, once the service account policy binding is setup for the function, the most reliable way to generate tokens would be to do so programmatically using the authentication libraries. 

But, if you have to do this manually, there are many ways to do this too.  For your e.g. you should be able to use Compute metadata server to get id token for a specific audience like this-

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=AUDIENCE" \

     -H "Metadata-Flavor: Google"

Where audience is the URL of the invoked function.  You can then pass the google signed id token in the Authorization Bearer header to the request.  

See docs for more info - authentication options for invocation.

Hope this helps!

Userlevel 2
Badge +2

Awesome! Thank you so so much :)

Reply