Published on

GCP Authentication With Custom Credentials

Authors
A vscode window filled with nonsense Python-looking code.

Authenticating with Google Cloud can be straightforward when using a notebook or a Virtual Machine. However, for those developing production software for the web, authentication poses more challenges. For reasons beyond the scope of this discussion, loading a file from disk in production web environments is typically not viable and can be very unsafe.

The White House recently issued a report urging the world to stop using "dangerous" languages because pointers can overflow. I'd hate to see how scared they'd be if they understood container layers and credentials stored on disk...

GCP auth in Python

Let's say we want to use the Vertex AI apis to call Google's new Gemini Pro endpoint. Let's assume you downloaded a service account from your cloud platform project in GCP. And let's assume you store the contents of that file in an environment variable GCP_APPLICATION_DEFAULT_CREDENTIALS.

The docs

Install dependencies

pip install --upgrade google-auth google-cloud-aiplatform

Import the stuff

import json
import os
from google.oauth2 import service_account
import vertexai
from vertexai.generative_models import GenerativeModel

Create your credentials object

service_account_info_json = json.loads(
  os.getenv('GCP_APPLICATION_DEFAULT_CREDENTIALS')
)
credentials = service_account.Credentials.from_service_account_info(
  service_account_info_json
)

As mentioned previously the GCP_APPLICATION_DEFAULT_CREDENTIALS variable holds the string value of the service account.

This is different from standard APPLICATION_DEFAULT_CREDENTIALS usage which holds a string path to your service account file.

In the code above, we use the os module to load the environment variable and pass its contents to the json.loads method. This converts the JSON string into a dictionary containing our service account values.

We then pass those to the from_service_account_info method of the Credentials class from the google.oauth2 service_account module.

Call the Vertex AI endpoint

Next all we have to do is initialize the vertexai module by calling its init method.

# your project name is not 'blah'
vertexai.init(project='blah', location='us-central1', credentials=credentials)

And then we are rocking to call the model at will. Here's an example with the prompt

"Tell me a joke about a guy named Johnny Rocket",

# Load the model
multimodal_model = GenerativeModel("gemini-pro")
# Query the model
response = multimodal_model.generate_content(
    [
        "Tell me a joke about a guy named Johnny Rocket",
    ]
)
print(response)
# the text response from the model is in the parameter `text`, i.e. `response.text`

All the code

And so you have it, here's the complete code.

import json
import os
from google.oauth2 import service_account
import vertexai
from vertexai.generative_models import GenerativeModel

service_account_info_json = json.loads(os.getenv('GCP_APPLICATION_DEFAULT_CREDENTIALS'))
credentials = service_account.Credentials.from_service_account_info(service_account_info_json)

vertexai.init(project='blah', location='us-central1', credentials=credentials)
# Load the model
multimodal_model = GenerativeModel("gemini-pro")
# Query the model
response = multimodal_model.generate_content(
    [
        "Tell me a joke about a guy named Johnny Rocket",
    ]
)
print(response)

As an aside, if you use containers don't forget to remove this variable in test builds so that you don't have that service account laying around!

In summary

I hope this helped someone out there authenticate safely using Google Cloud service accounts. We use this strategy for all our GCP interactions off-platform and it's very reliable and safer than leaving a file hanging out in the open.

Subscribe to the newsletter

✨ Lastly, check out Tincre to add a marketing agency to your app, site, or platform. Or just run the easiest ads anywhere. ✨

Discuss on TwitterView on GitHub