GCP Authentication With Custom Credentials
- Author: Jason R. Stevens, CFA (@thinkjrs)
Authenticating with Google Cloud can be straightforward when using a notebook or a Virtual Machine. However, for those developing production software for the web, authentication poses more challenges. For reasons beyond the scope of this discussion, loading a file from disk in production web environments is typically not viable and can be very unsafe.
The White House recently issued a report urging the world to stop using "dangerous" languages because pointers can overflow. I'd hate to see how scared they'd be if they understood container layers and credentials stored on disk...
GCP auth in Python
Let's say we want to use the Vertex AI APIs to call Google's new Gemini Pro endpoint. Let's assume you downloaded a service account file from your cloud platform project in GCP. And let's assume you store the contents of that file in an environment variable, GCP_APPLICATION_DEFAULT_CREDENTIALS.
The docs
Install dependencies
pip install --upgrade google-auth google-cloud-aiplatform
Import the stuff
import json
import os
from google.oauth2 import service_account
import vertexai
from vertexai.generative_models import GenerativeModel
Create your credentials object
service_account_info_json = json.loads(
    os.getenv('GCP_APPLICATION_DEFAULT_CREDENTIALS')
)
credentials = service_account.Credentials.from_service_account_info(
    service_account_info_json
)
As mentioned previously, the GCP_APPLICATION_DEFAULT_CREDENTIALS variable holds the string value of the service account.
This is different from standard APPLICATION_DEFAULT_CREDENTIALS usage, which holds a string path to your service account file.
In the code above, we use the os module to load the environment variable and pass its contents to the json.loads method. This converts the JSON string into a dictionary containing our service account values.
We then pass those to the from_service_account_info method of the Credentials class from the google.oauth2.service_account module.
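A stricter way to load the same variable, added here as an example (not code from the original post): it raises an error that never echoes the secret, checks the key fields this example insists on, and removes the variable from the environment once parsed. `CredentialConfigError`, `load_service_account_info`, `describe`, the `REQUIRED` field list and the sample values are hypothetical and constructed for this illustration.

```python
import json
import os

ENV_VAR = "GCP_APPLICATION_DEFAULT_CREDENTIALS"  # variable name used on this page
# Fields this example insists on (an assumption about a standard key file).
REQUIRED = ("type", "private_key", "client_email", "token_uri")


class CredentialConfigError(RuntimeError):
    """Raised with a message that never contains credential material."""


def load_service_account_info(env=os.environ, var=ENV_VAR, scrub=True):
    """Return the parsed service account dict, or fail with a secret-free error."""
    raw = env.get(var)
    if not raw:
        raise CredentialConfigError(f"{var} is unset or empty")
    try:
        info = json.loads(raw)
    except json.JSONDecodeError:
        # 'from None' keeps the JSONDecodeError (its .doc holds the raw value) out of tracebacks.
        raise CredentialConfigError(f"{var} is not valid JSON") from None
    if not isinstance(info, dict):
        raise CredentialConfigError(f"{var} must contain a JSON object")
    missing = [k for k in REQUIRED if not info.get(k)]
    if missing:
        raise CredentialConfigError(f"{var} is missing fields: {', '.join(missing)}")
    if info["type"] != "service_account":
        raise CredentialConfigError(f"{var} is not a service account key")
    if scrub:
        # Subprocesses started after this point do not inherit the key.
        env.pop(var, None)
    return info


def describe(info):
    """Identity fields that are safe to log; the private key is never included."""
    return {k: info.get(k) for k in ("client_email", "project_id", "private_key_id")}


# Constructed sample: the private_key is a placeholder, not a usable key.
SAMPLE_ENV = {ENV_VAR: json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000", "private_key": "PLACEHOLDER-NOT-A-KEY",
    "client_email": "svc@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token"})}

if __name__ == "__main__":
    print(describe(load_service_account_info(dict(SAMPLE_ENV))))
```

The returned dictionary is passed to `service_account.Credentials.from_service_account_info` exactly as in the code above.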
Call the Vertex AI endpoint
Next, all we have to do is initialize the vertexai module by calling its init method.
# your project name is not 'blah'
vertexai.init(project='blah', location='us-central1', credentials=credentials)
And then we are rocking to call the model at will. Here's an example with the prompt "Tell me a joke about a guy named Johnny Rocket":
# Load the model
multimodal_model = GenerativeModel("gemini-pro")
# Query the model
response = multimodal_model.generate_content(
    [
        "Tell me a joke about a guy named Johnny Rocket",
    ]
)
print(response)
# the text response from the model is in the attribute `text`, i.e. `response.text`
All the code
And so you have it, here's the complete code.
import json
import os
from google.oauth2 import service_account
import vertexai
from vertexai.generative_models import GenerativeModel
service_account_info_json = json.loads(os.getenv('GCP_APPLICATION_DEFAULT_CREDENTIALS'))
credentials = service_account.Credentials.from_service_account_info(service_account_info_json)
vertexai.init(project='blah', location='us-central1', credentials=credentials)
# Load the model
multimodal_model = GenerativeModel("gemini-pro")
# Query the model
response = multimodal_model.generate_content(
    [
        "Tell me a joke about a guy named Johnny Rocket",
    ]
)
print(response)
As an aside, if you use containers, don't forget to remove this variable in test builds so that you don't have that service account lying around!
In summary
I hope this helped someone out there authenticate safely using Google Cloud service accounts. We use this strategy for all our GCP interactions off-platform and it's very reliable and safer than leaving a file hanging out in the open.