This page is for application developers within application operator groups responsible for setting up their application and development environments to enable AI features. For more information, see Audiences for GDC air-gapped documentation.
Before you begin
- You must have your project set up for Vertex AI. For more information, see Set up a project for Vertex AI.
- Make sure to update your local trust store before you set up authentication in your development environment.
Authenticating to Vertex AI services
Interactions with Vertex AI services are done through authentication tokens. Tokens are digital objects that verify your identity and authorization after you provide valid credentials. The token carries specific information about your account and the permissions it has to access and operate with services and resources.
There are two ways you can set up authentication:
Authenticate with your user account
The following steps guide you through getting an authentication token for your user account:
Note the endpoint of the API you want to use.
Gain access to the Vertex AI service or Generative AI model you want to use by granting your user account the corresponding role listed in Prepare IAM permissions.
Sign in to Distributed Cloud with the user account you have to interact with the API:
gdcloud auth login
Get the authentication token:
gdcloud auth print-identity-token --audiences=https://ENDPOINT
Replace ENDPOINT with the API endpoint that you use for your organization. For more information, view service status and endpoints.
Depending on the intended use of the authentication token, you might need to include the port after the service endpoint in the audiences path as follows:
- If you use a client library for your request, you must include port :443 after the service endpoint in the audiences path. Therefore, the --audiences path in the command must be https://ENDPOINT:443.
- If you use gRPC, curl, or programmatic REST calls for your request, don't include the port. Therefore, the --audiences path in the command must be https://ENDPOINT.
The output displays the authentication token. Add the token to the header of the command-line requests you make, as in the following example:
-H "Authorization: Bearer TOKEN"
Replace TOKEN with the value for the authentication token that the output displays.
Authenticate with your service account
The following steps guide you through getting an authentication token for your service account:
Note the endpoint of the API you want to use.
Set up the service account you want to use to access the Vertex AI service or Generative AI model.
Grant the service account the corresponding role listed in Prepare IAM permissions to let it gain access to the service or model you want to use.
Set the following environment variable:
export GOOGLE_APPLICATION_CREDENTIALS=PATH_TO_SERVICE_KEY
Replace PATH_TO_SERVICE_KEY with the path to the JSON file that contains the key pairs of your service account.
Install the google-auth client library:
pip install google-auth
Add the following code to a Python script:
```python
import os

import google.auth
from google.auth.transport import requests
import requests as reqs

os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "PATH_TO_SERVICE_KEY"
os.environ["GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"] = "CERT_NAME"

# If you use a client library for your request,
# you must include port :443 after the service endpoint
# in the audience path.
audience = "https://ENDPOINT"

creds, project_id = google.auth.default()
print(project_id)
creds = creds.with_gdch_audience(audience)


def test_get_token():
    sesh = reqs.Session()
    req = requests.Request(session=sesh)
    creds.refresh(req)
    print(creds.token)


if __name__ == "__main__":
    test_get_token()
```
Replace the following:
- PATH_TO_SERVICE_KEY: the path to the JSON file that contains the key pairs of your service account.
- CERT_NAME: the name of the Certificate Authority (CA) certificate file, such as org-1-trust-bundle-ca.cert. You only need this value if you are in a development environment. Otherwise, omit it.
- ENDPOINT: the API endpoint that you use for your organization. For more information, view service status and endpoints. Depending on the intended use of the authentication token, you might need to include the port after the service endpoint in the audience path as follows:
  - If you use a client library for your request, you must include port :443 after the service endpoint in the audience path. Therefore, the audience path in the script must be "https://ENDPOINT:443".
  - If you use gRPC, curl, or programmatic REST calls for your request, don't include the port. Therefore, the audience path in the script must be "https://ENDPOINT".
Save the Python script.
Run the Python script to fetch the token:
python SCRIPT_NAME
Replace SCRIPT_NAME with the name you gave to your Python script, such as token.py.
The output displays the authentication token. Add the token to the header of the command-line requests you make, as in the following example:
-H "Authorization: Bearer TOKEN"
Replace TOKEN with the value for the authentication token that the output displays.
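The audience and port rule from both procedures above can be checked locally before a token is sent. This is an added example, not part of the original page or of Google's code. It assumes the token is a JWT that carries aud and exp claims; the endpoint vertex.example.internal and the sample token are constructed. The claims are decoded without verifying the signature, so the check only catches a token minted for the wrong audience or already expired.

```python
import base64
import json
import time

def expected_audience(endpoint, uses_client_library):
    """Page's rule: client libraries need :443; gRPC, curl and REST calls do not."""
    host = (endpoint[8:] if endpoint.startswith("https://") else endpoint).rstrip("/")
    if not host or ":" in host or "/" in host:
        raise ValueError("pass the bare service endpoint, without port or path")
    return f"https://{host}:443" if uses_client_library else f"https://{host}"

def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature; None if not a JWT."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def check_token(token, endpoint, uses_client_library, now=None):
    """Return a list of problems; an empty list means the token fits the request."""
    claims = decode_claims(token)  # assumption: the token is a JWT with aud/exp
    if claims is None:
        return ["token is not a decodable JWT; audience cannot be inspected"]
    want = expected_audience(endpoint, uses_client_library)
    aud = claims.get("aud")
    problems = []
    if want not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience mismatch: token has {aud!r}, request needs {want!r}")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or carries no exp claim")
    return problems

def constructed_token(aud, exp):
    """Unsigned sample token built for this demo; not a real GDC token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "exp": exp}), "sig"])

if __name__ == "__main__":
    tok = constructed_token("https://vertex.example.internal", 2_000_000_000)
    for problem in check_token(tok, "vertex.example.internal", True, now=1_700_000_000):
        print(problem)
```

To check a real token, pass it to check_token from an environment variable or a file with restricted permissions rather than pasting it on the command line, where it would land in shell history.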