langchain-ai / langchain-google

MIT License

ChatVertexAI never resolves passed Google Credentials #293

Closed julienguarino closed 2 weeks ago

julienguarino commented 3 weeks ago

Description

It seems that when using ChatVertexAI and passing a proper GCP Service Account, the associated identity is never used.

Instead, the implicit Google identity is always used.

Steps to reproduce

from google.oauth2 import service_account
from langchain_core.messages import HumanMessage
from langchain_google_vertexai import ChatVertexAI

# Placeholder: the GCP project that hosts Vertex AI.
GEN_AI_GCP_PROJECT_ID = "YOUR_GCP_PROJECT_ID"

text_message = {
    "type": "text",
    "text": "Hi, what kind of skills do you have ?",
}

# Single text part; no image is needed to reproduce the issue.
message = HumanMessage(content=[text_message])

# Load service account credentials
saCredentials = service_account.Credentials.from_service_account_file(
    filename="./IAM_SA_CREDENTIALS.json"
)

# Pass the service account credentials explicitly to the chat model.
myChat = ChatVertexAI(
    model_name="gemini-1.5-flash-preview-0514",
    max_output_tokens=8192,
    project=GEN_AI_GCP_PROJECT_ID,
    location="europe-west1",
    credentials=saCredentials,
)

output = myChat.invoke([message])

print(output.content)

Comments

The example above will always use my implicit identity; the GCP audit logs will show that:

audit_log, method: "google.cloud.aiplatform.v1beta1.PredictionService.GenerateContent", principal_email: "MY_PERSONNAL_ID@company.com"

The example above, if deployed in Cloud Run for example, will always use the underlying Cloud Run Service Account identity.

I'm not sure, but I guess this is related to #290?
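
One way to check the symptom described above from the audit-log side, as an added example that is not part of the original issue or the project's code: it scans exported Cloud Audit Log entries for GenerateContent calls whose principal is not the expected service account. The sample entries, the service account address and the function names are constructed for illustration.

```python
import json

# Method name as it appears in the audit log line quoted in the issue.
GENERATE_CONTENT = "google.cloud.aiplatform.v1beta1.PredictionService.GenerateContent"


def unexpected_principals(log_lines, expected_principal, method=GENERATE_CONTENT):
    """Return (timestamp, principal) for every `method` call not made as
    `expected_principal`. Each line is one JSON-encoded audit LogEntry."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON log entry (blank line, export header, ...)
        if not isinstance(entry, dict):
            continue
        payload = entry.get("protoPayload") or {}
        if payload.get("methodName") != method:
            continue
        principal = (payload.get("authenticationInfo") or {}).get("principalEmail")
        # An entry without a principal is reported too: it cannot be confirmed.
        if principal is None or principal.lower() != expected_principal.lower():
            findings.append((entry.get("timestamp"), principal))
    return findings


def _entry(timestamp, method, principal):
    """Build one constructed log line with only the fields the check reads."""
    return json.dumps({
        "timestamp": timestamp,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
        },
    })


# Constructed sample data; the service account address is a placeholder
# (in practice it is the client_email field of the key file).
EXPECTED_SA = "genai-sa@example-project.iam.gserviceaccount.com"
SAMPLE_LOG = [
    _entry("2024-06-01T10:00:00Z", GENERATE_CONTENT, EXPECTED_SA),
    _entry("2024-06-01T10:01:00Z", GENERATE_CONTENT, "dev.user@example.com"),
    _entry("2024-06-01T10:02:00Z", "example.Service.OtherMethod", "dev.user@example.com"),
    "not a json line",
]

if __name__ == "__main__":
    for timestamp, principal in unexpected_principals(SAMPLE_LOG, EXPECTED_SA):
        print(f"{timestamp}: GenerateContent called as {principal}, expected {EXPECTED_SA}")
```
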

lkuligin commented 2 weeks ago

It's fixed on main already. Could you install from main and try again, please?

julienguarino commented 2 weeks ago

Hi, great, it does work perfectly now.

Thanks a lot.