statmike / vertex-ai-mlops

Google Cloud Platform Vertex AI end-to-end workflows for machine learning operations
Apache License 2.0
508 stars 234 forks

MLB notebook fails on permission issue until compute engine default service account granted Vertex AI User permission on project #47

Closed markbpryan closed 1 year ago

markbpryan commented 1 year ago

When you run the MLB notebook (https://github.com/statmike/vertex-ai-mlops/blob/main/Applied%20GenAI/Vertex%20AI%20GenAI%20For%20Document%20Q%26A%20-%20MLB%20Rules%20For%20Baseball.ipynb) in Vertex Workbench, the get_embeddings statement generates a PermissionDenied error.

Here's the statement that generates the error:

embedding_model.get_embeddings([question])[0].values[0:5]

Here's the PermissionDenied error you get when you run that cell:

PermissionDenied: 403 Permission 'aiplatform.endpoints.predict' denied on resource '//aiplatform.googleapis.com/projects/genai-test-project-may28/locations/us-central1/publishers/google/models/textembedding-gecko@001' (or it may not exist). [reason: "IAM_PERMISSION_DENIED"
domain: "aiplatform.googleapis.com"
metadata {
  key: "permission"
  value: "aiplatform.endpoints.predict"
}
metadata {
  key: "resource"
  value: "projects/genai-test-project-may28/locations/us-central1/publishers/google/models/textembedding-gecko@001"
}
]

You can get around this by granting the compute engine default service account (e.g. for a project with project number 388500005335, the compute engine default service account is 388500005335-compute@developer.gserviceaccount.com) the Vertex AI User role.

https://screenshot.googleplex.com/7qVMQNFxxHbs6ah

After granting the compute engine default service account this role in the console, the get_embeddings statement runs without error:

https://screenshot.googleplex.com/5F4h7oSHDk6u9EY

Suggest adding a note to the intro to this notebook to indicate that the user has to grant the Vertex AI User role to the compute engine default service account for their project. Adding code to do this automatically would be ideal, but I was only able to get as far as getting the compute engine default service account, not the command to grant this service account the Vertex AI User role programmatically.

# IPython notebook cell: the leading "!" runs gcloud as a shell command and
# captures its stdout lines as a Python list.
PROJECT_NUMBER_LIST = !gcloud projects list \
--filter="$(gcloud config get-value project)" \
--format="value(PROJECT_NUMBER)"
# First (and only) line of output is the project number of the active project.
PROJECT_NUMBER = PROJECT_NUMBER_LIST[0]
# The Compute Engine default service account is derived from the project number.
compute_engine_default_service_account = PROJECT_NUMBER+'-compute@developer.gserviceaccount.com'
print(compute_engine_default_service_account)
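The grant step the comment above stops short of, as an added shell example that is not code from the notebook or the repository. It derives the Compute Engine default service account from the project number, checks whether the account already holds `roles/aiplatform.user` (the Vertex AI User role), and only then adds the binding. It assumes `gcloud` is installed and authenticated as a principal allowed to modify the project's IAM policy, and takes the project id as its first argument; the `compute_default_sa` and `grant_binding_cmd` helper names are my own.

```sh
#!/bin/sh
# Added example (not from the notebook): grant the Compute Engine default
# service account the Vertex AI User role, idempotently, from the shell.
set -eu

# Project number -> Compute Engine default service account email.
compute_default_sa() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Build the grant command as a string so it can be logged before it runs.
# Arguments: project id, service account email, role.
grant_binding_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
    "$1" "$2" "$3"
}

# Look up the project number, derive the default SA, and add the binding only
# if the SA does not already hold the role (avoids stacking duplicate grants).
ensure_vertex_user_role() {
  project_id=$1
  role=roles/aiplatform.user

  project_number=$(gcloud projects describe "$project_id" --format='value(projectNumber)')
  sa=$(compute_default_sa "$project_number")

  # Flatten the policy to one member per row and filter for this role + member.
  existing=$(gcloud projects get-iam-policy "$project_id" \
    --flatten='bindings[].members' \
    --filter="bindings.role=$role AND bindings.members=serviceAccount:$sa" \
    --format='value(bindings.members)')

  if [ -n "$existing" ]; then
    echo "$sa already has $role on $project_id; nothing to do"
    return 0
  fi

  echo "Running: $(grant_binding_cmd "$project_id" "$sa" "$role")"
  gcloud projects add-iam-policy-binding "$project_id" \
    --member="serviceAccount:$sa" \
    --role="$role"
}

# Only touch IAM when a project id is supplied, e.g.:
#   sh grant_vertex_user.sh my-project-id
if [ -n "${1:-}" ]; then
  ensure_vertex_user_role "$1"
fi
```

The role requested in this issue is `roles/aiplatform.user`; the error message itself names only the `aiplatform.endpoints.predict` permission, so a custom role carrying just that permission would be the narrower choice if the notebook's other calls are accounted for too.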
statmike commented 1 year ago

Hi @markbpryan, you are correct: the user or service account running the notebook will need permissions for each of the services used. In the case of embeddings and LLMs, the Vertex AI User role does include the needed permissions.

I updated the readme and each of the notebooks to have a prerequisites section with some additional clarity around the needs for role/permissions related to the services used in the notebook. I will add it to my todo list to give prescriptive minimal permissions needed for each later on.

Did the remainder of the notebook work ok for you?

Note: I just pushed a fairly big update to this and other notebooks, which I now refer to as v1 notebooks in the readme. I also introduced v2 versions of the notebooks that have some enhancements like multiple documents and output images of all pages used as source for the asked question.

Thank You, @statmike

statmike commented 1 year ago

Closing for now, based on my answer above. Happy to reopen based on your ongoing experience with the notebook.