VertexAI: Add service account key authentication support #532
multiplegeorges wants to merge 6 commits into
…ation logic - Added `vertexai_service_account_key` to the configuration requirements for Vertex AI. - Updated the authorization method to use service account credentials if the key is provided, otherwise defaults to application default credentials.
|
Looks like #520 is making related changes to the Vertex provider, so probably a good idea to review both in tandem/together. |
|
+1, could use this! |
|
+1 |
|
In the meantime, something like this can be done:

```ruby
# Assumption: this runs inside a `RubyLLM.configure do |config| ... end` block,
# which is where `config` comes from.
credentials = Rails.application.credentials.dig(:google_cloud, :credentials)
if credentials.present?
  # Write credentials to temp file for Google Cloud SDK authentication
  require "tempfile"
  require "json"
  credentials_file = Tempfile.new([ "vertex_ai_credentials", ".json" ])
  credentials_file.write(credentials.to_json)
  credentials_file.close
  # Set environment variable for Google Cloud SDK
  ENV["GOOGLE_APPLICATION_CREDENTIALS"] = credentials_file.path
  # Clean up temp file on exit
  at_exit { credentials_file.unlink }
  # Configure Vertex AI
  config.vertexai_project_id = Rails.application.credentials.dig(:google_cloud, :project_id)
  config.vertexai_location = Rails.application.credentials.dig(:google_cloud, :location)
end
```
We initially named this configuration `_hash`, but it was later updated to `_key`.
…ion-key Change service account hash to key for authorizer
|
@crmne would love to get this merged in, as we currently have to maintain a fork to auth this way. |
|
We're using the same type of workaround and would love to see this merged in to avoid forking / monkey patching / tempfile wrangling. |
| config.vertexai_project_id = ENV.fetch('GOOGLE_CLOUD_PROJECT', 'test-project') | ||
| config.vertexai_location = ENV.fetch('GOOGLE_CLOUD_LOCATION', 'us-central1') | ||
| config.vertexai_service_account_key = ENV.fetch('VERTEXAI_SERVICE_ACCOUNT_KEY', "{ secret_key: 'test' }") |
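Review bot: The fallback default on the `vertexai_service_account_key` line, `"{ secret_key: 'test' }"`, is not valid JSON and is always truthy, so any spec run without `VERTEXAI_SERVICE_ACCOUNT_KEY` set would take the service-account branch of the authorizer with a key that cannot be parsed, and the ADC path would never be exercised. Suggest `ENV.fetch('VERTEXAI_SERVICE_ACCOUNT_KEY', nil)` so the setting stays unset unless a real key is supplied.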
You're redefining 2 properties and moving the whole block of vertex ai configs up breaking the sorting.
| @authorizer = ::Google::Auth.get_application_default( | ||
| scope: [ | ||
| 'https://www.googleapis.com/auth/cloud-platform', | ||
| 'https://www.googleapis.com/auth/generative-language.retriever' | ||
| ] | ||
| ) | ||
| @authorizer = if @config.vertexai_service_account_key | ||
| ::Google::Auth::ServiceAccountCredentials.make_creds( | ||
| json_key_io: StringIO.new(@config.vertexai_service_account_key), | ||
| scope: SCOPES | ||
| ) | ||
| else | ||
| ::Google::Auth.get_application_default(scope: SCOPES) | ||
| end |
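Review bot: The `if @config.vertexai_service_account_key` test treats an empty string as a configured key, because `""` is truthy in Ruby; with the documented `ENV['VERTEXAI_SERVICE_ACCOUNT_KEY']` assignment, a variable that is set but blank would be passed to `make_creds` instead of falling back to `get_application_default`. Suggest checking for nil or empty before choosing the service-account branch, and keeping the key string out of any error or log output on failure, since it holds the account's private key.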
| class << self | ||
| def configuration_requirements | ||
| %i[vertexai_project_id vertexai_location] | ||
| %i[vertexai_project_id vertexai_location vertexai_service_account_key] |
This breaks ADC only configs by making the service account key a hard requirement and contradicts the intended fallback behaviour of ADC or service account.
| config.gemini_api_key = ENV['GEMINI_API_KEY'] | ||
| config.vertexai_project_id = ENV['GOOGLE_CLOUD_PROJECT'] # Available in v1.7.0+ | ||
| config.vertexai_location = ENV['GOOGLE_CLOUD_LOCATION'] | ||
| config.vertexai_service_account_key = ENV['VERTEXAI_SERVICE_ACCOUNT_KEY'] # JSON Key as String from GCP |
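Review bot: The trailing comment on the `vertexai_service_account_key` line should state that the value is the full contents of the JSON key file and not a path to it, since the authorizer wraps the string in `StringIO.new` and hands it to `make_creds` directly. A reader used to `GOOGLE_APPLICATION_CREDENTIALS`, which takes a path, could otherwise set the wrong thing.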
This should be framed as optional when ADC is in place.
| Google Cloud disallows the creation of Vertex AI API keys for Service Accounts, by default. The recommended way to connect is by using a Service Account's JSON key with appropriate IAM roles or by using Application Default Credentials. | ||
|
|
||
| RubyLLM supports both methods of authenticating to Vertex AI and will only use a Service Account key if the key is provided in the `config.vertexai_service_account_key` configuration field. Otherwise, it will fallback to ADC. | ||
|
|
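Review bot: In the last sentence of the second paragraph, "it will fallback to ADC" uses the noun form where the verb is needed; it should read "fall back to ADC".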
This frames ADC as a second class choice. Please rephrase to portray both options as equally valid and supported.
|
Thanks for the contribution. I opened a replacement PR from our repo branch with the requested fixes because this PR’s source branch currently has maintainer edits disabled. Could you please enable “Allow edits by maintainers” on future cross-repo PRs? That lets us apply review fixes directly and reduces round-trips. |
## Summary

This replaces #532 with the same feature intent (Vertex AI service account support) while keeping ADC as the default path and avoiding regressions.

### What changed

- Keep `vertexai_service_account_key` optional (do **not** require it in provider configuration requirements).
- Preserve ADC flow when no service account key is set.
- Restore `Google::Auth.get_application_default` call to pass scopes positionally (compat with current `googleauth` behavior).
- Clean up Vertex settings in `spec/support/rubyllm_configuration.rb`:
  - remove duplicate `vertexai_project_id` / `vertexai_location` assignments
  - avoid forcing an invalid default service-account key in test config
- Update docs wording to clearly state:
  - ADC and service-account key are both supported
  - service-account key is optional
  - ADC is used when service-account key is unset
  - fix typo in configuration reference

## Why replacement

PR #532 is from a fork with maintainer edits disabled, so we cannot push fixes directly to that branch.

## Related

- Supersedes: #532
- Includes compatibility intent from: #520

---------

Co-authored-by: Georges Gabereau <georges.gabereau@gmail.com>
Co-authored-by: Simmon Li <hello@crespire.dev>
|
Thanks for addressing the issue either way, appreciate it! |
|
Thanks for the review and merging it @crmne. Really appreciate it and I'll remember to update "Allow edits by maintainers" next time! |
What this does
This pull request adds support for authenticating to Google Vertex AI using a Service Account JSON key in addition to the existing Application Default Credentials (ADC) method. It updates both the documentation and the implementation to allow users to provide a Service Account key for Vertex AI authentication, improving flexibility and compatibility with Google Cloud best practices.
Vertex AI Authentication Enhancements:
- `vertexai_service_account_key` to the `RubyLLM` configuration, allowing users to specify a Service Account JSON key as a string for Vertex AI authentication.

Documentation Updates:
- `vertexai_service_account_key` option, how authentication works, and Google Cloud’s recommendations regarding API keys and Service Accounts.

Test/Spec Configuration:
- `vertexai_service_account_key`, ensuring test environments can utilize the new authentication method.

Type of change
Scope check
Quality check
- `overcommit --install` and all hooks pass
- `bundle exec rake vcr:record[provider_name]`
- `bundle exec rspec`
- `models.json`, `aliases.json`)

API changes
Related issues
None.
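
The rule this thread converges on (use the service account key only when one is actually configured, otherwise ADC) can be checked before any credentials object is built. The following is an added example, not RubyLLM's code or the PR's: `vertex_credential_source`, `InvalidServiceAccountKey`, `REQUIRED_KEY_FIELDS` and the sample key are hypothetical names and constructed values, and only Ruby's `json` standard library is used.

```ruby
require "json"

# Hypothetical names throughout; this is not RubyLLM's implementation.
class InvalidServiceAccountKey < ArgumentError; end

# Fields checked for presence only; their values are not validated here.
REQUIRED_KEY_FIELDS = %w[project_id private_key client_email].freeze

# Decides which credential path to take for Vertex AI.
# Returns [:adc, nil] when no key is configured, or
# [:service_account, parsed_key] when the key passes basic shape checks.
def vertex_credential_source(raw_key)
  # nil, "" and whitespace-only all mean "not configured", so use ADC.
  return [:adc, nil] if raw_key.nil? || raw_key.strip.empty?

  begin
    key = JSON.parse(raw_key)
  rescue JSON::ParserError
    # Never echo the input in the message: it may hold private key material.
    raise InvalidServiceAccountKey, "service account key is not valid JSON"
  end

  unless key.is_a?(Hash) && key["type"] == "service_account"
    raise InvalidServiceAccountKey, "key is not a service_account JSON object"
  end

  missing = REQUIRED_KEY_FIELDS.reject { |f| key[f].is_a?(String) && !key[f].empty? }
  unless missing.empty?
    raise InvalidServiceAccountKey, "key is missing fields: #{missing.join(', ')}"
  end

  [:service_account, key]
end

# Constructed sample key (not a real credential).
SAMPLE_KEY = JSON.generate(
  "type" => "service_account",
  "project_id" => "example-project",
  "private_key" => "CONSTRUCTED-NOT-A-REAL-KEY",
  "client_email" => "svc@example-project.iam.gserviceaccount.com"
)

p vertex_credential_source("").first          # blank env value
p vertex_credential_source(SAMPLE_KEY).first  # well-formed key
```

The first element of the result is what would select between the `make_creds` branch and the `get_application_default` branch shown in the diff.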