I’m encountering a persistent authentication error while trying to use the @Google -cloud/vertexai Node.js client library in an application deployed on Fly.io.
My application successfully loads Google Cloud service account credentials from a Fly.io secret (provided as JSON via the GOOGLE_CREDENTIALS_JSON environment variable). I am able to initialize the GoogleAuth client and the vertexai.VertexAI client seemingly without errors. The logs indicate successful initialization of both.
However, when I attempt to call the generativeModel.generateContent() method, I receive the following GoogleAuthError:
Text Generation Error: GoogleAuthError: [VertexAI.GoogleAuthError]: Unable to authenticate your request
Depending on your run time environment, you can get authentication by
- if in local instance or cloud shell: `!gcloud auth login`
- if in Colab: `from google.colab import auth`
- if in service account or other: please follow guidance in https://cloud.google.com/docs/authentication
[cause]: Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
This suggests that the library is attempting to use Application Default Credentials (ADC) and failing, despite me explicitly providing service account credentials.
My Setup:
- Platform: Fly.io
- Language: Node.js (v18.16.0)
- Library: @Google -cloud/vertexai (latest version as of April 25, 2025)
- Authentication Method: Service account credentials provided as a JSON string via a Fly.io secret (GOOGLE_CREDENTIALS_JSON).
- Initialization Code (relevant snippet):
const vertexai = require('@google-cloud/vertexai');
const { GoogleAuth } = require('google-auth-library');
let credentials = null;
if (process.env.GOOGLE_CREDENTIALS_JSON) {
try {
credentials = JSON.parse(process.env.GOOGLE_CREDENTIALS_JSON);
console.log('Google Cloud credentials loaded from GOOGLE_CREDENTIALS_JSON Fly.io secret.');
} catch (error) {
console.error('Error parsing GOOGLE_CREDENTIALS_JSON:', error);
process.exit(1);
}
}
let vertexAIClient = null;
let generativeModel = null;
async function initializeVertexAI() {
console.log('About to check for credentials...');
if (credentials) {
console.log('Credentials object is truthy.');
try {
const authClient = new GoogleAuth({
projectId: credentials.project_id,
credentials: credentials,
});
console.log('authClient initialized:', authClient);
vertexAIClient = new vertexai.VertexAI({
project: credentials.project_id,
location: 'us-central1',
auth: authClient, // Explicitly pass authClient
});
console.log('vertexAIClient initialized successfully:', vertexAIClient);
generativeModel = vertexAIClient.getGenerativeModel({
model: 'gemini-2.0-flash',
auth: authClient, // Explicitly pass authClient here as well
});
console.log('generativeModel initialized successfully:', generativeModel);
} catch (error) {
console.error("Error initializing Vertex AI client:", error);
console.error("Vertex AI Client Initialization Error Details:", error);
}
} else {
console.warn('Credentials object is NOT truthy.');
}
}
initializeVertexAI();
Troubleshooting Steps Already Taken:
- Verified that the GOOGLE_CREDENTIALS_JSON secret is correctly set and contains valid JSON.
- Confirmed that the GoogleAuth client is initialized successfully with the provided credentials.
- Ensured that the vertexai.VertexAI client is initialized, explicitly passing the authClient.
- Tried explicitly passing the authClient when getting the GenerativeModel instance.
- Attempted to set an empty GOOGLE_APPLICATION_CREDENTIALS environment variable to prevent ADC interference.
Despite these steps, the authentication error persists when calling generateContent().
I suspect there might be a specific interaction or configuration required for using service account credentials with the @Google -cloud/vertexai library within the Fly.io environment that I am missing.
Any insights or specific configurations needed for Fly.io would be greatly appreciated.
Thank you for your time and assistance.