Permission denied error when calling vertex ai text embedding from google cloud funtion

Hi,

I am trying to call vertex ai text embedding from a google cloud function like below.

aiplatform.init(project=project,location=location)
model = TextEmbeddingModel.from_pretrained(“textembedding-gecko@001”)
embeddings = model.get_embeddings(sentences)

However I am getting a permission denied error.

google.api_core.exceptions.PermissionDenied: 403 Permission ‘aiplatform.endpoints.predict’ denied on resource ‘//aiplatform.googleapis.com/projects/algo-ai-dev-081c04/locations/us-central1/publishers/google/models/textembedding-gecko@001’ (or it may not exist). [reason: “IAM_PERMISSION_DENIED”

What IAM permission/ role should i add to my service account to solve this

Can you try adding these roles:

• Vertex AI Administrator (roles/aiplatform.admin)
• Vertex AI User (roles/aiplatform.user)

Reference:

https://cloud.google.com/vertex-ai/generative-ai/docs/access-control#predefined_roles

Did you ever get this issue resolved? We are facing the same and despite assigning all possible Vertex AI roles (admin, user, AI platform) to the service account, we keep getting it. Please post if you found a solution. Thank you.

Health Jeanie team

How safe and recommended is to assigning these roles esp Vertex AI admin to a service account? Shouldn’t Vertex AI Agent be enough for this access?

Something seems not right here, we are stuck with this error for 3 days now and we tried everything. Can you please suggest a solution?

Thank you.

Health Jeanie team

We are facing the same issue, can you suggest what we can do here? we already have the AI platform user assigend.

please advise how did you solve it we are facing the same issue.

I have done everything but still the issue persist. Has anyone solved it?

Running into the same issue of a Google Cloud Function accessing Vertex AI. Anyone successfully solve this?

Alright, I think I figured it out - granted I’m not 100% sure of root cause. The issue has to do with the service accounts. Cloud Functions use the default service account for compute unless you specify otherwise. For some reason the default Compute service account doesn’t have access to Vertex AI (granted you can get into Gemini if you have the API key). I got around the problem by creating a new custom service account and giving it VertexAI permissions - then attaching that new custom service account to my cloud functions.

To be honest I’m still not exactly sure why this works but it does, it could be a bug, like I gave a slew of IAM permissions to the default service account and no luck.

I suspect this doesn’t have visibility because (1) most dev shops have a well-laid out IAM set of rules that are already custom and (2) most use cloud functions with Vertex AI simply for Gemini and not the other features (eg embeddings). Still though, I’d expect to see this raised more often.

Thanks, It worked.