Hi, so I want to try to fine-tune a model using Vertex AI Studio (Language). I uploaded the training JSONL and set the correct service account with the Vertex AI Service Agent role, but received the error below:
APPLICATION_ERROR;google.iam.credentials.v1/CloudGaia.GenerateMint;IAM permission denied for service account xxxx@xxxxxxxx.iam.gserviceaccount.com. ;AppErrorCode=7;StartTimeMs=1709273464168;unknown;Deadline(sec)=5.0;ResFormat=uncompressed;ServerTimeSec=0.017659282;LogBytes=-1;FailFast;EffSecLevel=privacy_and_integrity;ReqFormat=uncompressed;ReqID=xxxxxxxxx;GlobalID=0;Server=[xxxxxxxxxxxxxxxxxxxxx1.
However, I can’t find where the CloudGaia.GenerateMint operation is coming from and what kind of role it needs. Has anyone faced a similar issue before and can offer some help?
Thanks
1 Like
"CloudGaia.GenerateMint;IAM permission denied for service account … " indicates that CloudGaia is failing to get credentials for service accounts.
If you are using a service account, you must have the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) IAM role on the service account you are impersonating.
Follow https://cloud.google.com/docs/authentication/set-up-adc-local-dev-environment.
1 Like
Verify the Service Account
Ensure that the service account you’ve set for your Vertex AI operation has the correct roles assigned. For fine-tuning language models in Vertex AI, the service account typically needs:
Vertex AI Service Agent Role (roles/aiplatform.serviceAgent): This role is critical for Vertex AI operations.
IAM Service Account Token Creator (roles/iam.serviceAccountTokenCreator): This role is necessary for generating and using tokens with the service account.
Cloud Storage Permissions: Ensure the service account has at least roles/storage.objectViewer and roles/storage.objectCreator if the training data or model artifacts are stored in Google Cloud Storage.
Use the following command to verify the roles assigned to the service account:
gcloud projects get-iam-policy PROJECT_ID --flatten="bindings.members" \
  --format="table(bindings.role)" --filter="bindings.members:SERVICE_ACCOUNT"
4 Likes
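An added example (not from any post in this thread): a check of the roles named above against IAM policy JSON, as printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`. It also reports where Service Account Token Creator is granted, because a project-level grant covers every service account in the project. The function names, member names and sample policies are constructed for illustration.

```python
import json

# Roles named in this thread; which ones you need depends on your setup.
SA_ROLES = {"roles/aiplatform.serviceAgent",
            "roles/storage.objectViewer",
            "roles/storage.objectCreator"}
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

def roles_for(policy, member):
    """Return {role: is_unconditional} for direct bindings only (no group expansion)."""
    found = {}
    for b in policy.get("bindings", []):
        if member in b.get("members", []):
            found[b["role"]] = found.get(b["role"], False) or "condition" not in b
    return found

def audit(project_policy, sa_policy, sa_member, caller):
    """sa_member: the tuning service account; caller: the principal impersonating it."""
    held = roles_for(project_policy, sa_member)
    report = {
        "missing": sorted(SA_ROLES - set(held)),
        # Granted only under an IAM condition, so it may not apply to this request.
        "conditional_only": sorted(r for r in SA_ROLES & set(held) if not held[r]),
    }
    if TOKEN_CREATOR in roles_for(sa_policy, caller):
        report["token_creator"] = "service-account"  # limited to this one account
    elif TOKEN_CREATOR in roles_for(project_policy, caller):
        report["token_creator"] = "project"  # covers every service account in the project
    else:
        report["token_creator"] = "missing"
    return report

# Constructed sample data in the shape of the gcloud JSON output.
SA = "serviceAccount:tuning-sa@example-project.iam.gserviceaccount.com"
CALLER = "user:dev@example.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/aiplatform.serviceAgent", "members": [SA]},
    {"role": "roles/storage.objectViewer", "members": [SA],
     "condition": {"title": "constructed", "expression": "true"}},
    {"role": TOKEN_CREATOR, "members": [CALLER]},
]}
SA_POLICY = {"bindings": []}  # policy set on the service account itself

def demo():
    return audit(PROJECT_POLICY, SA_POLICY, SA, CALLER)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```
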
Thanks, Namrata Hinduja, for your answer.
2 Likes