
TL;DR - Can I authenticate to AutoML API by impersonating a service account (SA) with my application default credentials (ADC) or must I actually use SA authentication?

I would like to be able to authenticate to the AutoML API using ADC when making batch predictions on a deployed model. This is just for development purposes, so as not to create a new SA for each developer & data scientist. I know AutoML requires an SA for authentication, so I would like to use the --impersonate-service-account flag or the auth/impersonate_service_account setting. I have followed instructions from this Medium post but am still getting an error about using end user credentials. So my question is, am I just doing something wrong, or must AutoML use true SA authentication without impersonation?

The output of gcloud config list is -

[auth]
impersonate_service_account = abcdefghijklmnop@my-project.iam.gserviceaccount.com
[compute]
region = us-east1
zone = us-east1-b
[core]
account = first.last@domain.com
disable_usage_reporting = False
project = my-project

Your active configuration is: [default]

Here is the error returned by AutoML -

google.api_core.exceptions.PermissionDenied: 403 Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the automl.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.

And from the AutoML docs -
Service accounts are the only authentication option available with the AutoML API.

Thanks,
Zach

  • Read this article on impersonating a service account. https://www.jhanley.com/google-cloud-improving-security-with-impersonation/ – John Hanley Mar 20 '20 at 15:20
  • @JohnHanley thank you for the comment and the article. During the course of following your article the below command warned me that I was using impersonation. This confirms to me that AutoML requires an SA and that impersonation won't work. Thanks for taking the time to assist. gcloud projects get-iam-policy [PROJECT-ID] \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:[ACCOUNT]" – Zach Mar 23 '20 at 13:20
  • The warning does not mean that. The CLI is reminding that you are using impersonation. – John Hanley Mar 23 '20 at 15:50
  • Okay, if that is the case then why does impersonation work for the above command but not for AutoML? I am using the same settings to execute both. – Zach Mar 24 '20 at 13:15

2 Answers


Have you tried specifying which service account to use for impersonation[1] by running "gcloud config set auth/impersonate_service_account"?

In order to impersonate, your original credentials need to be granted roles/iam.serviceAccountTokenCreator on the target service account[1].


[1] https://cloud.google.com/storage/docs/gsutil/addlhelp/CredentialTypesSupportingVariousUseCases
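A worked example of the impersonation the answer above describes, carried through to the AutoML batch-prediction call. This is added here and is not code from the question, the answers, or Google's samples. It assumes google-auth and google-cloud-automl are installed and that the user's account has been granted roles/iam.serviceAccountTokenCreator on the target service account (for instance with gcloud iam service-accounts add-iam-policy-binding SA --member=user:USER --role=roles/iam.serviceAccountTokenCreator); the project, region, model ID and bucket paths are placeholders. The point it illustrates: the gcloud auth/impersonate_service_account property is honoured by gcloud commands, but a Python client library obtains its credentials from Application Default Credentials, which that property does not change, so the library still presents the user's end-user token. The script reads the property out of `gcloud config list` and builds impersonated credentials explicitly, so the AutoML client presents a short-lived service-account access token instead.

```python
"""Batch-predict against an AutoML model using an impersonated service account.

Added example (not from the original post). Assumes google-auth and
google-cloud-automl are installed and the caller holds
roles/iam.serviceAccountTokenCreator on the target service account.
"""
import re
import subprocess

# Scope AutoML (and most Google Cloud APIs) expect on the access token.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def impersonation_target(gcloud_config_text: str):
    """Return auth/impersonate_service_account from `gcloud config list` output, or None.

    gcloud honours this property for its own commands; client libraries do not
    read it, so we mirror it into the client code ourselves.
    """
    in_auth = False
    for raw in gcloud_config_text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[([A-Za-z_]+)\]", line)
        if section:
            in_auth = section.group(1) == "auth"
            continue
        if in_auth:
            m = re.fullmatch(r"impersonate_service_account\s*=\s*(\S+)", line)
            if m:
                return m.group(1)
    return None


def is_service_account_email(email: str) -> bool:
    """Reject anything that is not a *.gserviceaccount.com identity before calling IAM."""
    return re.fullmatch(r"[^@\s]+@[^@\s]+\.gserviceaccount\.com", email) is not None


def impersonated_credentials(target_sa: str, lifetime_seconds: int = 3600):
    """Exchange the caller's ADC for a short-lived access token minted for target_sa."""
    import google.auth
    from google.auth import impersonated_credentials as imp

    if not is_service_account_email(target_sa):
        raise ValueError(f"not a service account email: {target_sa}")
    # Source credentials are the developer's own ADC (gcloud auth application-default login).
    source, _project = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    # The IAM Credentials generateAccessToken call happens lazily on first use.
    return imp.Credentials(
        source_credentials=source,
        target_principal=target_sa,
        target_scopes=[CLOUD_PLATFORM_SCOPE],
        lifetime=lifetime_seconds,
    )


def batch_predict(project, region, model_id, input_uri, output_uri_prefix, creds):
    """Run an AutoML batch prediction with the given credentials (AutoML v1 client)."""
    from google.cloud import automl

    client = automl.PredictionServiceClient(credentials=creds)
    model_name = automl.AutoMlClient.model_path(project, region, model_id)
    input_config = automl.BatchPredictInputConfig(
        gcs_source=automl.GcsSource(input_uris=[input_uri]))
    output_config = automl.BatchPredictOutputConfig(
        gcs_destination=automl.GcsDestination(output_uri_prefix=output_uri_prefix))
    operation = client.batch_predict(
        name=model_name, input_config=input_config, output_config=output_config)
    return operation.result()  # blocks until the batch job finishes


if __name__ == "__main__":
    config = subprocess.run(["gcloud", "config", "list"],
                            capture_output=True, text=True, check=True).stdout
    target = impersonation_target(config)
    if target is None:
        raise SystemExit("set auth/impersonate_service_account in gcloud config first")
    creds = impersonated_credentials(target)
    # Placeholder project, region, model ID and bucket paths (assumptions, not real values).
    batch_predict("my-project", "us-central1", "MODEL_ID",
                  "gs://BUCKET/input.csv", "gs://BUCKET/output/", creds)
```

The developer never handles a service-account key; the token is minted by the IAM Credentials API, expires after at most an hour, and the generateAccessToken call is logged against the developer's own identity, which is the audit trail the linked article argues for. Newer gcloud releases also accept gcloud auth application-default login --impersonate-service-account=SA, which writes the impersonation into the ADC file itself so client libraries pick it up with no code change.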


I have tested with several other services and service account impersonation seems to work for them. It appears Google AutoML requires a service account and impersonation will not work.

  • No Google service uses a JSON key for authorization. They use OAuth Access or Identity Tokens. Service Account Impersonation creates those tokens. Your assumption is not valid. – John Hanley Mar 23 '20 at 16:17