Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: evaluate_gemini_with_autosxs: my computer SvcAcct doesnt have access to my bucket. #1204

Open
palladius opened this issue Oct 2, 2024 · 2 comments
Open

[Bug]: evaluate_gemini_with_autosxs: my computer SvcAcct doesnt have access to my bucket. #1204

palladius opened this issue Oct 2, 2024 · 2 comments
Assignees
@inardini

Comments

@palladius
Copy link
Contributor

File Name

gemini/evaluation/legacy/evaluate_gemini_with_autosxs.ipynb

What happened?

in https://github.com/GoogleCloudPlatform/generative-ai/blob/main/gemini/evaluation/legacy/evaluate_gemini_with_autosxs.ipynb

Cell 16 fails for me: Service Account has no access to the Bucket I've just created.
I believe the solution is to:

  1. either give it some more permissions
  2. macke bucket content public to allUsers

Short error (longer below)

Job failed with: code: 7
message: "Failed to create pipeline job. Error: Service account 168029940164-compute@developer.gserviceaccount.com does not have [storage.objects.get, storage.objects.create] IAM permission(s) to the bucket
"ricc-devrel-challenge-01-autosxs-demo-znjnjzwv".
Please either copy the files to the Google Cloud Storage bucket owned by your project, or grant the required IAM permission(s) to the service account..

Relevant log output

Cell:


job = aiplatform.PipelineJob(
    job_id=display_name,
    display_name=display_name,
    pipeline_root=f"{BUCKET_URI}/{display_name}",
    template_path=TEMPLATE_URI,
    parameter_values=parameters,
    enable_caching=False,
)
job.run(sync=True)


## Error (cell output)

Creating PipelineJob
PipelineJob created. Resource name: projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0
To use this PipelineJob in another session:
pipeline_job = aiplatform.PipelineJob.get('projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0')
View Pipeline Job:
https://console.cloud.google.com/vertex-ai/locations/us-central1/pipelines/runs/autosxs-eval-s0qbdvf0?project=168029940164
PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state:
2
PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state:
2
PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state:
2
PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state:
2
PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state:
2
[truncated]


JSON ERROR:

```json
{
	"name": "RuntimeError",
	"message": "Job failed with:\ncode: 7\nmessage: \"Failed to create pipeline job. Error: Service account `168029940164-compute@developer.gserviceaccount.com` does not have `[storage.objects.get, storage.objects.create]` IAM permission(s) to the bucket \\\"ricc-devrel-challenge-01-autosxs-demo-znjnjzwv\\\". Please either copy the files to the Google Cloud Storage bucket owned by your project, or grant the required IAM permission(s) to the service account..\"\n",
	"stack": "\u001b[0;31m---------------------------------------------------------------------------\u001b[0m\n\u001b[0;31mRuntimeError\u001b[0m                              Traceback (most recent call last)\nCell \u001b[0;32mIn[16], line 9\u001b[0m\n\u001b[1;32m      1\u001b[0m job \u001b[38;5;241m=\u001b[39m aiplatform\u001b[38;5;241m.\u001b[39mPipelineJob(\n\u001b[1;32m      2\u001b[0m     job_id\u001b[38;5;241m=\u001b[39mdisplay_name,\n\u001b[1;32m      3\u001b[0m     display_name\u001b[38;5;241m=\u001b[39mdisplay_name,\n\u001b[0;32m   (...)\u001b[0m\n\u001b[1;32m      7\u001b[0m     enable_caching\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m      8\u001b[0m )\n\u001b[0;32m----> 9\u001b[0m \u001b[43mjob\u001b[49m\u001b[38;5;241;43m.\u001b[39;49m\u001b[43mrun\u001b[49m\u001b[43m(\u001b[49m\u001b[43msync\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[38;5;28;43;01mTrue\u001b[39;49;00m\u001b[43m)\u001b[49m\n\nFile \u001b[0;32m~/git/py-pvt-gemini-chat-challenge/.venv/lib/python3.11/site-packages/google/cloud/aiplatform/pipeline_jobs.py:334\u001b[0m, in \u001b[0;36mPipelineJob.run\u001b[0;34m(self, service_account, network, reserved_ip_ranges, sync, create_request_timeout, enable_preflight_validations)\u001b[0m\n\u001b[1;32m    310\u001b[0m \u001b[38;5;250m\u001b[39m\u001b[38;5;124;03m\"\"\"Run this configured PipelineJob and monitor the job until completion.\u001b[39;00m\n\u001b[1;32m    311\u001b[0m \n\u001b[1;32m    312\u001b[0m \u001b[38;5;124;03mArgs:\u001b[39;00m\n\u001b[0;32m   (...)\u001b[0m\n\u001b[1;32m    330\u001b[0m \u001b[38;5;124;03m        Optional. Whether to enable preflight validations for the PipelineJob.\u001b[39;00m\n\u001b[1;32m    331\u001b[0m \u001b[38;5;124;03m\"\"\"\u001b[39;00m\n\u001b[1;32m    332\u001b[0m network \u001b[38;5;241m=\u001b[39m network \u001b[38;5;129;01mor\u001b[39;00m initializer\u001b[38;5;241m.\u001b[39mglobal_config\u001b[38;5;241m.\u001b[39mnetwork\n\u001b[0;32m--> 334\u001b[0m \u001b[38;5;28;43mself\u001b[39;49m\u001b[38;5;241;43m.\u001b[39;49m\u001b[43m_run\u001b[49m\u001b[43m(\u001b[49m\n\u001b[1;32m    335\u001b[0m \u001b[43m    \u001b[49m\u001b[43mservice_account\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43mservice_account\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    336\u001b[0m \u001b[43m    \u001b[49m\u001b[43mnetwork\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43mnetwork\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    337\u001b[0m \u001b[43m    \u001b[49m\u001b[43mreserved_ip_ranges\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43mreserved_ip_ranges\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    338\u001b[0m \u001b[43m    \u001b[49m\u001b[43msync\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43msync\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    339\u001b[0m \u001b[43m    \u001b[49m\u001b[43mcreate_request_timeout\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43mcreate_request_timeout\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    340\u001b[0m \u001b[43m    \u001b[49m\u001b[43menable_preflight_validations\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43menable_preflight_validations\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    341\u001b[0m \u001b[43m\u001b[49m\u001b[43m)\u001b[49m\n\nFile \u001b[0;32m~/git/py-pvt-gemini-chat-challenge/.venv/lib/python3.11/site-packages/google/cloud/aiplatform/base.py:863\u001b[0m, in \u001b[0;36moptional_sync.<locals>.optional_run_in_thread.<locals>.wrapper\u001b[0;34m(*args, **kwargs)\u001b[0m\n\u001b[1;32m    861\u001b[0m     \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m:\n\u001b[1;32m    862\u001b[0m         VertexAiResourceNounWithFutureManager\u001b[38;5;241m.\u001b[39mwait(\u001b[38;5;28mself\u001b[39m)\n\u001b[0;32m--> 863\u001b[0m     \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[43mmethod\u001b[49m\u001b[43m(\u001b[49m\u001b[38;5;241;43m*\u001b[39;49m\u001b[43margs\u001b[49m\u001b[43m,\u001b[49m\u001b[43m \u001b[49m\u001b[38;5;241;43m*\u001b[39;49m\u001b[38;5;241;43m*\u001b[39;49m\u001b[43mkwargs\u001b[49m\u001b[43m)\u001b[49m\n\u001b[1;32m    865\u001b[0m \u001b[38;5;66;03m# callbacks to call within the Future (in same Thread)\u001b[39;00m\n\u001b[1;32m    866\u001b[0m internal_callbacks \u001b[38;5;241m=\u001b[39m []\n\nFile \u001b[0;32m~/git/py-pvt-gemini-chat-challenge/.venv/lib/python3.11/site-packages/google/cloud/aiplatform/pipeline_jobs.py:382\u001b[0m, in \u001b[0;36mPipelineJob._run\u001b[0;34m(self, service_account, network, reserved_ip_ranges, sync, create_request_timeout, enable_preflight_validations)\u001b[0m\n\u001b[1;32m    353\u001b[0m \u001b[38;5;250m\u001b[39m\u001b[38;5;124;03m\"\"\"Helper method to ensure network synchronization and to run\u001b[39;00m\n\u001b[1;32m    354\u001b[0m \u001b[38;5;124;03mthe configured PipelineJob and monitor the job until completion.\u001b[39;00m\n\u001b[1;32m    355\u001b[0m \n\u001b[0;32m   (...)\u001b[0m\n\u001b[1;32m    372\u001b[0m \u001b[38;5;124;03m        Optional. Whether to enable preflight validations for the PipelineJob.\u001b[39;00m\n\u001b[1;32m    373\u001b[0m \u001b[38;5;124;03m\"\"\"\u001b[39;00m\n\u001b[1;32m    374\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39msubmit(\n\u001b[1;32m    375\u001b[0m     service_account\u001b[38;5;241m=\u001b[39mservice_account,\n\u001b[1;32m    376\u001b[0m     network\u001b[38;5;241m=\u001b[39mnetwork,\n\u001b[0;32m   (...)\u001b[0m\n\u001b[1;32m    379\u001b[0m     enable_preflight_validations\u001b[38;5;241m=\u001b[39menable_preflight_validations,\n\u001b[1;32m    380\u001b[0m )\n\u001b[0;32m--> 382\u001b[0m \u001b[38;5;28;43mself\u001b[39;49m\u001b[38;5;241;43m.\u001b[39;49m\u001b[43m_block_until_complete\u001b[49m\u001b[43m(\u001b[49m\u001b[43m)\u001b[49m\n\u001b[1;32m    384\u001b[0m \u001b[38;5;66;03m# AutoSxS view model evaluations\u001b[39;00m\n\u001b[1;32m    385\u001b[0m \u001b[38;5;28;01mfor\u001b[39;00m details \u001b[38;5;129;01min\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mtask_details:\n\nFile \u001b[0;32m~/git/py-pvt-gemini-chat-challenge/.venv/lib/python3.11/site-packages/google/cloud/aiplatform/pipeline_jobs.py:793\u001b[0m, in \u001b[0;36mPipelineJob._block_until_complete\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m    790\u001b[0m \u001b[38;5;66;03m# Error is only populated when the job state is\u001b[39;00m\n\u001b[1;32m    791\u001b[0m \u001b[38;5;66;03m# JOB_STATE_FAILED or JOB_STATE_CANCELLED.\u001b[39;00m\n\u001b[1;32m    792\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_gca_resource\u001b[38;5;241m.\u001b[39mstate \u001b[38;5;129;01min\u001b[39;00m _PIPELINE_ERROR_STATES:\n\u001b[0;32m--> 793\u001b[0m     \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;167;01mRuntimeError\u001b[39;00m(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mJob failed with:\u001b[39m\u001b[38;5;130;01m\\n\u001b[39;00m\u001b[38;5;132;01m%s\u001b[39;00m\u001b[38;5;124m\"\u001b[39m \u001b[38;5;241m%\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_gca_resource\u001b[38;5;241m.\u001b[39merror)\n\u001b[1;32m    794\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m    795\u001b[0m     _LOGGER\u001b[38;5;241m.\u001b[39mlog_action_completed_against_resource(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mrun\u001b[39m\u001b[38;5;124m\"\u001b[39m, \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mcompleted\u001b[39m\u001b[38;5;124m\"\u001b[39m, \u001b[38;5;28mself\u001b[39m)\n\n\u001b[0;31mRuntimeError\u001b[0m: Job failed with:\ncode: 7\nmessage: \"Failed to create pipeline job. Error: Service account `168029940164-compute@developer.gserviceaccount.com` does not have `[storage.objects.get, storage.objects.create]` IAM permission(s) to the bucket \\\"ricc-devrel-challenge-01-autosxs-demo-znjnjzwv\\\". Please either copy the files to the Google Cloud Storage bucket owned by your project, or grant the required IAM permission(s) to the service account..\"\n"
}



### Code of Conduct

- [X] I agree to follow this project's Code of Conduct
@palladius
Copy link
Contributor Author

I've fixed it this way and trying now if it works:

PROJECT_NUMBER = "168029940164" # TODO: calculate based on PROJECT_ID
COMPUTE_ACCOUNT = f"{PROJECT_NUMBER}-compute@developer.gserviceaccount.com"#

...
# give access to SvcAcct to bucket
! gsutil iam ch serviceAccount:{COMPUTE_ACCOUNT}:objectAdmin {BUCKET_URI}
# verifies access to SvcAcct to bucket, you never know with OrgPolicies
! gsutil iam get {BUCKET_URI}

@palladius
Copy link
Contributor Author

@inardini JFYI

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@inardini inardini

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@palladius @inardini