generative-ai icon indicating copy to clipboard operation
generative-ai copied to clipboard

Published 20 hours ago verified publisher icon GoogleCloudPlatform

[Bug]: evaluate_gemini_with_autosxs: my computer SvcAcct doesnt have access to my bucket.

Open palladius opened this issue 1 year ago • 2 comments

File Name

gemini/evaluation/legacy/evaluate_gemini_with_autosxs.ipynb

What happened?

in https://github.com/GoogleCloudPlatform/generative-ai/blob/main/gemini/evaluation/legacy/evaluate_gemini_with_autosxs.ipynb

Cell 16 fails for me: Service Account has no access to the Bucket I've just created. I believe the solution is to:

  1. either give it some more permissions
  2. macke bucket content public to allUsers

Short error (longer below)

Job failed with: code: 7 message: "Failed to create pipeline job. Error: Service account [email protected] does not have [storage.objects.get, storage.objects.create] IAM permission(s) to the bucket "ricc-devrel-challenge-01-autosxs-demo-znjnjzwv". Please either copy the files to the Google Cloud Storage bucket owned by your project, or grant the required IAM permission(s) to the service account..

Relevant log output

Cell:


job = aiplatform.PipelineJob(
    job_id=display_name,
    display_name=display_name,
    pipeline_root=f"{BUCKET_URI}/{display_name}",
    template_path=TEMPLATE_URI,
    parameter_values=parameters,
    enable_caching=False,
)
job.run(sync=True)


## Error (cell output)

Creating PipelineJob PipelineJob created. Resource name: projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 To use this PipelineJob in another session: pipeline_job = aiplatform.PipelineJob.get('projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0') View Pipeline Job: https://console.cloud.google.com/vertex-ai/locations/us-central1/pipelines/runs/autosxs-eval-s0qbdvf0?project=168029940164 PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state: 2 PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state: 2 PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state: 2 PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state: 2 PipelineJob projects/168029940164/locations/us-central1/pipelineJobs/autosxs-eval-s0qbdvf0 current state: 2 [truncated]


JSON ERROR:

```json
{
	"name": "RuntimeError",
	"message": "Job failed with:\ncode: 7\nmessage: \"Failed to create pipeline job. Error: Service account `[email protected]` does not have `[storage.objects.get, storage.objects.create]` IAM permission(s) to the bucket \\\"ricc-devrel-challenge-01-autosxs-demo-znjnjzwv\\\". Please either copy the files to the Google Cloud Storage bucket owned by your project, or grant the required IAM permission(s) to the service account..\"\n",
	"stack": "\u001b[0;31m---------------------------------------------------------------------------\u001b[0m\n\u001b[0;31mRuntimeError\u001b[0m                              Traceback (most recent call last)\nCell \u001b[0;32mIn[16], line 9\u001b[0m\n\u001b[1;32m      1\u001b[0m job \u001b[38;5;241m=\u001b[39m aiplatform\u001b[38;5;241m.\u001b[39mPipelineJob(\n\u001b[1;32m      2\u001b[0m     job_id\u001b[38;5;241m=\u001b[39mdisplay_name,\n\u001b[1;32m      3\u001b[0m     display_name\u001b[38;5;241m=\u001b[39mdisplay_name,\n\u001b[0;32m   (...)\u001b[0m\n\u001b[1;32m      7\u001b[0m     enable_caching\u001b[38;5;241m=\u001b[39m\u001b[38;5;28;01mFalse\u001b[39;00m,\n\u001b[1;32m      8\u001b[0m )\n\u001b[0;32m----> 9\u001b[0m \u001b[43mjob\u001b[49m\u001b[38;5;241;43m.\u001b[39;49m\u001b[43mrun\u001b[49m\u001b[43m(\u001b[49m\u001b[43msync\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[38;5;28;43;01mTrue\u001b[39;49;00m\u001b[43m)\u001b[49m\n\nFile \u001b[0;32m~/git/py-pvt-gemini-chat-challenge/.venv/lib/python3.11/site-packages/google/cloud/aiplatform/pipeline_jobs.py:334\u001b[0m, in \u001b[0;36mPipelineJob.run\u001b[0;34m(self, service_account, network, reserved_ip_ranges, sync, create_request_timeout, enable_preflight_validations)\u001b[0m\n\u001b[1;32m    310\u001b[0m \u001b[38;5;250m\u001b[39m\u001b[38;5;124;03m\"\"\"Run this configured PipelineJob and monitor the job until completion.\u001b[39;00m\n\u001b[1;32m    311\u001b[0m \n\u001b[1;32m    312\u001b[0m \u001b[38;5;124;03mArgs:\u001b[39;00m\n\u001b[0;32m   (...)\u001b[0m\n\u001b[1;32m    330\u001b[0m \u001b[38;5;124;03m        Optional. Whether to enable preflight validations for the PipelineJob.\u001b[39;00m\n\u001b[1;32m    331\u001b[0m \u001b[38;5;124;03m\"\"\"\u001b[39;00m\n\u001b[1;32m    332\u001b[0m network \u001b[38;5;241m=\u001b[39m network \u001b[38;5;129;01mor\u001b[39;00m initializer\u001b[38;5;241m.\u001b[39mglobal_config\u001b[38;5;241m.\u001b[39mnetwork\n\u001b[0;32m--> 334\u001b[0m \u001b[38;5;28;43mself\u001b[39;49m\u001b[38;5;241;43m.\u001b[39;49m\u001b[43m_run\u001b[49m\u001b[43m(\u001b[49m\n\u001b[1;32m    335\u001b[0m \u001b[43m    \u001b[49m\u001b[43mservice_account\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43mservice_account\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    336\u001b[0m \u001b[43m    \u001b[49m\u001b[43mnetwork\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43mnetwork\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    337\u001b[0m \u001b[43m    \u001b[49m\u001b[43mreserved_ip_ranges\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43mreserved_ip_ranges\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    338\u001b[0m \u001b[43m    \u001b[49m\u001b[43msync\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43msync\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    339\u001b[0m \u001b[43m    \u001b[49m\u001b[43mcreate_request_timeout\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43mcreate_request_timeout\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    340\u001b[0m \u001b[43m    \u001b[49m\u001b[43menable_preflight_validations\u001b[49m\u001b[38;5;241;43m=\u001b[39;49m\u001b[43menable_preflight_validations\u001b[49m\u001b[43m,\u001b[49m\n\u001b[1;32m    341\u001b[0m \u001b[43m\u001b[49m\u001b[43m)\u001b[49m\n\nFile \u001b[0;32m~/git/py-pvt-gemini-chat-challenge/.venv/lib/python3.11/site-packages/google/cloud/aiplatform/base.py:863\u001b[0m, in \u001b[0;36moptional_sync.<locals>.optional_run_in_thread.<locals>.wrapper\u001b[0;34m(*args, **kwargs)\u001b[0m\n\u001b[1;32m    861\u001b[0m     \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m:\n\u001b[1;32m    862\u001b[0m         VertexAiResourceNounWithFutureManager\u001b[38;5;241m.\u001b[39mwait(\u001b[38;5;28mself\u001b[39m)\n\u001b[0;32m--> 863\u001b[0m     \u001b[38;5;28;01mreturn\u001b[39;00m \u001b[43mmethod\u001b[49m\u001b[43m(\u001b[49m\u001b[38;5;241;43m*\u001b[39;49m\u001b[43margs\u001b[49m\u001b[43m,\u001b[49m\u001b[43m \u001b[49m\u001b[38;5;241;43m*\u001b[39;49m\u001b[38;5;241;43m*\u001b[39;49m\u001b[43mkwargs\u001b[49m\u001b[43m)\u001b[49m\n\u001b[1;32m    865\u001b[0m \u001b[38;5;66;03m# callbacks to call within the Future (in same Thread)\u001b[39;00m\n\u001b[1;32m    866\u001b[0m internal_callbacks \u001b[38;5;241m=\u001b[39m []\n\nFile \u001b[0;32m~/git/py-pvt-gemini-chat-challenge/.venv/lib/python3.11/site-packages/google/cloud/aiplatform/pipeline_jobs.py:382\u001b[0m, in \u001b[0;36mPipelineJob._run\u001b[0;34m(self, service_account, network, reserved_ip_ranges, sync, create_request_timeout, enable_preflight_validations)\u001b[0m\n\u001b[1;32m    353\u001b[0m \u001b[38;5;250m\u001b[39m\u001b[38;5;124;03m\"\"\"Helper method to ensure network synchronization and to run\u001b[39;00m\n\u001b[1;32m    354\u001b[0m \u001b[38;5;124;03mthe configured PipelineJob and monitor the job until completion.\u001b[39;00m\n\u001b[1;32m    355\u001b[0m \n\u001b[0;32m   (...)\u001b[0m\n\u001b[1;32m    372\u001b[0m \u001b[38;5;124;03m        Optional. Whether to enable preflight validations for the PipelineJob.\u001b[39;00m\n\u001b[1;32m    373\u001b[0m \u001b[38;5;124;03m\"\"\"\u001b[39;00m\n\u001b[1;32m    374\u001b[0m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39msubmit(\n\u001b[1;32m    375\u001b[0m     service_account\u001b[38;5;241m=\u001b[39mservice_account,\n\u001b[1;32m    376\u001b[0m     network\u001b[38;5;241m=\u001b[39mnetwork,\n\u001b[0;32m   (...)\u001b[0m\n\u001b[1;32m    379\u001b[0m     enable_preflight_validations\u001b[38;5;241m=\u001b[39menable_preflight_validations,\n\u001b[1;32m    380\u001b[0m )\n\u001b[0;32m--> 382\u001b[0m \u001b[38;5;28;43mself\u001b[39;49m\u001b[38;5;241;43m.\u001b[39;49m\u001b[43m_block_until_complete\u001b[49m\u001b[43m(\u001b[49m\u001b[43m)\u001b[49m\n\u001b[1;32m    384\u001b[0m \u001b[38;5;66;03m# AutoSxS view model evaluations\u001b[39;00m\n\u001b[1;32m    385\u001b[0m \u001b[38;5;28;01mfor\u001b[39;00m details \u001b[38;5;129;01min\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39mtask_details:\n\nFile \u001b[0;32m~/git/py-pvt-gemini-chat-challenge/.venv/lib/python3.11/site-packages/google/cloud/aiplatform/pipeline_jobs.py:793\u001b[0m, in \u001b[0;36mPipelineJob._block_until_complete\u001b[0;34m(self)\u001b[0m\n\u001b[1;32m    790\u001b[0m \u001b[38;5;66;03m# Error is only populated when the job state is\u001b[39;00m\n\u001b[1;32m    791\u001b[0m \u001b[38;5;66;03m# JOB_STATE_FAILED or JOB_STATE_CANCELLED.\u001b[39;00m\n\u001b[1;32m    792\u001b[0m \u001b[38;5;28;01mif\u001b[39;00m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_gca_resource\u001b[38;5;241m.\u001b[39mstate \u001b[38;5;129;01min\u001b[39;00m _PIPELINE_ERROR_STATES:\n\u001b[0;32m--> 793\u001b[0m     \u001b[38;5;28;01mraise\u001b[39;00m \u001b[38;5;167;01mRuntimeError\u001b[39;00m(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mJob failed with:\u001b[39m\u001b[38;5;130;01m\\n\u001b[39;00m\u001b[38;5;132;01m%s\u001b[39;00m\u001b[38;5;124m\"\u001b[39m \u001b[38;5;241m%\u001b[39m \u001b[38;5;28mself\u001b[39m\u001b[38;5;241m.\u001b[39m_gca_resource\u001b[38;5;241m.\u001b[39merror)\n\u001b[1;32m    794\u001b[0m \u001b[38;5;28;01melse\u001b[39;00m:\n\u001b[1;32m    795\u001b[0m     _LOGGER\u001b[38;5;241m.\u001b[39mlog_action_completed_against_resource(\u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mrun\u001b[39m\u001b[38;5;124m\"\u001b[39m, \u001b[38;5;124m\"\u001b[39m\u001b[38;5;124mcompleted\u001b[39m\u001b[38;5;124m\"\u001b[39m, \u001b[38;5;28mself\u001b[39m)\n\n\u001b[0;31mRuntimeError\u001b[0m: Job failed with:\ncode: 7\nmessage: \"Failed to create pipeline job. Error: Service account `[email protected]` does not have `[storage.objects.get, storage.objects.create]` IAM permission(s) to the bucket \\\"ricc-devrel-challenge-01-autosxs-demo-znjnjzwv\\\". Please either copy the files to the Google Cloud Storage bucket owned by your project, or grant the required IAM permission(s) to the service account..\"\n"
}



### Code of Conduct

- [X] I agree to follow this project's Code of Conduct

palladius avatar Oct 02 '24 16:10 palladius

I've fixed it this way and trying now if it works:

PROJECT_NUMBER = "168029940164" # TODO: calculate based on PROJECT_ID
COMPUTE_ACCOUNT = f"{PROJECT_NUMBER}[email protected]"#

...
# give access to SvcAcct to bucket
! gsutil iam ch serviceAccount:{COMPUTE_ACCOUNT}:objectAdmin {BUCKET_URI}
# verifies access to SvcAcct to bucket, you never know with OrgPolicies
! gsutil iam get {BUCKET_URI}

palladius avatar Oct 02 '24 16:10 palladius

@inardini JFYI

palladius avatar Oct 02 '24 16:10 palladius