google-gemini
Vertex-AI Authentication does not prompt for an oauth screen
What happened?
I have a weird situation. Last week on Friday (1st Aug), I was able to use gemini cli with no problem. I still have an open session to that in a terminal window. When opening a new window and trying to send a request, I get ✕ [API Error: Permission 'aiplatform.endpoints.predict' denied on resource '//aiplatform.googleapis.com/projects/laod001-gemini-ai/locations/global/publishers/google/models/gemini-2.5-pro' (or it may not exist). (Status: PERMISSION_DENIED)]
That might be right. I do not have that permission. But I do have a Code Assist license assigned to my user and I am able to chat with gemini using the vscode plugin. I just reauthenticated inside of the google code assist plugin and there it is asking for an oauth token. After successful authentication, the extension works and I am able to chat with gemini
What did you expect to happen?
To be able to interact with gemini.
Client information
$ gemini /about
broken config:
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ About Gemini CLI │
│ │
│ CLI Version 0.1.17 │
│ Git Commit 99ba2f64 (local modifications) │
│ Model gemini-2.5-pro │
│ Sandbox no sandbox │
│ OS darwin │
│ Auth Method vertex-ai │
│ GCP Project laod001-gemini-ai │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────╯
working config:
╭─────────────────────────────────────────────────────────────────────────────────╮
│ │
│ About Gemini CLI │
│ │
│ CLI Version 0.1.15 │
│ Git Commit c45c14ee (local modifications) │
│ Model gemini-2.5-flash │
│ Sandbox no sandbox │
│ OS darwin │
│ Auth Method OAuth │
│ GCP Project laod001-gemini-ai │
│ │
╰─────────────────────────────────────────────────────────────────────────────────╯
Login information
Vertex AI
Anything else we need to know?
Here is what I tried:
- delete .gemini folder
- change the location from us-central1 to us-west1 or global
- try logging in with "Login with Google"
-
- This fails with "Failed to login. Message: Precondition check failed"
- reauthenticating with gcloud auth login
- reauthenticating with gcloud auth application-default login
- changing the project in gcloud auth application-default to another project, where I have the permission (there it also works again, but this is not the right project to use. switching back gives the issue again)
- Using gemini-cli in a cloudshell - there it also works fine
Can you use /auth and use the Login with Google option which will map to using your Code Assist license. See instructions here.
If I use Login with Google, I get a "Failed to login. Message: Precondition check failed" error. Is there a way to extract more logs?
I cloned the project and let claude add more log messages. Summary of Auth Debugging Enhancements
- Enhanced Error Parsing in useAuthCommand.ts
Before:
} catch (e) {
setAuthError(Failed to login. Message: ${getErrorMessage(e)});
openAuthDialog();
}
After: } catch (e) { console.error('Auth error details:', e);
let errorMessage = 'Failed to login.';
if (e && typeof e === 'object') {
const error = e as any;
if (error.message) {
errorMessage += ` ${error.message}`;
}
if (error.code) {
errorMessage += ` (Code: ${error.code})`;
}
if (error.status) {
errorMessage += ` (Status: ${error.status})`;
}
// For Google API errors, check for additional nested error info
if (error.response?.data) {
errorMessage += ` Response: ${JSON.stringify(error.response.data)}`;
}
if (error.error?.message) {
errorMessage += ` Inner error: ${error.error.message}`;
}
// Fallback to full error serialization if we still don't have much info
if (errorMessage === 'Failed to login.') {
errorMessage = `Failed to login. Message: ${JSON.stringify(e, Object.getOwnPropertyNames(e))}`;
}
}
setAuthError(errorMessage);
openAuthDialog();
}
- Added Comprehensive Logging in codeAssist.ts
Before: const authClient = await getOauthClient(authType, config); const userData = await setupUser(authClient); return new CodeAssistServer(authClient, userData.projectId, httpOptions, sessionId, userData.userTier);
After:
try {
console.log([AUTH DEBUG] Getting OAuth client for authType: ${authType});
const authClient = await getOauthClient(authType, config);
console.log([AUTH DEBUG] OAuth client obtained successfully);
console.log(`[AUTH DEBUG] Setting up user with auth client`);
const userData = await setupUser(authClient);
console.log(`[AUTH DEBUG] User setup completed. ProjectId: ${userData.projectId}, UserTier: ${userData.userTier}`);
return new CodeAssistServer(authClient, userData.projectId, httpOptions, sessionId, userData.userTier);
} catch (error) {
console.error([AUTH DEBUG] Error in createCodeAssistContentGenerator:, error);
// Log HTTP request/response details
if (error && typeof error === 'object') {
const err = error as any;
if (err.response) {
console.error(`[AUTH DEBUG] HTTP Response:`, {
status: err.response.status,
statusText: err.response.statusText,
headers: err.response.headers,
data: err.response.data,
});
}
// ... more request logging
}
throw error;
}
- Detailed API Call Logging in setup.ts
Added debug logging around each API call:
console.log([AUTH DEBUG] Calling loadCodeAssist with:, {
cloudaicompanionProject: projectId,
metadata: clientMetadata,
});
const loadRes = await caServer.loadCodeAssist({
cloudaicompanionProject: projectId,
metadata: clientMetadata,
});
console.log([AUTH DEBUG] loadCodeAssist response:, loadRes);
Impact
Before: Users got generic error: "Failed to login. Message: {"message":"Precondition check failed.","name":"Error"}"
After: Users get detailed error: "Failed to login. Precondition check failed. (Code: 400) (Status: 400) Response: {"error":{"code":400,"message":"Precondition check failed.","status":"FAILED_PRECONDITION"}}"
Plus console logs showing exactly which API call failed and with what request payload.
Usage: DEBUG=1 gemini to see all the detailed logging.
This transforms debugging from "something failed" to "this specific API call failed with this exact error and request".
Here are the debug messages during the auth flow:
[AUTH DEBUG] Creating CodeAssist content generator with authType: oauth-personal [AUTH DEBUG] Getting OAuth client for authType: oauth-personal
Code Assist login required. Attempting to open authentication page in your browser. Otherwise navigate to:
https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A62720%2Foauth2callback&access_type=offline&scope=https%3A%2F%2Fwww.go ogleapis.com%2Fauth%2Fcloud-platform%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.pro file&state=4b44b02e8e062d384cbdcbcee58d1044bc358965905d231e0159fae78e762afe&response_type=code&client_id=681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.a pps.googleusercontent.com
Waiting for authentication... [AUTH DEBUG] OAuth client obtained successfully [AUTH DEBUG] Setting up user with auth client [AUTH DEBUG] Setting up user, projectId from env: [REDACTED_PROJECT_ID] [AUTH DEBUG] Calling loadCodeAssist with: { cloudaicompanionProject: '[REDACTED_PROJECT_ID]', metadata: { ideType: 'IDE_UNSPECIFIED', platform: 'PLATFORM_UNSPECIFIED', pluginType: 'GEMINI', duetProject: '[REDACTED_PROJECT_ID]' } } [AUTH DEBUG] loadCodeAssist response: { currentTier: { id: 'free-tier', name: 'Gemini Code Assist for individuals', description: 'Gemini-powered code suggestions and chat in multiple IDEs', privacyNotice: { showNotice: true, noticeText: '[PRIVACY_NOTICE_TEXT_TRUNCATED]' } }, allowedTiers: [ { id: 'free-tier', name: 'Gemini Code Assist for individuals', description: 'Gemini-powered code suggestions and chat in multiple IDEs', privacyNotice: [Object], isDefault: true }, { id: 'standard-tier', name: 'Gemini Code Assist', description: 'Unlimited coding assistant with the most powerful Gemini models', userDefinedCloudaicompanionProject: true, privacyNotice: {} } ], cloudaicompanionProject: '[REDACTED_AUTO_PROJECT_ID]', gcpManaged: false } [AUTH DEBUG] Determined tier: { id: 'free-tier', name: 'Gemini Code Assist for individuals', description: 'Gemini-powered code suggestions and chat in multiple IDEs', privacyNotice: { [PRIVACY_NOTICE_OBJECT] } } [AUTH DEBUG] Calling onboardUser with: { tierId: 'free-tier', cloudaicompanionProject: '[REDACTED_PROJECT_ID]', metadata: { ideType: 'IDE_UNSPECIFIED', platform: 'PLATFORM_UNSPECIFIED', pluginType: 'GEMINI', duetProject: '[REDACTED_PROJECT_ID]' } } [AUTH DEBUG] Error in setupUser: GaxiosError: Precondition check failed. [AUTH DEBUG] API Response Error: { status: 400, statusText: 'Bad Request', data: { error: { code: 400, message: 'Precondition check failed.', status: 'FAILED_PRECONDITION' } } } [AUTH DEBUG] Request config: { method: 'POST', url: 'https://cloudcode-pa.googleapis.com/v1internal:onboardUser', headers: { 'Content-Type': 'application/json', Authorization: '<<REDACTED>>', Accept: 'application/json' }, body: '{"tierId":"free-tier","cloudaicompanionProject":"[REDACTED_PROJECT_ID]","metadata":{"ideType":"IDE_UNSPECIFIED","platform":"PLATFORM_UNSPECIFIE D","pluginType":"GEMINI","duetProject":"[REDACTED_PROJECT_ID]"}}' }
So something changed now. I can see that the free tier was removed from the allowed Tiers and now it seems to work again. I am not sure why this works now. Maybe on the administrative side of the project something changed. But I can't really tell.
Here are the new logs after OAuth works again: AUTH DEBUG] Creating CodeAssist content generator with authType: oauth-personal [AUTH DEBUG] Getting OAuth client for authType: oauth-personal Loaded cached credentials. [AUTH DEBUG] OAuth client obtained successfully [AUTH DEBUG] Setting up user with auth client [AUTH DEBUG] Setting up user, projectId from env: [REDACTED-PROJECT-ID] [AUTH DEBUG] Calling loadCodeAssist with: { cloudaicompanionProject: '[REDACTED-PROJECT-ID]', metadata: { ideType: 'IDE_UNSPECIFIED', platform: 'PLATFORM_UNSPECIFIED', pluginType: 'GEMINI', duetProject: '[REDACTED-PROJECT-ID]' } } [AUTH DEBUG] loadCodeAssist response: { allowedTiers: [ { id: 'standard-tier', name: 'Gemini Code Assist', description: 'Unlimited coding assistant with the most powerful Gemini models', userDefinedCloudaicompanionProject: true, privacyNotice: {}, isDefault: true } ], cloudaicompanionProject: '[REDACTED-PROJECT-ID]', gcpManaged: true } [AUTH DEBUG] Determined tier: { id: 'standard-tier', name: 'Gemini Code Assist', description: 'Unlimited coding assistant with the most powerful Gemini models', userDefinedCloudaicompanionProject: true, privacyNotice: {}, isDefault: true } [AUTH DEBUG] Calling onboardUser with: { tierId: 'standard-tier', cloudaicompanionProject: '[REDACTED-PROJECT-ID]', metadata: { ideType: 'IDE_UNSPECIFIED', platform: 'PLATFORM_UNSPECIFIED', pluginType: 'GEMINI', duetProject: '[REDACTED-PROJECT-ID]' } } [AUTH DEBUG] Initial onboardUser response: { done: true, response: { '@type': 'type.googleapis.com/google.internal.cloud.code.v1internal .OnboardUserResponse', cloudaicompanionProject: { id: '[REDACTED-PROJECT-ID]' }, status: { statusCode: 'WARNING', displayMessage: 'You are missing a valid license for Gemini Code Assist. Please contact your billing administrator to purchase or assign a license.', helpLink: [Object], messageTitle: 'Subscription needed for Gemini Code Assist' } } } [AUTH DEBUG] Final setupUser result: { projectId: '[REDACTED-PROJECT-ID]', userTier: 'standard-tier' } [AUTH DEBUG] User setup completed. ProjectId: [REDACTED-PROJECT-ID], UserTier: standard-tier Authenticated via "oauth-personal".
╭────────╮ │ > hi │ ╰────────╯
✦ Hi there! How can I help you today? Flushing log events to Clearcut.
Good question. Maybe someone from the Google Team can chime in here and give his opinion on this issue
Hi, We have had multiple fixes go into this space of the code in the past few weeks.
Are you still seeing issues hitting the login page?
Additionally this issue talks about authenticating with Vertex for which were you able to try the instructions in docs here? https://github.com/google-gemini/gemini-cli/blob/main/docs/cli/authentication.md
Hello! As part of our effort to keep our backlog manageable and focus on the most active issues, we are tidying up older reports.
It looks like this issue hasn't been active for a while, so we are closing it for now. However, if you are still experiencing this bug on the latest stable build, please feel free to comment on this issue or create a new one with updated details.
Thank you for your contribution!
![gemini-cli[bot] avatar](https://avatars.githubusercontent.com/in/1473539?v=4 "Published by a pub.dev verified publisher"){kind=small}
Found possible duplicate issues:
- #5738
- #7478
If you believe this is not a duplicate, please remove the status/possible-duplicate label.