<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2634489&amp;fmt=gif">

AI and Machine Learning, Vertex AI, API Management

How to get API keys to use with Vertex AI or PalM 2 API

By Petar Ojdrovic | August 12, 2021

Hey community! I am looking into replacing some of our OpenAI usage with Vertex / PalM 2 and am wondering how to get the necessary API and use them in production. We would be using these APIs in cloud functions.


gcloud auth print-access-token does not work in cloud functions.

I've used service account credentials to initialize clients for other APIs like translate, bigquery, etc., but this endpoint does not accept a service account credential.

Should I use the runtimes service account and get an access token that way? 

curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token


Here's the sample request found in the Vertex AI playground 


curl \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://${API_ENDPOINT}/v1/projects/${PROJECT_ID}/locations/us-central1/publishers/google/models/${MODEL_ID}:predict" -d \
"instances": [
"content": ""
"parameters": {
"temperature": 0.2,
"maxOutputTokens": 256,
"topP": 0.8,
"topK": 40


More broadly - how should we authenticate these API's for use in a cloud function?


Thanks in advance!


Best answer by pthiagar

Generally, once the service account policy binding is setup for the function, the most reliable way to generate tokens would be to do so programmatically using the authentication libraries. 

But, if you have to do this manually, there are many ways to do this too.  For your e.g. you should be able to use Compute metadata server to get id token for a specific audience like this-

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=AUDIENCE" \

     -H "Metadata-Flavor: Google"

Where audience is the URL of the invoked function.  You can then pass the google signed id token in the Authorization Bearer header to the request.  

See docs for more info - authentication options for invocation.

Hope this helps!

Recent Articles

Data Analytics

Generative AI: Are You Behind?!

Review the latest insights from the AI Readiness Report.
By Bruno Aziza
Industry Solutions

Make "Gen AI Work": Landscape, SLMs vs. LLMs, Cost & More...

Discover the 5 metrics you need to know in order to be an exceptional CEO and Operator.
By Bruno Aziza
Google Cloud Strategy

AI Cheat Sheet

AI is no more and no less the drive to create robots with human minds so they can do everything we do and more. Use this cheat sheet to help decode the space.
By Leah Zitter