Docker image running in k8s which needs gcloud auth credentials

khteh · March 17, 2025, 8:37am

I need run a python app in docker container on k8s. This app needs to use gcloud stuff like gemini-2.0-flash, google_vertexai and

vertexai.init(project=os.environ.get("GOOGLE_CLOUD_PROJECT"), location=os.environ.get("GOOGLE_CLOUD_LOCATION"))

I can install the gcloud CLI in Dockerfile. What’s next after that? Any reference?

jkirstaetter · March 17, 2025, 11:13am

Hi @khteh

Look at Application Default Credentials (ADC).
This allows you to create a JSON file with the credentials to access Vertex AI from your container.

Cheers

khteh · March 17, 2025, 11:31am

Does this work on local microk8s cluster?

jkirstaetter · March 17, 2025, 12:55pm

Hi @khteh

If your container has gcloud installed, it should work. Give it a try and report back.

Cheers

jkirstaetter · March 17, 2025, 1:01pm

Hi,

See the following snippet how you could do a REST call.

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \

https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/publishers/google/models/${MODEL_VERSION}:generateContent \
-d '{....}'

The HTTP header for Authorization is the key element that your container needs to be able to produce. As you might see, it call the gcloud CLI to get the necessary access token.

Cheers

khteh · March 18, 2025, 8:21am

I suddently hit the 401 error:

Error: ClientError("401 UNAUTHENTICATED. {'error': {'code': 401, 'message': 'API keys are not supported by this API. Expected OAuth2 access token or other authentication credentials that assert a principal. See https://cloud.google.com/docs/authentication', 'status': 'UNAUTHENTICATED', 'details': [{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'CREDENTIALS_MISSING', 'domain': 'googleapis.com', 'metadata': {'method': 'google.cloud.aiplatform.v1beta1.PredictionService.GenerateContent', 'service': 'aiplatform.googleapis.com'}}]}}")

I use Gemini API key. Is that the right key to use?

jkirstaetter · March 18, 2025, 8:58pm

Hi @khteh

No, authentication for Vertex AI is based on GCP credentials as referred in the ADC link above. You’d need an access token instead of an API key. When you initialize the genai client you specify a project and a location parameter.

Ok, there is a small exception: Vertex AI in express mode works using a different API key than the one created in AI Studio.

Cheers.

Topic		Replies	Views
Inability to authenticate with OAuth for the Vertex AI SDK Gemini API	0	78	May 3, 2024
Python package for Gemini API: google-cloud-aiplatform or vertexai? Gemini API api	9	290	May 17, 2024
Gemini API quickstart (in Python) Community	1	232	May 7, 2024
Python genai.Client authentication failure Gemini API python , gemini-flash	2	83	April 10, 2025
Is using gemini api thru google cloud platform possiable? Gemini API api	2	70	December 18, 2024

Docker image running in k8s which needs gcloud auth credentials

Related topics