0
votes

I'm trying to deploy a new version of a model to AI Platform; it's a custom prediction routine. I've managed to deploy just fine when I have all the resources in the same GCP project, but when I try to deploy and I point the GCS files to a bucket in a different project, it fails to deploy. So I'm trying to pass which service account to use when creating the version, but it keeps ignoring it.

That's the message I get:

    googleapiclient.errors.HttpError: <HttpError 400 when requesting https://ml.googleapis.com/v1/projects/[gcp-project-1]/models/[model_name]/versions?alt=json returned "Field: version.deployment_uri Error: The provided GCS prefix [gs://[bucket-gcp-project-2]/] cannot be read by service account service-*****@cloud-ml.google.com.iam.gserviceaccount.com.". Details: "[{'@type': 'type.googleapis.com/google.rpc.BadRequest', 'fieldViolations': [{'field': 'version.deployment_uri', 'description': 'The provided GCS prefix [gs://[bucket-gcp-project-2]/] cannot be read by service account service-******@cloud-ml.google.com.iam.gserviceaccount.com.'}]}]

My request looks like:

    POST https://ml.googleapis.com/v1/projects/[gcp-project-1]/models/[model_name]/versions?alt=json

    {
        "name": "v1",
        "deploymentUri": "gs://[bucket-gcp-project-2]",
        "pythonVersion": "3.5",
        "runtimeVersion": "1.13",
        "package_uris": "gs://[bucket-gcp-project-2]/model.tar.gz",
        "predictionClass": "predictor.Predictor",
        "serviceAccount": "my-service-account@[gcp-project-1].iam.gserviceaccount.com"
    }

The service account has access in both projects.

1
Does the service account have the same permissions on both projects? Are the permissions granted at the bucket level? - Daniel Ocando
As I mentioned, the service account that I want it to use has permission, but it is ignoring the service account I have specified (which is the problem I'm trying to solve). - klesouza
Please specify which permissions and roles my-service-account@[gcp-project-1].iam.gserviceaccount.com has in both project-1 and project-2, both on the IAM permissions console and at the bucket level. You can begin by testing giving the service account the Storage Admin role on project-2 at the project level and waiting for the permissions to propagate. Afterwards, depending on the specifics of your project, you can give finer-grained permissions by using one of these possibilities. - Daniel Ocando
I think you are missing the point of my question. If you read the error message, it shows which service account is being used, and that's not the one I want it to use. My question is not around permissions; it's why it's not using the service account I specified. - klesouza

1 Answer

0
votes

Specifying a service account is documented as a beta feature. Try using the gcloud SDK, e.g.:

    gcloud components install beta

    gcloud beta ai-platform versions create v1 \
      --service-account my-service-account@[gcp-project-1].iam.gserviceaccount.com ...