Access Google Cloud services and APIs
This page describes how to access Google Cloud services and APIs through your Colab Enterprise notebook.
Overview
When you run code in a Colab Enterprise notebook, you can access Google Cloud services and APIs by using the credentials associated with your Google Account, also called user credentials. This means that the runtime that you use has the same level of access to Google Cloud that the user does. This makes it easier to write and run code that interacts with Google Cloud services and APIs.
Colab Enterprise can use Application Default Credentials (ADC) to authenticate your user credentials to Google Cloud services and APIs. This page describes the following ways to provide your user credentials to ADC:
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Vertex AI, Dataform, and Compute Engine APIs.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Vertex AI, Dataform, and Compute Engine APIs.
Required roles
To ensure that your user account has the necessary
permissions to access Google Cloud services and APIs in a Colab Enterprise notebook,
ask your administrator to grant your user account the
Colab Enterprise Admin (roles/aiplatform.colabEnterpriseAdmin)
IAM role on the project.
For more information about granting roles, see Manage access.
Your administrator might also be able to give your user account the required permissions through custom roles or other predefined roles.
Use a runtime with end-user credentials enabled
You can use the default runtime, which has end-user credentials enabled, or any runtime created from a runtime template in which end-user credentials are enabled.
If you don't have a sufficient runtime template with end-user credentials enabled, you must create one. You must enable or turn off end-user credentials when you create a runtime template. This setting can't be modified later.
Connect to a runtime with end-user credentials enabled
To connect to a runtime with end-user credentials enabled:
-
In the Google Cloud console, go to the Colab Enterprise Notebooks page.
-
In the Region menu, select the region that contains your notebook.
-
On the My notebooks tab, click the notebook that you want to open. If you haven't created a notebook yet, create a notebook.
-
In your notebook, click the Additional connection options expander arrow, and then select Connect to a runtime.
The Connect to Vertex AI runtime dialog opens.
-
For Select a runtime, select Connect to an existing runtime.
-
For Select an existing runtime option, select the runtime that you want to connect to. If there aren't any runtimes in the list, create a runtime or connect to the default runtime.
-
In the Runtime details table, verify that Personal credentials are
Enabled. -
Click Connect.
-
If this is your first time connecting to a runtime with end-user credentials enabled, a Sign in dialog appears.
To grant Colab Enterprise access to your user credentials, complete the following steps:
-
In the Sign in dialog, click your user account.
-
Select See, edit, configure, and delete your Google Cloud data... to grant Colab Enterprise access to your user credentials.
-
Click Continue.
-
When you access Google Cloud services and APIs by using end-user credentials, be aware that if your Google Account doesn't have the required Identity and Access Management (IAM) permissions in your project, your code might not be able to access some resources. If this happens, ask your administrator to grant you the required permissions.
Provide your user credentials to ADC by running code in your notebook
If your runtime doesn't have end-user credentials enabled, you can still use your user credentials to access Google Cloud services and APIs. To do so, provide your user credentials to ADC by using the Google Cloud CLI.
-
Use the following command to create a credential file:
!gcloud auth application-default login
A Sign in dialog appears.
-
Complete the dialog to grant Colab Enterprise access.
After you sign in, your credentials are stored in the local credential file used by ADC. This file is stored on your runtime's VM.
When you provide user credentials to create a local ADC file, you should be aware of the following:
User credentials might not work for some methods and APIs, such as the Cloud Translation API or the Cloud Vision API, without extra parameters or configuration. If you see an error message about the API not being enabled in the project, or that there is no quota project available, see Troubleshooting your ADC setup.
The local ADC contains your access and refresh tokens. Any user with access to your file system can use those credentials. If you no longer need these local credentials, you can revoke them by using the
gcloud auth application-default revokecommand.If your Google Account doesn't have the required Identity and Access Management (IAM) roles in your project, your code might not be able to access some resources. If this happens, someone must grant you the required roles.
Troubleshoot
This section shows you how to resolve issues with running code that interacts with Google Cloud services and APIs.
User credentials not found when running code
This issue occurs when you try to run code in a notebook that interacts with Google Cloud services and APIs, but you haven't granted Colab Enterprise access to your user credentials.
The error message might look like one of the following:
Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential
DefaultCredentialsError: Your default credentials were not found.
See the following common reasons for this issue and their resolutions:
-
You didn't complete a Sign in dialog that appears when you first connect to a runtime that has end-user credentials enabled. By completing this dialog, you grant Colab Enterprise access to your user credentials.
To resolve this issue, try connecting to the runtime again and grant access.
To validate that access has been granted:
-
Click Account > Managed Google Account > Data and Privacy > Third-party Apps & Services.
-
Verify that Colab Enterprise is listed.
-
-
In the Sign in dialog (consent screen) that appears when you first connect to a runtime that has end-user credentials enabled, you didn't select your user account to grant Colab Enterprise access to your user credentials.
To resolve this issue:
-
In the Google Cloud console, click your account profile image, and then click Google Account.
-
Click Data & privacy.
-
In Data from apps and services you use, click Third-party apps & services.
-
Click Colab Enterprise.
-
In Colab Enterprise has some access to your Google Account, click See details.
-
Click Remove access.
-
Click Confirm.
This removes your current access settings.
-
The next time you connect to a runtime that has end-user credentials enabled, make sure to select the correct user account when you complete the Sign in dialog.
-
-
A pop-up blocker might be preventing the Colab Enterprise Sign in dialog (consent screen) from appearing.
To resolve this issue, enable pop-ups temporarily in your browser and try to connect to the runtime again.
-
You aren't using a runtime with end-user credentials enabled, and you haven't provided your user credentials to Application Default Credentials (ADC) by using the Google Cloud CLI.
To resolve this issue, see Provide your user credentials to ADC by running code in your notebook.
What's next
Learn more about how Application Default Credentials work.
Create a runtime template with end-user credentials enabled.
Use the side panel to write and run code that interacts with Vertex AI Experiments.