Google generative api with palm: 403 Request had insufficient authentication scopes. [reason: "ACCESS_TOKEN_SCOPE_INSUFFICIENT"

Question

I have been trying to use the Palm API and the palm.chat() function with google's new generative api. I've been in a maze of documentation and errors and I can't seem to get past this one. My code is very simple, and the error is coming from a simple request with palm.chat(). I have an API key that works when I test it with curl. I also downloaded credentials. I set up an OAuth consent screen, because I thought that might help me add the scope that I need, but I can't see what the scope requirement would be for palm.chat. Here is my code:

import google.generativeai as palm
import os
palm.configure(api_key='XXXXXXXXXXXXXXXXXXXXX')

os.environ['GOOGLE_APPLICATION_CREDENTIALS']='XXXXXXXXX/.config/gcloud/application_default_credentials.json'

response = palm.chat(messages='Hello')

response.last

The exact error I am getting is:

File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/google/api_core/grpc_helpers.py", line 67, in error_remapped_callable raise exceptions.from_grpc_error(exc) from exc google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes. [reason: "ACCESS_TOKEN_SCOPE_INSUFFICIENT" domain: "googleapis.com" metadata { key: "method" value: "google.ai.generativelanguage.v1beta2.TextService.GenerateText" } metadata { key: "service" value: "generativelanguage.googleapis.com" }

I have no idea what I am doing wrong and I've been working in circles to solve this error all day. Any help would be much appreciated. Thank you!

Answer 1

I think something was wrong with the python/pip versions, ended up switching to a different device and everything worked perfectly first try.

Answer 2

The recommended solution would be to stick with using the API key on its own, but if you must use ADCs, you can use gcloud to set the scopes:

gcloud config set account [email protected]
gcloud config set project name-of-your-cloud-project

gcloud auth application-default login --scopes="https://www.googleapis.com/auth/generative-language,https://www.googleapis.com/auth/cloud-platform"

And don't mix credentials - either use the API key or the ADCs, but not both. It might work, but it's unclear what auth mechanism will take precedence in any given code path.

More detail in the GitHub issue.

Answer 3

I encountered the same error when using virtualenv, but when I switched to pyenv with the same code, it worked fine. I suppose that means it was something wrong with the python environment, I'm not really sure. In addition, you don't even need to install Google Cloud CLI since you have the API key.

For more details, please refer to https://github.com/google/generative-ai-python/issues/50

Answer 4

I finally got it working on a different computer. I suspected that there was something corrupt in one of the modules. Created a req.txt file containing the following modules: cachetools-5.3.1 google-ai-generativelanguage-0.2.0 google-api-core-2.11.1 google-auth-2.22.0 google-generativeai-0.1.0 googleapis-common-protos-1.59.1 grpcio-1.56.2 grpcio-status-1.56.2 proto-plus-1.22.3 protobuf-4.23.4 pyasn1-0.5.0 pyasn1-modules-0.3.0 rsa-4.9 Ran: pip uninstall -y -r reqs.txt pip install google-generativeai It is now working as expected

Answer 5

What works for me is to authenticate with credentials instead of api_key, that means you need to generate it first.

from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('./credentials.json')
palm.configure(credentials=credentials)
print([m for m in palm.list_models() ]) # should work!

However, I support the idea something is corrupted or there is a bug in the generativeai library, this issue is only happening to me in a local Jupiter kernel, but running a python script, curl command or even Google Colab like you can see in the quick start is working good. https://colab.research.google.com/github/google/generative-ai-docs/blob/main/site/en/tutorials/text_quickstart.ipynb and you only need to pass an api_key.

Answer 6

Got the same error trying to use langchain VirtualEmbeddings(). Inside the virtualenv just needed to do gcloud auth application-default login and error went away.