models.get() uses credentials' project instead of configured Vertex AI project for API enablement check #2173

@tharun208

Environment

  • Python: 3.13
  • google-genai version: latest (via llama-index-llms-google-genai)
  • Platform: GKE with Workload Identity
  • OS: Linux (container)

Description

When creating a google.genai.Client with vertexai=True and an explicit project, the client.models.get() call checks Vertex AI API enablement against the credentials' GCP project (from Workload Identity / ADC), not the project passed in the config.

This does not happen with the Go SDK (google.golang.org/genai) using the same cross-project setup.

Steps to reproduce

import google.genai

client = google.genai.Client(
    vertexai=True,
    project="project-a",       # Vertex AI API enabled here
    location="us-central1",
    api_key=None,
)
# Credentials come from Workload Identity in "project-b"
# (Vertex AI API NOT enabled in project-b)

client.models.get(model="gemini-2.5-flash-lite")

Expected behavior

The models.get() call should use project-a (the explicitly configured project) for the API request, where Vertex AI API is enabled.

Actual behavior

The SDK sends the request against project-b (the credentials' project), resulting in:

google.genai.errors.ClientError: 403 PERMISSION_DENIED.
Vertex AI API has not been used in project <project-b-number> before or it is disabled.

Stack trace

File "google/genai/models.py", line 4633, in get
    response = self._api_client.request('get', path, request_dict, http_options)
File "google/genai/_api_client.py", line 1375, in request
    response = self._request(http_request, http_options, stream=False)
...
google.genai.errors.ClientError: 403 PERMISSION_DENIED.
{'error': {'code': 403, 'message': 'Vertex AI API has not been used in project <project-b-number>...'}}

Additional context

  • The Go SDK (google.golang.org/genai) works correctly with the identical cross-project setup (same service account, same Workload Identity binding, same target project).
  • The credentials' service account has the necessary IAM roles in the target project.
  • Setting GOOGLE_GENAI_USE_VERTEXAI=true does not help since vertexai_config already sets vertexai=True internally.
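A triage helper for the 403 reported above, added here as an example and not taken from the issue or from the google-genai SDK: it compares the project in the request path and the project named in the enablement error against the configured project. The sample URL, the project numbers and the `triage` function are constructed for illustration, and the path layout `projects/<project>/locations/<location>/...` is an assumption about the Vertex AI request URL.

```python
import re

# Constructed sample inputs (not captured from the reporter's cluster).
PROJECT_NUMBERS = {"project-a": "111111111111", "project-b": "222222222222"}
SAMPLE_URL = ("https://us-central1-aiplatform.googleapis.com/v1beta1/"
              "projects/project-a/locations/us-central1/"
              "publishers/google/models/gemini-2.5-flash-lite")
SAMPLE_ERROR = {"error": {"code": 403, "status": "PERMISSION_DENIED", "message":
                "Vertex AI API has not been used in project 222222222222 "
                "before or it is disabled."}}

_PATH_RE = re.compile(r"/projects/([^/]+)/locations/([^/]+)/")
_MSG_RE = re.compile(r"has not been used in project (\S+) before or it is disabled")


def triage(url, error_body, configured_project, project_numbers):
    """Classify a 403 by comparing the project in the request path and the
    project named in the enablement error against the configured project."""
    path = _PATH_RE.search(url)
    path_project = path.group(1) if path else None
    msg = _MSG_RE.search(error_body.get("error", {}).get("message", ""))
    checked = msg.group(1) if msg else None
    # The error may name a project number or a project id; accept either form.
    configured_ids = {configured_project, project_numbers.get(configured_project)}
    configured_ids.discard(None)
    if path_project is None:
        verdict = "no-project-in-path"
    elif path_project not in configured_ids:
        verdict = "path-uses-other-project"
    elif checked is None:
        verdict = "not-an-enablement-error"
    elif checked in configured_ids:
        verdict = "api-disabled-in-configured-project"
    else:
        verdict = "enablement-checked-against-other-project"
    # Map the project named in the error back to a known project id, if any.
    owner = next((pid for pid, num in project_numbers.items()
                  if checked in (pid, num)), None)
    return {"path_project": path_project, "checked_project": checked,
            "checked_project_id": owner, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_ERROR, "project-a", PROJECT_NUMBERS))
```

A verdict of `enablement-checked-against-other-project` with the configured project in the path matches the behaviour described in this report; `path-uses-other-project` would instead mean the configured project never reached the request URL.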

Labels

  • priority: p2 (Moderately-important priority. Fix may not be included in next release.)
  • status: awaiting user response
  • type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)
