Google Cloud Vision API - How to enable a service account
I am trying to get my head round GoogleVision API Java library.

I have created a service account, downloaded the json and set this environment variable.

GOOGLE_APPLICATION_CREDENTIALS=C:\GoogleAPI\keys\translate-41428d4d1ec6.json

I have set Application Default Credentials using:

gcloud beta auth application-default login

And I am following the example here: https://cloud.google.com/vision/docs/reference/libraries

I am assuming now that all calls made will use the service account as if by magic, as I am not doing any authentication in the code (as per the sample).

However, I cannot see where I authorised the service account to use the Google Vision API, which I assume I have to. So, I could possibly not be using the service account at all...

When I go into the IAM, and try to assign a "role" to the service account, there is nothing related to the vision API? There are roles such as

  • How can I be sure I am using the service account to make the call?
  • What do I need to do explicitly to enable a service account to access a specific API such as GoogleVision when it isn't listed in IAM...or can ALL service accounts related to the project access the APIs?

The example in the documentation shows how

Any help appreciated.

Also I am interested in how I would adapt the sample to not use Application Default Credentials, but actually create a specific Credential instance and use this to call Google Vision, as that is not clear. The example given is for calling GoogleStorage, but I can't translate this to Google Vision.

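import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.storage.Storage;
import com.google.api.services.storage.StorageScopes;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collection;

public class StorageFactory {
  private static Storage instance = null;

  // Lazily builds a single shared Storage client.
  public static synchronized Storage getService() throws IOException, GeneralSecurityException {
    if (instance == null) {
      instance = buildService();
    }
    return instance;
  }

  private static Storage buildService() throws IOException, GeneralSecurityException {
    HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
    JsonFactory jsonFactory = new JacksonFactory();
    // Resolves Application Default Credentials from the environment.
    GoogleCredential credential = GoogleCredential.getApplicationDefault(transport, jsonFactory);

    // Depending on the environment that provides the default credentials (for
    // example: Compute Engine, App Engine), the credentials may require us to
    // specify the scopes we need explicitly.  Check for this case, and inject
    // the Cloud Storage scope if required.
    if (credential.createScopedRequired()) {
      Collection<String> scopes = StorageScopes.all();
      credential = credential.createScoped(scopes);
    }

    return new Storage.Builder(transport, jsonFactory, credential)
        .setApplicationName("GCS Samples")
        .build();
  }
}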

And don't get me started on the 2 hours I just wasted getting "Access Denied"...which apparently was due to the image size being over 4mb, and nothing to do with credentials!

Welcher answered 11/2, 2017 at 12:58 Comment(4)
Did you enable the Cloud Vision API for your project at console.cloud.google.com/apis/api/vision.googleapis.com/…? Also, see youtube.com/watch?v=tSnzoW4RlaQ related to service accounts. – Vertebrate
I created a service account, enabled the api. At no point have I had to give access to the vision API specifically TO the service account?! Is creation of service account enough? I am able to use the service account without a role...to access vision API...using Application Default Credentials. I thought I would have to link the service account to the API. – Welcher
As far as I can tell, you do not need any specific role to call the Vision API. I can see how that might make sense - you're uploading the image and asking for it to be categorized but you're not actually using any other cloud resources that would require permissions. – Vertebrate
Thanks for your help – Welcher

You do not need to authorize the service account to access the vision API. Enabling the API in your project and using a service account associated with that project is sufficient. Let me know if you're still having issues.

Anglonorman answered 12/2, 2017 at 5:1 Comment(1)
Thanks, next I want Vision to process images in Google Storage, so assume I need to assign an ACL to the bucket using the service account. Onwards ... – Welcher
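The question asks how to be sure the service account is the identity in use and how to build a specific credential for Vision instead of relying on Application Default Credentials. The following is an added example, not code from this thread or from Google's samples: it assumes a current google-cloud-vision client and google-auth-library-java on the classpath, and the class name, method names and command-line arguments are hypothetical.

```java
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.vision.v1.AnnotateImageRequest;
import com.google.cloud.vision.v1.Feature;
import com.google.cloud.vision.v1.Image;
import com.google.cloud.vision.v1.ImageAnnotatorClient;
import com.google.cloud.vision.v1.ImageAnnotatorSettings;
import com.google.protobuf.ByteString;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Collections;

public class VisionWithExplicitKey {  // hypothetical class name
  static final String SCOPE = "https://www.googleapis.com/auth/cloud-platform";

  // Load the key and refuse anything that is not a service-account key, such as
  // the user credentials written by `gcloud ... application-default login`.
  static ServiceAccountCredentials load(String keyPath) throws IOException {
    try (FileInputStream in = new FileInputStream(keyPath)) {
      GoogleCredentials c = GoogleCredentials.fromStream(in);
      if (!(c instanceof ServiceAccountCredentials)) {
        throw new IllegalStateException("not a service-account key: " + c.getClass().getName());
      }
      return (ServiceAccountCredentials) c;
    }
  }

  // Pin the client to this credential; Application Default Credentials are not consulted.
  static ImageAnnotatorClient client(ServiceAccountCredentials sa) throws IOException {
    GoogleCredentials scoped = sa.createScopedRequired()
        ? sa.createScoped(Collections.singletonList(SCOPE)) : sa;
    return ImageAnnotatorClient.create(ImageAnnotatorSettings.newBuilder()
        .setCredentialsProvider(FixedCredentialsProvider.create(scoped)).build());
  }

  public static void main(String[] args) throws IOException {  // args: <key.json> <image file>
    ServiceAccountCredentials sa = load(args[0]);
    System.out.println("Calling Vision as " + sa.getClientEmail()
        + " (project " + sa.getProjectId() + ", key id " + sa.getPrivateKeyId() + ")");
    AnnotateImageRequest req = AnnotateImageRequest.newBuilder()
        .setImage(Image.newBuilder().setContent(ByteString.copyFrom(Files.readAllBytes(Paths.get(args[1])))))
        .addFeatures(Feature.newBuilder().setType(Feature.Type.LABEL_DETECTION)).build();
    try (ImageAnnotatorClient vision = client(sa)) {
      System.out.println(vision.batchAnnotateImages(Collections.singletonList(req)));
    }
  }
}
```

The printed client e-mail and key id can be matched against the service account and key listed for the project, which confirms which identity and which downloaded key the calls are made with.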
