How to enable Google Vision API to access Google Cloud Storage Bucket within same project

About

Asked 8/2, 2017 at 23:34 Answered 8/2, 2017 at 23:56

google-cloud-storage google-cloud-vision google-vision

I have uploaded some test images to a Google Cloud Bucket, but don't want to make them public (which would be cheating). When I try to run a rest call for Google Vision API I get:

{
  "responses": [
    {
      "error": {
        "code": 7,
        "message": "image-annotator::User lacks permission.: Can not open file: gs://images-translate-156512/P1011234.JPG"
      }
    }
  ]
}

What are the steps to enable the Google Vision API to access Google Cloud Storage objects within the same project? At the moment I am using only the API key while I experiment with Google Vision. I am suspecting a service account may be required and an ACL on the GCS objects.

I could bypass GCS altogether and base64 encode the image and send it Google Vision API, but really want to try and solve this use case. Not used ACLs yet, or service accounts.

Any help appreciated

Orthoclase answered 8/2, 2017 at 23:34 Comment(0)

API keys are not used for authorization. They are used in situations where you want to specify which project should be billed for an operation and which project's quota should be used, but they do not authenticate you as any particular entity.

In order to use the Cloud Vision API with a non-public GCS object, you'll need to send OAuth authentication information along with your request for a user or service account which has permission to read the GCS object.

Authorization is a complex topic. I recommend using the gcloud command-line utility for ad-hoc experimentation or the Google Cloud client library for the language you're developing in.

Google has a guide for authorization here: https://cloud.google.com/docs/authentication

Buddleia answered 8/2, 2017 at 23:56 Comment(5)

So I create a service account and assign it an ACL at the bucket level? Does this service account need to be aligned to the Google Vision API or just Google Storage? – Orthoclase 9/2, 2017 at 0:8

The link states all Google Cloud APIs require authentication, but I am just sending an API key to access Google Vision? – Orthoclase 9/2, 2017 at 0:10

A service account isn't strictly necessary; you could make the call with your own account as well. If you do want to use a service account, it needs to be granted read permission to the GCS bucket. – Buddleia 9/2, 2017 at 19:11

@Orthoclase did you manage to do it ? I have the same problem as you – Penstock 30/10, 2019 at 10:43

Check to make sure that the account reading the object (which may not be your account) has read permission. If you want to sanity check that it's a permission issue related to cloud storage, you could try making an object publicly readable. – Buddleia 30/10, 2019 at 18:19

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags