How to enable Google Vision API to access Google Cloud Storage Bucket within same project

6
votes

I have uploaded some test images to a Google Cloud Bucket, but don't want to make them public (which would be cheating). When I try to run a rest call for Google Vision API I get:

{
  "responses": [
    {
      "error": {
        "code": 7,
        "message": "image-annotator::User lacks permission.: Can not open file: gs://images-translate-156512/P1011234.JPG"
      }
    }
  ]
}

What are the steps to enable the Google Vision API to access Google Cloud Storage objects within the same project? At the moment I am using only the API key while I experiment with Google Vision. I am suspecting a service account may be required and an ACL on the GCS objects.

I could bypass GCS altogether and base64 encode the image and send it Google Vision API, but really want to try and solve this use case. Not used ACLs yet, or service accounts.

Any help appreciated

1
google-cloud-storagegoogle-cloud-visiongoogle-vision

1 Answers

3
votes

API keys are not used for authorization. They are used in situations where you want to specify which project should be billed for an operation and which project's quota should be used, but they do not authenticate you as any particular entity.

In order to use the Cloud Vision API with a non-public GCS object, you'll need to send OAuth authentication information along with your request for a user or service account which has permission to read the GCS object.

Authorization is a complex topic. I recommend using the gcloud command-line utility for ad-hoc experimentation or the Google Cloud client library for the language you're developing in.

Google has a guide for authorization here: https://cloud.google.com/docs/authentication