1 vote

I want to use the Google Cloud Natural Language API with its Node.js lib. For authentication, I use a service account as suggested by the docs. The docs suggest using the role "Owner", but for production "more granular" permissions. Unfortunately they don't mention the available roles. Nor do I find roles in the IAM docs, where I usually look up roles/permissions.

Which roles are available for the NLP API? There are AutoML roles, and as AutoML is related to NLP, maybe they fit?

My tests have shown that it actually doesn't matter which role I use. Even something like "BigQuery MetadataViewer" will grant access to the NLP API?! However, I would like to use the correct role instead of a random one, or sometime later things will break.

And to add to the confusion, the API keys doc says that the NLP API is only accessible via API key, but the NLP doc itself tells you to use a service account. I guess the API key is legacy information...

1
When it comes to IAM, I usually think about the negative ramifications of inappropriate access. For example, deleting a file or inserting a record in a database. My understanding of NLP is that I give it a piece of text and it comes back with annotations on what that text contains. This then begs the question ... other than the cost of using the service, what, if any, negative ramification could result from invoking NLP? What roles might possibly make sense for this service? – Kolban
Well, I use IAM per service for security reasons, and every service only gets the permissions it really needs. So the attack surface is minimized in case of a breach in a microservice. Also, being able to break down which key caused which cost helps a lot. – pHiL

1 Answer

3 votes

Cloud Natural Language uses AutoML roles since it is part of the AutoML products. At this moment the AutoML roles are: AutoML Admin, AutoML Editor, AutoML Predictor and AutoML Viewer.

You have to analyze which roles you will use in your application, and once you have determined that, you can decide which type of role fits your app. Remember that with custom roles you can define the access level you need for your users.

Keep in mind that a service account is a special type of Google account and is not attached to a user; thus, the resources that use that service account don't need end-user authentication, which is why it is recommended to use a service account when you are working with a client library (Node.js).