Give Google Cloud Vision API access to Firebase Storage

Question

I'm using Firebase on iOS, and I want to let users upload a photo to Firebase Storage. After that, I want to analyze the photo using Google Cloud Vision APIs.

Uploading works fine.

To analyze the photo, I'm specifying it using

image = {
    source = {
        gcsImageUri = "gs://app.name.from.firebase.console/path.to.photo";
    };
};

The problem is that I get the following error

error = {
    code = 7;
    message = "image-annotator::User lacks permission.: Calling GetObjectMetadata with file \"/bigstore/gs://app.name.from.firebase.console/path.to.photo\": cloud.bigstore.ResponseCode.ErrorCode::ACCESS_DENIED: ACCESS_DENIED: gaiaUser/0 does not have OBJECTS_GET access to object gs://app.name.from.firebase.console/path.to.photo.";
};

Do you have any suggestion w.r.t. what permissions I need to set?

Thanks!

Answer 1

I managed to temporarily fix the issue by giving Reader permission to allUsers on the bucket and also for the object default permissions.

Answer 2

I assume this is because the service account (GCS docs) that you created for using the Cloud Vision API and Firebase Storage (just a Google Cloud Storage bucket) together may not cover using both of them. How did you create your service account? According to these instructions (Cloud Vision docs)?

You can resolve this by creating a service account with permissions to read your bucket (ensure that the IAM role includes object GET). You may also have to add this service account to your default bucket and object ACLs if it isn't already (they usually do get added if they are created with the right IAM role for the bucket, but it's wise to check).

FWIW, I have a project that does exactly this, so I'm surprised that a default service account wouldn't work for both of these things.