IAM roles for Google Cloud Natural Language API

Question

I want to use Google Cloud Natural Language API with its Node.js lib. For authentication, I use a service-account as suggested by the docs Docs suggest to use role "Owner" but for production "more granular" permissions. Unfortunately they dont mention available roles. Nor do I find roles at IAM docs, where I usually lookup roles/permissions.

Which roles are available for NLP API ? There are AutoML roles and as AutoML is related to NLP, maybe they fit?

My tests have shown that it actually doesnt matter which role I use. Even sth like "BigQuery MetadataViewer" will grant access to NLP API ?! However I would like to use the correct role instead of a random one and somewhen later stuff will break.

And to add to the confusion, API keys doc says that NLP API is only accessible via API-key, but the NLP doc itself tells you to use a service-account. I guess API key is legacy information..

Answer 1

Cloud Natural Language uses AutoML roles since is part of the AutoML products. At this moment Auto ML roles has: AutoML Admin, AutoML Editor, AutoML Predictor and AutoML Viewer.

You have to analyze which roles you will use in your application and once you determine it you could decide which type of roles fits to your app, remember that with custom roles you can define the level access you need to your users.

Keep in mind that service account is as special type of Google account and is not attached to a user; thus, the resources which used that service account don't need end-user authentication, that's why is recommended to use a service account where you are working with a client library (Node.JS).