Reputation: 11
How to get Google App Engine using proper credentials for Vision API?
Context:
I have a Python Flask application working locally that uses the Google Vision API to detect labels in photos.
To use the Google Vision API, I use a GOOGLE_APPLICATION_CREDENTIALS environmental variable. I have a "google-secret.json" key stored locally, which I use to set the GOOGLE_APPLICATION_CREDENTIALS variable with the following two lines:
import os
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "google-secret.json"
The above enables me to run this line successfully, locally:
image_label_client = vision.ImageAnnotatorClient()
I'm using Google Cloud Build to automatically deploy this application into the Google App Engine Standard environment. I have *google-secret.json included in my .gitignore file so my key does not become public, and I have Google Cloud Build source from my remote GitHub repository.
I'm new to creating automatic build/deploy pipelines and I'm trying to understand how to get my Google App Engine application to either automatically set a GOOGLE_APPLICATION_CREDENTIALS environmental variable upon build, or access the relevant credentials some other way, to successfully create the vision.ImageAnnotatorClient().
I'm open to any method that works. I've been searching the internets for a few days but haven't been able to solve this one.
The solution path I'm currently pursuing: Google Secret Manager API.
I'm able to use the Google Secret Manager API locally to access a secret version that has the json key needed for my application to use the Google Vision API. But I'm facing two problems:
- I need to use a .json secret file as a key to gain permission to access the secret via Google Secret Manager API, so this re-surfaces the same problem I was originally trying to solve: figuring out how to automatically set up and access a json secret key on a Google Cloud Build / Google App Engine application.
- When I retrieve the secret through the Google Secret Manager API, I don't know how to turn it into a credential for the
vision.ImageAnnotatorClient().
For problem number 2: Normally, I would not use an explicit credential argument for vision.ImageAnnotatorClient(). Instead, it would take credentials from this earlier line:
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "google_secret.json"
If I try to turn the Google Secret API payload into a .json file, I do it like this:
payload = response.payload.data.decode('UTF-8')
payload_json = json.dumps(payload)
google_api_secret = payload_json
then write it to a file:
with open("google_secret.json", "w") as write_file:
json.dump(google_api_secret, write_file)
But I get the following error when running
image_label_client = vision.ImageAnnotatorClient()
AttributeError: 'str' object has no attribute 'get'
Any help you could provide would be much appreciated!
Upvotes: 1
Views: 970
Answers (2)
Reputation: 8066
I need to use a .json secret file as a key to gain permission to access the secret via Google Secret Manager API, so this re-surfaces the same problem I was originally trying to solve: figuring out how to automatically set up and access a json secret key on a Google Cloud Build / Google App Engine application.
You can use the Default App Engine service account ([email protected]) to access Vision API. The default service account has Editor role, which includes all the permissions you need, you do not have to access another service account from Google Secret Manager.
import googleapiclient.discovery
vision_client = googleapiclient.discovery.build(
'vision', 'v1')
vision_client.files().annotate(body={}).execute()
Upvotes: 0
Reputation: 11
App Engine will use the Application Default Credentials (ADC) strategy, which looks for credentials in the following order:
GOOGLE_APPLICATION_CREDENTIALSenvironment variable- The default service account provided by App Engine
- Otherwise, an error is thrown
GCP's App Engine docs provide an example using the Cloud Storage API in the standard environment here: https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_app_engine_standard_environment
Upvotes: 1
Related Questions
- compute engine's service account has insufficient scopes for cloud vision api
- Could not establish an API connection in Google Cloud Platform
- How to authenticate a google vision API on cloud inside a python script?
- Trouble with Google Application Credentials
- google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes
- How to get credentials in Google AppEngine Python37
- vision-client doesn't supprt api-key
- Google Cloud vision API: "Request had insufficient authentication scopes."
- How to use google cloud vision with Google App Engine Python?
- How to access google cloud vision API in python program?