What am I doing wrong to get this error for Google Vision API

Question

I have been getting a "Error opening File: gs://{gs-bucket-path}/{gs bucket folder path} - In VS code

I have tried it in Postman and receive "Error opening file: gs://{gs-bucket-path}/{gs bucket folder path} permission denied.

I have a Service Account created under the project for this OCR API project, I downloaded the JSON and ensure in PowerShell that the GOOGLE_APPLICATION_CREDENTIAL key/path is pointing correctly to my JSON file that I downloaded. I have set API keys and tried OAuth 2.0 credentials.

I am pretty new to doing APIs and having to deal with CRUD and JSON but have learned an ok amount of terminology with messing up so much.

I have set permissions under my account in the organization as Storage Object Owner Project IAM Admin Project Mover Storage Admin Storage Folder Admin Storage Object Admin Storage Object Creator Storage Object Viewer

Have also set the Service Account permissions under the Project as Storage Object Creator, Storage Object Viewer, & Storage Object User Removed it as Owner as I read on another post that its not a good idea.

I'm confused.

Here is my code from postman and the error i am receiving

POST https://vision.googleapis.com/v1/files:asyncBatchAnnotate?key={{key}} this is where I'm calling.

    {
  "requests": [
    {
      "inputConfig": {
        "gcsSource": {
          "uri": "gs://My-Path-To-My-GsBucket/My-Path-To-Folder&File.pdf"
        },
        "mimeType": "application/pdf"
        
      },
      "outputConfig": {
        "gcsDestination": {
          "uri": "gs://My-Path-To-Output-Folder/"
        },
        "batchSize": 1
      },
      "features": [
        {
          "type": "TEXT_DETECTION"
          
        }
        
      ]
      
    }

  ]
  
}

the response i get is "error":{ "code":403 "message": error opening file { my path} "status": Permission_denied

Answer 1

So i found a Postman video on setting up Google OAuth from the actual google cloud console, followed that guide, found out i had some information in the Auth URL wrong in the OAuth 2.0 set up on postman along with a Client Authentication was wrong. Fixed & ran that. Received a token, used as bearer and no error anymore. Onto the next step! TY so much for everyone's help.

Answer 2

Seems the service account does not have permission to access the file, so you need to set up proper permissions to use the PDF API (or any other API involving this file). See this documentation for details:

Try adding the scope googleapis.com/auth/cloud-platform (View and manage your data across Google Cloud Platform services). For more information check this Cloud Storage OAuth 2.0 scopes

Most of the operations you perform in Cloud Storage must be authenticated. The only exceptions are operations on resources that allow anonymous access.

Authorization is the process of determining what permissions an authenticated identity has on a set of specified resources. OAuth 2.0 uses scopes to determine if an authenticated identity is authorized. Applications use a credential (obtained from a user-centric or server-centric authentication flow) together with one or more scopes to request an access token from a Google authorization server to access protected resources.

Also as stated here This error (403) indicates that the user was not authorized by Google Cloud Storage to make the request.

A common source of this error is that the bucket permissions (bucket ACL) are not set properly to allow your app access. See Google Cloud Storage Authentication for information on setting up access.

If you are still facing the issue consider contacting Google Cloud Support to further investigate the problem.