Google Cloud Vision API - How to enable a service account

Question

I am trying to get my head round GoogleVision API Java library.

I have created a service account, downloaded the json and set this environment variable.

GOOGLE_APPLICATION_CREDENTIALS=C:\GoogleAPI\keys\translate-41428d4d1ec6.json

I have set Application Default Credentials using:

gcloud beta auth application-default login

And I am following the example here: https://cloud.google.com/vision/docs/reference/libraries

I am assuming now that all calls made will use the service account as if by magic, as I am not doing any authentication in the code (as per the sample).

However, I cannot see where I authorised the service account to use the Google Vision API, which I assume I have to. So, I could possible not be using the service account at all...

When I go into the IAM, and try to assign a "role" to the service account, there is nothing related to the vision API? There are roles such as

• How can I be sure I am using the service account to make the call?
• What do I need to to explicitly to enable a service account to access a specific API such as GoogleVision when it isnt listed in IAM...or can ALL service accounts related to the project access the APIs?

The example in the documentation shows how

Any help appreciated.

Also I am interested in how I would adapt the sample to not use Application Default Credentials, but actually create a specific Credential instance and use this to call Google Vision, as that is not clear. The example give is for calling GoogleStorage, but I can't translate this to Google Vision.

public class StorageFactory {
  private static Storage instance = null;

  public static synchronized Storage getService() throws IOException, GeneralSecurityException {
    if (instance == null) {
      instance = buildService();
    }
    return instance;
  }

  private static Storage buildService() throws IOException, GeneralSecurityException {
    HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
    JsonFactory jsonFactory = new JacksonFactory();
    GoogleCredential credential = GoogleCredential.getApplicationDefault(transport, jsonFactory);

    // Depending on the environment that provides the default credentials (for
    // example: Compute Engine, App Engine), the credentials may require us to
    // specify the scopes we need explicitly.  Check for this case, and inject
    // the Cloud Storage scope if required.
    if (credential.createScopedRequired()) {
      Collection<String> scopes = StorageScopes.all();
      credential = credential.createScoped(scopes);
    }

    return new Storage.Builder(transport, jsonFactory, credential)
        .setApplicationName("GCS Samples")
        .build();
  }
}

And don't get me started on the 2 hours I just wasted getting "Access Denied"...which apparently was due to the image size being over 4mb, and nothing to do with credentials!

Answer 1

You do not need to authorize the service account to access the vision API. Enabling the API in your project and using a service account associated with that project is sufficient. Let me know if you're still having issues.