Google Speech API returns 403 PERMISSION_DENIED

Question

I have been using the Google Speech API to transcribe audio to text from my PHP app (using the Google Cloud PHP Client) for several months without any problem. But my calls have now started to return 403 errors with status "PERMISSION_DENIED" and message "The caller does not have permission".

I'm using the Speech API together with Google Storage. I'm authenticating using a service account and sending my audio data to Storage. That's working, the file gets uploaded. So I understand - but I might be wrong? - that "the caller" does not have permission to then read to the audio data from Storage.

I've been playing with permissions through the Google Console without success. I've read the docs but am quite confused. The service account I am using (I guess this is "the caller"?) has owner permissions on the project. And everything used to work fine, I haven't changed a thing.

I'm not posting code because if I understand correctly my app code isn't the issue - it's rather my Google Cloud settings. I'd be grateful for any idea or clarifications of concepts!

Thanks.

Answer 1

Being an owner of the project doesn't necessarily imply that the service account has read permission on the object. It's possible that the object was uploaded by another account that specified a private ACL or similar.

Make sure that the service account has access to the object by giving it the right permissions on the entire bucket or on the specific object itself.

You can do so using gsutil acl. More information and additional methods may be found in the official documentation.

For instance the following command gives READ permission on an object to your service account:

gsutil acl -r ch -u [email protected]:R gs://bucket/object

And this command gives READ permission on an entire bucket to your service account:

gsutil acl -r ch -u [email protected]:R gs://bucket