Permission denied on GCP video API call
so I can make a valid video api request with the sample video given in the quick starter. https://cloud.google.com/video-intelligence/docs/getting-started I have tried many different ways to authenticate in api. The API token used was generated from the credentials page in the console. There are no options to bind it to the video api, so I figured it should work automatically. API is enabled on my account.
export TOKEN="foobar"
curl -XPOST -s -k -H"Content-Type: application/json" "https://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN" --data '{"inputUri": "gs://custom-bucket/IMG_3591.mov", "features": ["LABEL_DETECTION"]}'
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
curl -XPOST -s -k -H"Content-Type: application/json" "https://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN" --data '{"inputUri": "gs://cloud-ml-sandbox/video/chicago.mp4", "features": ["LABEL_DETECTION"]}'
{
"name": "us-east1.18013173402060296928"
}
Update:
I set the file to public and it worked. But I need to access this as private, so I gave the service account access to the file and tried to get the API key as suggested.
export TOKEN="$(gcloud auth print-access-token)"
curl -XPOST -s -k -H"Content-Type: application/json" "https://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN" --data '{"inputUri": "gs://custom-bucket/IMG_3591.mov", "features":["LABEL_DETECTION"]}'
{
"error": {
"code": 400,
"message": "API key not valid. Please pass a valid API key.",
"status": "INVALID_ARGUMENT",
"details": [
{
"@type": "type.googleapis.com/google.rpc.Help",
"links": [
{
"description": "Google developers console",
"url": "https://console.developers.google.com"
}
]
}
]
}
}
It seems that the token returned by this print type accessor function is not working. I have an API key, but it doesn't have access to the bucket, and I don't see a way to grant access to the API keys.
Update 2:
So it looks like we set our token incorrectly. We followed this example https://cloud.google.com/video-intelligence/docs/analyze-labels#videointelligence-label-file-protocol from which we got apiKey = $ TOKEN. But it looks like we needed to install the Header Header. We tried this first, but we had our first problem of not having access to the bucket. So thanks.
source to share
TL; DR . The Video Intelligence service cannot access the file in your cloud storage due to lack of permissions. Since the API uses permissions on the service account token, you need to grant permissions to your service account to read the file in the GCS bucket or the entire GCS array.
Long version
The access token you pass must match the IAM service account key. The service account will be owned by the project (where you need to enable video API access) and the service account must have permissions to the GCS substance you are trying to access.
Each such service account has an associated email ID on the form SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com
.
In the Cloud Console, you can go to the cloud storage / storage file and grant permissions Reader
for the email address of the IAM service account. There is no need to publish this bucket.
If you are using gsutil
, you can run the following equivalent command:
gsutil acl ch -u SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com:READ gs://custom-bucket/IMG_3591.mov`
I verified this myself with an IAM service account I created in my project and used it to call the video information API. The file was not published, but only granted Reader permissions to the service account.
I used gcloud to activate the service account and get an access token, although you can do it manually using Google's OAuth API:
-
gcloud auth activate-service-account SERVICE_ACCOUNT_KEY.json
-
export TOKEN="$(gcloud auth print-access-token)"
The steps to create an IAM service account using gcloud are in the same page .
source to share