向GCP视频智能API请求时拒绝权限 [英] Permission Denied When Making Request to GCP Video Intelligence API

问题描述

因此，我可以用快速入门中给出的示例视频向视频智能API做出有效的请求。 https://cloud.google.com/video-intelligence/docs/getting-开始我已经尝试了许多不同的方法来验证api。我正在使用的API令牌是从控制台中的Credentials页面创建的。没有选择将其绑定到视频API，所以我认为它应该会自动工作。 API已在我的账户中启用。

  export TOKEN =foobar
 curl -XPOST -s -k -HContent-Type：application / jsonhttps://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN--data'{inputUri：gs：// custom-bucket /IMG_3591.mov，features：[LABEL_DETECTION]}'
 {
error：{
code：403，
message：调用者没有权限，
status：PERMISSION_DENIED
} 
} 
 
 curl -XPOST -s -k -HContent-Type ：application / jsonhttps://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN--data'{inputUri：gs：// cloud-ml-sandbox / video / chicago .mp4，features：[LABEL_DETECTION]}'
 {
name：us-east1.18013173402060296928
} 
  

更新：

我将文件设为公共并且工作正常。但我需要将其作为私人访问，因此我授予服务帐户访问该文件的权限，并尝试获取建议的API密钥。

  export TOKEN =$（gcloud auth print-access-token）
 curl -XPOST -s -k -HContent-Type：application / jsonhttps://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN--data'{inputUri：gs：// custom-bucket /IMG_3591.mov，features：[LABEL_DETECTION]}'
 {
error：{
code：400，
message： ，
status：INVALID_ARGUMENT，
details：[
 {
@type： type.googleapis.com/google.rpc.Help，
links：[
 {
description：Google开发者控制台，
url： https://console.developers.google.com
} 
] 
} 
] 
} 
} 
  

好像这个打印访问令牌函数返回的令牌不起作用。我有一个API密钥，但它没有访问存储桶的权限，我也没有看到给API密钥访问的方法。

更新2：

所以看起来我们正在设置我们的标记是错误的。我们按照以下示例 https：//云端.google.com / video-intelligence / docs / analyze-labels＃videointelligence-label-file-protocol 这是我们从中获得apiKey = $ TOKEN的地方。但看起来我们需要设置承载头。我们确实尝试过，但我们遇到了第一个无法访问的问题。

TL; DR - Video Intelligence服务无法访问文件您的云存储存储分区，因为缺少权限。由于API使用传递的服务帐户令牌的权限，因此您需要授予您的服务帐户读取GCS存储桶或整个GCS存储桶本身的文件的权限。

长版本

您传递的访问令牌应与IAM服务帐户密钥相对应。服务帐户将属于一个项目（您需要启用视频智能API访问权限），并且该服务帐户应具有访问您尝试访问的GCS存储桶的权限。

每个此类服务帐户都有一个关联的电子邮件ID，格式为 SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com 。

在云控制台中，您可以转到云存储存储桶/文件，并为IAM服务帐户电子邮件地址授予 Reader 权限。如果您使用 gsutil ，则可以运行以下等效命令：

  gsutil acl ch -u SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com：READ gs：// custom-bucket / IMG_3591 .mov` 
  

我用我在项目中创建的IAM服务帐户自己确认了这一点，并使用此帐户调用视频智能API。该文件未公开，但授予读者权限仅限于服务帐户。

我使用gcloud激活服务帐户并获取访问令牌，尽管您可以执行此操作此手动以及使用谷歌OAuth API：

$ ul

gcloud auth activate-service-account SERVICE_ACCOUNT_KEY.json code>

export TOKEN =$（gcloud auth print-access-token）

使用gcloud创建IAM服务帐户的步骤位于同一页面。

so I am able to make a valid request to the video intelligence api with the sample video given in the quickstart. https://cloud.google.com/video-intelligence/docs/getting-started I have tried many different ways of authenticating to the api as well. The API token I am using was created from the Credentials page in the console. There are no options to tie it to the video api so I figured it should automatically work. The API has been enabled on my account.

export TOKEN="foobar"
curl -XPOST -s -k -H"Content-Type: application/json" "https://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN" --data '{"inputUri": "gs://custom-bucket/IMG_3591.mov", "features": ["LABEL_DETECTION"]}'
{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

curl -XPOST -s -k -H"Content-Type: application/json" "https://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN" --data '{"inputUri": "gs://cloud-ml-sandbox/video/chicago.mp4", "features": ["LABEL_DETECTION"]}'
{
  "name": "us-east1.18013173402060296928"
}

Update:

I set the file as public and it worked. But I need to access this as private, so I gave the service account access to the file and tried to get the API key like suggested.

export TOKEN="$(gcloud auth print-access-token)"
curl -XPOST -s -k -H"Content-Type: application/json" "https://videointelligence.googleapis.com/v1beta1/videos:annotate?key=$TOKEN" --data '{"inputUri": "gs://custom-bucket/IMG_3591.mov", "features":["LABEL_DETECTION"]}'
{
  "error": {
    "code": 400,
    "message": "API key not valid. Please pass a valid API key.",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.Help",
        "links": [
          {
            "description": "Google developers console",
            "url": "https://console.developers.google.com"
          }
        ]
      }
    ]
  }
}

It seems like the token returned by this print-access-token function does not work. I do have an API key, but it does not have access to the bucket and I don't see a way to give an API key access.

Update 2:

So it looks like we were setting our token wrong. We were following this example https://cloud.google.com/video-intelligence/docs/analyze-labels#videointelligence-label-file-protocol which is where we got the apiKey=$TOKEN from. But it looks like we needed to set the Bearer Header. We did try this at first but we were having the first issue of not having access to the bucket. So thank you.

解决方案

TL;DR - Video Intelligence service is unable to access the file on your Cloud storage bucket because of lack of permissions. Since the API uses the permissions of the service account token being passed, you will need to grant your service account permissions to read the file in the GCS bucket or the entire GCS bucket itself.

Long version

The access token you pass should correspond to an IAM service account key. The service account will belong to a project (where you need to enable the Video intelligence API access) and the service account should have permissions to access the GCS bucket you're trying to access.

Each such service account has an associated email id in the form SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com.

In Cloud console, you can go to the Cloud storage bucket/file and grant Reader permissions for the IAM service account email address. There is no need to make this bucket public.

If you use gsutil, you can run the following equivalent command:

gsutil acl ch -u SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com:READ gs://custom-bucket/IMG_3591.mov`

I confirmed this myself with an IAM service account that I created in my project and used this to invoke the video intelligence API. The file was not made public, but granted Reader permissions only to the service account.

I used gcloud to activate the service account and fetch the access token, although you can do this manually as well using the google OAuth APIs:

• gcloud auth activate-service-account SERVICE_ACCOUNT_KEY.json
• export TOKEN="$(gcloud auth print-access-token)"

The steps for creating the IAM service account using gcloud are in the same page.

这篇关于向GCP视频智能API请求时拒绝权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！