如何使用正确的 Vision API 凭据获取 Google App Engine?
[英]How to get Google App Engine using proper credentials for Vision API?
问题描述
Context:
语境:
I have a Python Flask application working locally that uses the Google Vision API to detect labels in photos.我有一个在本地工作的 Python Flask 应用程序,它使用 Google Vision API 检测照片中的标签。
To use the Google Vision API, I use a GOOGLE_APPLICATION_CREDENTIALS environmental variable.为了使用 Google Vision API,我使用了GOOGLE_APPLICATION_CREDENTIALS环境变量。 I have a "google-secret.json" key stored locally, which I use to set the GOOGLE_APPLICATION_CREDENTIALS variable with the following two lines:我在本地存储了一个"google-secret.json"密钥,我用它来设置GOOGLE_APPLICATION_CREDENTIALS变量,其中包含以下两行:
import os
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "google-secret.json"
The above enables me to run this line successfully, locally:以上使我能够在本地成功运行此行:
image_label_client = vision.ImageAnnotatorClient()
I'm using Google Cloud Build to automatically deploy this application into the Google App Engine Standard environment.我正在使用 Google Cloud Build 自动将此应用程序部署到 Google App Engine 标准环境中。 I have *google-secret.json included in my .gitignore file so my key does not become public, and I have Google Cloud Build source from my remote GitHub repository.我的.gitignore文件中包含*google-secret.json ,因此我的密钥不会公开,并且我有来自远程 GitHub 存储库的 Google Cloud Build 源。
I'm new to creating automatic build/deploy pipelines and I'm trying to understand how to get my Google App Engine application to either automatically set a GOOGLE_APPLICATION_CREDENTIALS environmental variable upon build, or access the relevant credentials some other way, to successfully create the vision.ImageAnnotatorClient() .我是创建自动构建/部署管道的新手,我试图了解如何让我的 Google App Engine 应用程序在构建时自动设置GOOGLE_APPLICATION_CREDENTIALS环境变量,或以其他方式访问相关凭据,以成功创建vision.ImageAnnotatorClient() 。
I'm open to any method that works.我对任何有效的方法持开放态度。 I've been searching the internets for a few days but haven't been able to solve this one.我已经在互联网上搜索了几天,但一直无法解决这个问题。
The solution path I'm currently pursuing: Google Secret Manager API.我目前追求的解决方案路径:Google Secret Manager API。
I'm able to use the Google Secret Manager API locally to access a secret version that has the json key needed for my application to use the Google Vision API.我能够在本地使用 Google Secret Manager API 来访问具有我的应用程序使用 Google Vision API 所需的 json 密钥的秘密版本。 But I'm facing two problems:但我面临两个问题:
- I need to use a .json secret file as a key to gain permission to access the secret via Google Secret Manager API, so this re-surfaces the same problem I was originally trying to solve: figuring out how to automatically set up and access a json secret key on a Google Cloud Build / Google App Engine application.我需要使用一个 .json 机密文件作为密钥来获得通过 Google Secret Manager API 访问机密的权限,所以这又再次出现了我最初试图解决的相同问题:弄清楚如何自动设置和访问一个Google Cloud Build / Google App Engine 应用程序上的 json 密钥。
- When I retrieve the secret through the Google Secret Manager API, I don't know how to turn it into a credential for the
vision.ImageAnnotatorClient().当我通过 Google Secret Manager API 检索机密时,我不知道如何将其转换为vision.ImageAnnotatorClient()的凭据。
For problem number 2: Normally, I would not use an explicit credential argument for vision.ImageAnnotatorClient() .对于问题 2:通常,我不会为vision.ImageAnnotatorClient()使用显式凭据参数。 Instead, it would take credentials from this earlier line:相反,它将从较早的行中获取凭据:
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "google_secret.json"
If I try to turn the Google Secret API payload into a .json file, I do it like this:如果我尝试将 Google Secret API 负载转换为 .json 文件,我会这样做:
payload = response.payload.data.decode('UTF-8')
payload_json = json.dumps(payload)
google_api_secret = payload_json
then write it to a file:然后将其写入文件:
with open("google_secret.json", "w") as write_file:
json.dump(google_api_secret, write_file)
But I get the following error when running但是运行时出现以下错误
image_label_client = vision.ImageAnnotatorClient()
AttributeError: 'str' object has no attribute 'get'
Any help you could provide would be much appreciated!您能提供的任何帮助将不胜感激!
2 个解决方案
解决方案1
1 2020-03-22 20:17:12
App Engine will use the Application Default Credentials (ADC) strategy, which looks for credentials in the following order: App Engine 将使用应用程序默认凭据 (ADC)策略,该策略按以下顺序查找凭据:
-
GOOGLE_APPLICATION_CREDENTIALSenvironment variableGOOGLE_APPLICATION_CREDENTIALS环境变量 - The default service account provided by App Engine App Engine 提供的默认服务帐户
- Otherwise, an error is thrown否则抛出错误
GCP's App Engine docs provide an example using the Cloud Storage API in the standard environment here: https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_app_engine_standard_environment GCP 的 App Engine 文档在此处提供了在标准环境中使用 Cloud Storage API 的示例: https : //cloud.google.com/docs/authentication/production#obtaining_credentials_on_app_engine_standard_environment
解决方案2
0 2020-03-22 21:31:17
I need to use a .json secret file as a key to gain permission to access the secret via Google Secret Manager API, so this re-surfaces the same problem I was originally trying to solve: figuring out how to automatically set up and access a json secret key on a Google Cloud Build / Google App Engine application.我需要使用一个 .json 机密文件作为密钥来获得通过 Google Secret Manager API 访问机密的权限,所以这又再次出现了我最初试图解决的相同问题:弄清楚如何自动设置和访问一个Google Cloud Build / Google App Engine 应用程序上的 json 密钥。
You can use the Default App Engine service account ( YOUR_PROJECT_ID@appspot.gserviceaccount.com ) to access Vision API.您可以使用默认 App Engine 服务帐户 ( YOUR_PROJECT_ID@appspot.gserviceaccount.com ) 访问 Vision API。 The default service account has Editor role, which includes all the permissions you need, you do not have to access another service account from Google Secret Manager.默认服务帐户具有Editor角色,其中包括您需要的所有权限,您不必从 Google Secret Manager 访问另一个服务帐户。
import googleapiclient.discovery
vision_client = googleapiclient.discovery.build(
'vision', 'v1')
vision_client.files().annotate(body={}).execute()
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.