
How to get Google App Engine using proper credentials for Vision API?

Context:

I have a Python Flask application working locally that uses the Google Vision API to detect labels in photos.

To use the Google Vision API, I use a GOOGLE_APPLICATION_CREDENTIALS environmental variable. I have a "google-secret.json" key stored locally, which I use to set the GOOGLE_APPLICATION_CREDENTIALS variable with the following two lines:

import os
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "google-secret.json"

The above enables me to run this line successfully, locally:

image_label_client = vision.ImageAnnotatorClient()

I'm using Google Cloud Build to automatically deploy this application into the Google App Engine Standard environment. I have *google-secret.json included in my .gitignore file so my key does not become public, and I have Google Cloud Build source from my remote GitHub repository.

I'm new to creating automatic build/deploy pipelines and I'm trying to understand how to get my Google App Engine application to either automatically set a GOOGLE_APPLICATION_CREDENTIALS environmental variable upon build, or access the relevant credentials some other way, to successfully create the vision.ImageAnnotatorClient().

I'm open to any method that works. I've been searching the internets for a few days but haven't been able to solve this one.

The solution path I'm currently pursuing: Google Secret Manager API.

I'm able to use the Google Secret Manager API locally to access a secret version that has the json key needed for my application to use the Google Vision API. But I'm facing two problems:

  1. I need to use a .json secret file as a key to gain permission to access the secret via Google Secret Manager API, so this re-surfaces the same problem I was originally trying to solve: figuring out how to automatically set up and access a json secret key on a Google Cloud Build / Google App Engine application.
  2. When I retrieve the secret through the Google Secret Manager API, I don't know how to turn it into a credential for the vision.ImageAnnotatorClient().

For problem number 2: Normally, I would not use an explicit credential argument for vision.ImageAnnotatorClient(). Instead, it would take credentials from this earlier line:

os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "google_secret.json"

If I try to turn the Google Secret API payload into a .json file, I do it like this:

payload = response.payload.data.decode('UTF-8')
payload_json = json.dumps(payload)
google_api_secret = payload_json

then write it to a file:

with open("google_secret.json", "w") as write_file:
        json.dump(google_api_secret, write_file)

But I get the following error when running

image_label_client = vision.ImageAnnotatorClient()
AttributeError: 'str' object has no attribute 'get'

Any help you could provide would be much appreciated!

App Engine will use the Application Default Credentials (ADC) strategy, which looks for credentials in the following order:

  1. GOOGLE_APPLICATION_CREDENTIALS environment variable
  2. The default service account provided by App Engine
  3. Otherwise, an error is thrown

GCP's App Engine docs provide an example using the Cloud Storage API in the standard environment here: https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_app_engine_standard_environment

> I need to use a .json secret file as a key to gain permission to access the secret via Google Secret Manager API, so this re-surfaces the same problem I was originally trying to solve: figuring out how to automatically set up and access a json secret key on a Google Cloud Build / Google App Engine application.

You can use the default App Engine service account (YOUR_PROJECT_ID@appspot.gserviceaccount.com) to access the Vision API. The default service account has the Editor role, which includes all the permissions you need; you do not have to access another service account from Google Secret Manager.

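import googleapiclient.discovery

# No key file or explicit credentials: the client picks up the App Engine
# default service account through Application Default Credentials.
vision_client = googleapiclient.discovery.build('vision', 'v1')

# The request body is left empty in this snippet.
vision_client.files().annotate(body={}).execute()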
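Added example (not code from the question or the answer): it reproduces why the file written in the question makes the client fail with `'str' object has no attribute 'get'`, and shows the payload decoded exactly once and passed to the client in memory, so the key is never written to disk. The function names and the sample key are constructed for illustration; the last function assumes the google-auth and google-cloud-vision packages are installed.

```python
import json

# Constructed sample: the shape of a service-account key, with placeholder values.
SAMPLE_PAYLOAD = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "vision-sa@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}).encode("utf-8")

REQUIRED_FIELDS = ("type", "client_email", "private_key", "token_uri")


def file_content_from_question(payload_bytes):
    """Reproduce the question's steps: json.dumps() then json.dump() on a str."""
    text = payload_bytes.decode("utf-8")
    return json.dumps(json.dumps(text))  # what ends up in google_secret.json


def parse_key(payload_bytes):
    """Decode the secret payload exactly once and check it is a key object."""
    info = json.loads(payload_bytes.decode("utf-8"))
    if not isinstance(info, dict):
        raise ValueError("payload is %s, expected a JSON object" % type(info).__name__)
    missing = [f for f in REQUIRED_FIELDS if f not in info]
    if missing:
        raise ValueError("key is missing fields: %s" % ", ".join(missing))
    if info["type"] != "service_account":
        raise ValueError("unexpected credential type: %r" % info["type"])
    return info


def vision_client_from_payload(payload_bytes):
    """Build the client from the in-memory key; nothing is written to disk."""
    from google.oauth2 import service_account  # google-auth
    from google.cloud import vision            # google-cloud-vision
    creds = service_account.Credentials.from_service_account_info(parse_key(payload_bytes))
    return vision.ImageAnnotatorClient(credentials=creds)


if __name__ == "__main__":
    # The library json.load()s the file and gets a str, then calls .get() on it.
    on_disk = json.loads(file_content_from_question(SAMPLE_PAYLOAD))
    print(type(on_disk).__name__)
    print(sorted(parse_key(SAMPLE_PAYLOAD)))
```

On App Engine itself the default service account route from the answer needs no key at all; the in-memory load is for cases where a separate key really is required.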
