cURL to GoogleCloud Vision API: Caller does not have required permission to use project foo

Question

I'm following https://cloud.google.com/vision/docs/quickstart-cli

I've created a Google Cloud account, created a project, enabled Vision API, setup billing.

I now execute the cURL:

curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: dragon-ocr-324006" \
https://vision.googleapis.com/v1/images:annotate -d @request.json

I get the response:

{
  "error": {
    "code": 403,
    "message": "Caller does not have required permission to use project dragon-ocr-324006. Grant the caller the Owner or Editor role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=dragon-ocr-324006 and then retry (propagation of new permission may take a few minutes).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.Help",
        "links": [
          {
            "description": "Google developer console IAM admin",
            "url": "https://console.developers.google.com/iam-admin/iam/project?project=dragon-ocr-324006"
          }
        ]
      },
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "USER_PROJECT_DENIED",
        "domain": "googleapis.com",
        "metadata": {
          "consumer": "projects/dragon-ocr-324006",
          "service": "vision.googleapis.com"
        }
      }
    ]
  }
}

What does this mean? Who is the 'caller'? When I do gcloud auth application-default login it lets me log in as, I guess, root user for my gcloud. And that must be the caller...?

So, I click that link, and get:

Permissions error... great. And now other pages give the same perms-error. So I have to repoint my browser to https://console.cloud.google.com/ and go in manually.

So, both root-user and project-user (if I got that right) have Owner permission.

So what is the problem.

Maybe my local machine doesn't have the updated profile for the project-user?

ok, so rm -rf ~/.config/gcloud and gcloud auth application-default login

Quick test: gcloud auth application-default print-access-token gives me an access token, great!

I rerun my crl.sh script and get the same problem.

---

Now here's the kicker. I've got another gcloud account I just created today, and if I run it on that one, it completes fine!

So what am I doing wrong on the first account?

Answer 1

Bear with me because you asked different questions:)

• First:

Who is the 'caller'? When I do gcloud auth application-default login it lets me log in as, I guess, root user for my gcloud. And that must be the caller...?

It's normal that the error message is not referring a specific caller / identity. In fact, you are using an access token in your curl through gcloud auth application-default print-access-token . Access tokens are used to inform an API that the bearer of the token has been authorised to access the API. It doesn't hold any identity information.

• Second:

That access token has been generated for you based on the credentials, you already setup as default credentials. You get these credentials in 2 ways

• you run export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-file.json" But I think you didn't use this since you didn't evoke any key file.

• you run gcloud auth application-default login , you had to go through a web flow, and the creadentials are generated and stored under ~/.config/gcloud/application_default_credentials.json

• Third:

So, both root-user and project-user (if I got that right) have Owner permission.

ok, so rm -rf ~/.config/gcloud and gcloud auth application-default login

Here I understand that you changed the roles. So the initial role (set of permissions) given to the identity for which you generated the default credentials, was not enough.

• Fourth:

You gave both users a large set of permissions (the Owner role has almost all permissions) Then you regenerated the default credentials.

But it did not work : because as stated in error message: (propagation of new permission may take a few minutes)

• Finally:

When you came back with a new account it did work because he was already set with proper permissions. But if you retry with the old one it will work also, of course if you did not change his Owner role.

Answer 2

I had almost similar kind of issue when I was working on a Cloud Function in VS Code local development.
In my case Application Default Credentials (ADC) was pointing to different service account which didn't had enough permission.
I followed the below steps to resolve this issue:
Executed these commands (locally) in Google Cloud SDK Shell

1. First list the current configuration to verify the config values

   gcloud config list
   This will output:

   [accessibility]
   screen_reader = False
   [core]
   account = <service_account>@appspot.gserviceaccount.com
   disable_usage_reporting = True
   project = ProjectId
   

2. Then I had to run a command to list all Credentialed Accounts
   

   gcloud auth list
   This will output the service accounts and an asterisk (*) at the beginning of an account which is active.
   If this active service account is different than what is expected then must

3. activate the respective service account by running the following command.
   

   gcloud auth activate-service-account <different_service_account>@appspot.gserviceaccount.com --key-file=PATH_TO_SERVICE_ACCOUNT_KEY_FILE
   More details can be found here
   Then restart the application resolved my issue.
   

Though this is not exactly the solution for this question, but definitely may help anyone who got into this error.