
Permission denied when invoking Document AI v1beta3 from Cloud SDK Interactive Python (abbr. ipython or Ipython) following GCP tutorial for Form_Parser

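I am following the tutorial at https://codelabs.developers.google.com/codelabs/docai-form-parser-v3-python#7, and I followed all the steps they specify.....

I am using the Cloud SDK for development purposes, as specified in the tutorial, but then

The code they give is as follows: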

project_id= 'YOUR_PROJECT_ID' 
location = 'YOUR_PROJECT_LOCATION' # Format is 'us' or 'eu'
processor_id = 'YOUR_PROCESSOR_ID' # Create processor in Cloud Console
file_path = 'form.pdf' # The local file in your current working directory

from google.cloud import documentai_v1beta3 as documentai
from google.cloud import storage

def process_document(
    project_id=project_id, location=location, processor_id=processor_id,  file_path=file_path
):

    # Instantiates a client
    client = documentai.DocumentProcessorServiceClient()

    # The full resource name of the processor, e.g.:
    # projects/project-id/locations/location/processors/processor-id
    # You must create new processors in the Cloud Console first
    name = f"projects/{project_id}/locations/{location}/processors/{processor_id}"

    # Read the file into memory
    with open(file_path, "rb") as image:
        image_content = image.read()

    # Build the document payload from the file contents
    document = {"content": image_content, "mime_type": "application/pdf"}

    # Configure the process request
    request = {"name": name, "document": document}

    # Use the Document AI client to process the sample form
    result = client.process_document(request=request)

    document = result.document
    document_text = document.text
    print("Document processing complete.")
    print("Text: {}".format(document_text)) 

Then I call the function process_document(), and the response I get from GCP is the error below:

Traceback (most recent call last):
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\grpc_helpers.py", line 67, in error_remapped_callable
    return callable_(*args, **kwargs)
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\grpc\_channel.py", line 946, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\grpc\_channel.py", line 849, in _end_unary_response_blocking
    raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
        status = StatusCode.PERMISSION_DENIED
        details = "Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist)."
        debug_error_string = "{"created":"@1621998239.448000000","description":"Error received from peer ipv4:172.217.166.170:443","file":"src/core/lib/surface/call.cc","file_line":1067,"grpc_message":"Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist).","grpc_status":7}"
>

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT_FormParser.py", line 77, in <module>
    process_document_sample(project_id = project_id, location= location, processor_id= processor_id, file_path= file_path)
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT_FormParser.py", line 38, in process_document_sample
    result = client.process_document(request=request)
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\cloud\documentai_v1\services\document_processor_service\client.py", line 440, in process_document
    response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\gapic_v1\method.py", line 145, in __call__
    return wrapped_func(*args, **kwargs)
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\retry.py", line 285, in retry_wrapped_func
    return retry_target(
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\retry.py", line 188, in retry_target
    return target()
  File "C:\Users\91982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\grpc_helpers.py", line 69, in error_remapped_callable
    six.raise_from(exceptions.from_grpc_error(exc), exc)
  File "<string>", line 3, in raise_from
google.api_core.exceptions.PermissionDenied: 403 Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist).

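I did set the environment variable as specified, and the IAM permissions for my account to access the project have also been given all the roles of Owner, so all permissions have been granted, and even then the error persists.

The error message mentions documentai.processors.processOnline, which means the mentioned permission has not been granted, but I have all permissions on the specific service account associated with the Document AI processor, because I have the Owner role.

Where am I going wrong, and how should I resolve this?

I followed the tutorial and ran into the same error as you. The tutorial is missing a step for granting Document AI permissions to the created service account ( my-docai-sa@your-project-name.iam.gserviceaccount.com ) (Step 5). To do this, you can run the following commands: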

# Set your project ID by exporting it in an environment variable
export GOOGLE_CLOUD_PROJECT=$(gcloud config get-value core/project)

# Run this command to grant your created service account the Document AI Editor role (read and write)
gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} --member="serviceAccount:my-docai-sa@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" --role="roles/documentai.editor"

# Set the environment variable to use the credentials from the created service account
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/key.json"

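If you want to control access to the API, you can refer to the Document AI roles for more information. After doing all of this, you should no longer encounter this error.

You can check whether the role was correctly assigned to your service account by running this command.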

gcloud projects get-iam-policy ${GOOGLE_CLOUD_PROJECT} --flatten=bindings --filter=bindings.role:roles/documentai.editor

It should show the following:

---
auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  service: cloudsql.googleapis.com
bindings:
  members:
  - serviceAccount:my-docai-sa@your-project-name.iam.gserviceaccount.com
  role: roles/documentai.editor
etag: xxxxxxxx
version: 1
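
An added example, not part of the original answer or the tutorial: a Python preflight check that works out which principal the key file behind GOOGLE_APPLICATION_CREDENTIALS authenticates as, and whether a project IAM policy (in the JSON form printed by `gcloud projects get-iam-policy --format=json`) binds that principal to a Document AI role. The key contents, both policies, the developer address and the role set are constructed assumptions.

```python
import json

# Assumption: predefined roles taken to carry documentai.processors.processOnline.
# Confirm against the Document AI roles documentation; basic and custom roles,
# group membership, IAM conditions and folder/org inheritance are not evaluated.
ROLES_WITH_PROCESS_ONLINE = {
    "roles/documentai.admin",
    "roles/documentai.editor",
    "roles/documentai.apiUser",
}

def principal_from_key(key_json):
    """IAM member string for the contents of a service-account key file."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key: type=%r" % key.get("type"))
    return "serviceAccount:" + key["client_email"]

def roles_for(policy, member):
    """Roles bound directly to `member` in a project IAM policy (JSON form)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def can_process_online(policy, member):
    """True if a direct binding gives `member` one of the roles listed above."""
    return bool(roles_for(policy, member) & ROLES_WITH_PROCESS_ONLINE)

# Constructed sample data (not real credentials or a real policy).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "my-docai-sa@your-project-name.iam.gserviceaccount.com",
})
POLICY_BEFORE = {"bindings": [
    {"role": "roles/owner", "members": ["user:developer@example.com"]},
]}
POLICY_AFTER = {"bindings": POLICY_BEFORE["bindings"] + [
    {"role": "roles/documentai.editor",
     "members": ["serviceAccount:my-docai-sa@your-project-name.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    caller = principal_from_key(SAMPLE_KEY)
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, caller, sorted(roles_for(policy, caller)),
              "processOnline:", can_process_online(policy, caller))
```

In the "before" policy the Owner binding belongs to the user account only, so the service account the client library actually authenticates as has no role at all.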
