Cloud IAM permission 'cloudtranslate.glossaries.create' denied.

I am currently following the instructions on this page: https://cloud.google.com/translate/docs/advanced/glossary 

I have also followed the instructions on this page: https://groups.google.com/g/google-translate-api/c/JLkWkxkIGWU 

I have tried: 

from google.cloud import translate_v3beta1 as translate

Whatever I do all I get is: "google.api_core.exceptions.PermissionDenied: 403 Cloud IAM permission 'cloudtranslate.glossaries.create' denied."

Yes, I have Storage Object Admin and Cloud Translate API Admin assigned to my service agent. I can access translation services ok using the service agent, but not glossary creation.

I am currently thrashing around creating random service agents and granting them all the permissions that might work. This does not seem to be the best way to proceed, but I am otherwise at a complete loss as to what to do. Anyone who has any idea of a systematic way I might go about troubleshooting this, please let me know!

Please also let me know if I am posting this in the wrong place. I am trying to get help with using glossaries with Google Cloud Translate.

1 ACCEPTED SOLUTION

Thanks for your reply. It turns out that I was using a project ID in the form 

my-project-xxxx

when the system requires it in the form 

my-project-xxxx-xxxxxxxxxxxxx

 That was all it took. (Actually it was Gemini that pointed this out to me, after analysing the code I was running.)

4 REPLIES 4

Hi, @chris-hilder.

Could you please verify that your application is using the correct project ID and service account? It should not be relying on the default user profile from the gcloud configuration.


Regards,
Mokit

Hi @chris-hilder,

Welcome to Google Cloud Community!

The error "google.api_core.exceptions.PermissionDenied: 403 Cloud IAM permission 'cloudtranslate.glossaries.create' denied" indicates that your service account lacks the specific cloudtranslate.glossaries.create permission. The problem isn't just about having admin access to the Cloud Translate API; it's about having the granular permission to create glossaries.

Here are some approaches that you may try:

  1. Verify the Permission Directly: Don't rely on assuming "Cloud Translate API Admin" includes everything. Go to the IAM page in the Google Cloud Console for your project.
     • Find your service account.
     • Click on it to see its permissions.
     • Explicitly search for and verify that the cloudtranslate.glossaries.create permission is assigned to your service account. It's not enough to have roles/translate.admin (which might be what "Cloud Translate API Admin" maps to). You need the specific cloudtranslate.glossaries.create permission. If it's missing, add it.
  2. Check for Inheritance: Sometimes roles are inherited from higher levels (e.g., organization or folder). Ensure the permission isn't being blocked at a higher level. Check the IAM settings at the organization and folder level to see if there are any conflicting policies that might be overriding the permissions you've granted at the project level.
  3. Resource Hierarchy: Glossaries are associated with locations. Make sure you're specifying the correct location when creating the glossary. The code should include a location parameter (often 'us-central1' or similar). Incorrect location could lead to permission issues even if the permission is correctly assigned at the project level.
  4. Quota Issues: Though less probable given the permission error, check if you've hit any Google Cloud Translate API quotas. If you're creating many glossaries, you might have exceeded a limit. Look for quota errors in the Cloud Console's error logs.
  5. Service Account Impersonation: If you're using a different service account to run your code and are impersonating another, make absolutely certain the impersonation is correctly configured and the impersonated account has the necessary permission.
  6. Re-create the Service Account: If all else fails, try creating a completely new service account, assigning only the absolutely necessary permissions (including cloudtranslate.glossaries.create), and testing with that. This helps rule out any subtle issues with a previously-used service account.

By carefully checking each of these points, you'll systematically identify why your service account is denied the permission. Remember to replace placeholders like your_project_id with your actual project ID.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

Thanks, it is great to have a troubleshooting process spelled out. It's not what caused my problem (see reply above), but will be helpful to others searching the forum.
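
A local pre-flight check for the mismatch described in the accepted solution, as an added example that is not code from this thread or from Google: it compares the project ID the code puts in the glossary parent path with the `project_id` recorded in the service account key file. The function name, the sample project IDs and the key contents are constructed, and the `projects/{id}/locations/{location}` parent form is assumed from the Translation v3 API.

```python
import json
import re

# Project ID syntax: 6-30 chars, lowercase letters/digits/hyphens,
# starts with a letter, does not end with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Constructed sample: only the two non-secret fields of a key file are needed.
SAMPLE_KEY_JSON = json.dumps({
    "project_id": "demo-proj-1234-a1b2c3d4e5f6g",
    "client_email": "glossary-bot@demo-proj-1234-a1b2c3d4e5f6g.iam.gserviceaccount.com",
})


def check_glossary_parent(configured_project, location, key_json):
    """Build the glossary parent path and list local inconsistencies."""
    key = json.loads(key_json)
    key_project = key.get("project_id", "")
    findings = []
    if not PROJECT_ID_RE.match(configured_project):
        findings.append("configured project is not a valid project ID string")
    if configured_project != key_project:
        if key_project.startswith(configured_project + "-"):
            # The failure mode from the accepted solution: a shortened ID.
            findings.append("configured project looks truncated; key file has "
                            + repr(key_project))
        else:
            # Cross-project use can be legitimate, so this is a prompt to verify.
            findings.append("configured project differs from key file project "
                            + repr(key_project)
                            + "; confirm a role binding exists on the target project")
    if not location:
        findings.append("no location given; glossaries are created under a location")
    parent = f"projects/{configured_project}/locations/{location}"
    return parent, findings


if __name__ == "__main__":
    for project in ("demo-proj-1234", "demo-proj-1234-a1b2c3d4e5f6g"):
        parent, findings = check_glossary_parent(project, "us-central1", SAMPLE_KEY_JSON)
        print(parent, findings or "OK")
```

Running a check like this before granting additional roles keeps the service account at the permissions it already needs.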