This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Using Vison ML via REST API

Posted on 07-06-2022 02:03 AM
SchneiderInfosy
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

I'm taking my first steps with Vision ML and using the REST interface (https://vision.googleapis.com/v1/files:annotate). As API key I provide the key from the Firebase project settings. In the Authorization Bearer, I supply the token from Firebase-Auth after sign-in.

When accessing Annotate I get a 403 (Permission_Denied) error message back:
Error opening file: gs://######.appspot.com/MyFile.tiff.

The object is available in the corresponding bucket and it is not blocked due to the Firebase Storage rules.

Can I pass a Firebase token in this REST interface at all?

How do I make sure that the service account can access the storage?

Thank you for any hint

Author of FB4D GitHub Project (A Delphi Library for access Firebase Services via REST).

0 2 442
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
Andre_Fiesco
Staff
Reply posted on --/--/---- --:-- AM

The issue seems to be with the permissions or the Firebase rules that are being used. Could you please share the permissions and Firebase rules that you are using?   

Here is document that you can use for the Firebase security rules:

https://firebase.google.com/docs/storage/security 

https://stackoverflow.com/questions/38671444/user-does-not-have-permission-to-access-this-object-fir...

Here is another document that you can use for the IAM permissions:

https://cloud.google.com/storage/docs/access-control/iam-permissions 

You can also use a service account to authenticate to Firebase storage:

https://stackoverflow.com/questions/72565059/cloud-api-product-search-asked-for-storing-the-images-i...

Posted on --/--/---- --:-- AM
SchneiderInfosy
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

That was also my first thought, so I have the rule that only a known user can use the storage, removed for all types of readers released.

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /testML/{img} {
      allow read: if true; // if request.auth != null;
      allow write: if request.auth != null;
    }
  }
}

I suppose this rules out your first assumption.

On the second point, yes, I've also tried giving more privileges to the executing service account. In the Google Cloud Console, I see three other principals in addition to my email address as the owner. Which one is used by the ML vision Service?

I have already assigned "Storage admin" rights to all these 3 accounts. Unfortunately, this did not solve the problem.

Thank you for a further hint.

0 Likes