Hi,
I have a question relevant to the implementation of the Vision API. I'm using the Vision API in my code that would be deployed at the client end. I wanna allow the client to use the code and hence hit the Vision API. The only way that I know is possible is by using the service account which will be granted the role for use of the Vision API. However, in order to utilize the service account I would have to provide the secret JSON key (which is a high security risk, since anyone with access to it can use the service account).
I wanna ensure more security, but how? One way I came to know of was workload identity federation. But what if I want it to be implemented in the following way?
I list certain client emails under the user role for the service account (this service account has the Vision API user role). Inside the code, the client has to provide their own user name and password, which would be verified, and access will be allowed only if they are listed as a user for the service account; no service account secret JSON key would be required in this process (only email and password verification). This way I can ensure only relevant users (allowed by me) with their own credentials can access the service account and the Vision API.
Can anyone please help me implement it? I need instructions on how to implement it, or any other better way to handle this security concern. Looking forward to positive responses.
Thanks