I have two GCP projects: projectA for Kubernetes resources, and projectB for product-search-api and the Spanner database. I created a service account in projectB with the required permissions and mounted its credentials.json to the service in projectA as the GOOGLE_APPLICATION_CREDENTIALS env var, and it works well.
But because of this there are some other permission issues for the service when using features in projectA, e.g. Stackdriver monitoring. I could grant these permissions to the service account I created, but I then found a ClientOption: WithCredentialsFile.
I planned to use this option without modifying the GOOGLE_APPLICATION_CREDENTIALS env var in the service, i.e. keep using projectA credentials. So I passed it to the Spanner client like below, and it works well:

    client, err := spanner.NewClientWithConfig(context, dbn, spanner.ClientConfig{
        SessionPoolConfig: spanner.SessionPoolConfig{
            MaxIdle: 100,
        },
    }, option.WithCredentialsFile(cfg.CredsPathtoProjectB))

But when I pass it to vision.NewImageAnnotatorClient to make a request to the Product Search API, I get Permission Denied:

    c, err := vision.NewImageAnnotatorClient(context, option.WithCredentialsFile(cfg.CredsPathtoProjectB))
    ictx := &pb.ImageContext{
        ProductSearchParams: &pb.ProductSearchParams{
            ProductSet:        fmt.Sprintf("projects/%s/locations/%s/productSets/%s", cfg.ProjectID, cfg.ProjectLocation, cfg.ProductSetID),
            ProductCategories: []string{cfg.ProductCategory},
            Filter:            filter,
        },
    }
    response, err := c.AnnotateImage(ctx, &pb.AnnotateImageRequest{
        Image:        img,
        ImageContext: ictx,
        Features: []*pb.Feature{{Type: visionpb.Feature_PRODUCT_SEARCH,
            MaxResults: int32(maxItems)}},
    })

Output:

    "response:":"error:{code:7 message:\"Permission denied.\"}"

I could use the same credentials to request the Product Search API when overwriting GOOGLE_APPLICATION_CREDENTIALS. Am I making a mistake?

You don't need Owner's permission on the service account. However, if the product search resources are in projectB, then you have to call Vision API with a service account from projectB.
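
The rule in the answer above can be checked before the key path is handed to option.WithCredentialsFile. The following is an added example, not code from the question or the answer: it reads the `type`, `project_id` and `client_email` fields of a service account key file and compares the key's project with the project in the product set name. The function names and all sample values are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// saKey holds the fields of a service account key file that identify its owner.
type saKey struct {
	Type        string `json:"type"`
	ProjectID   string `json:"project_id"`
	ClientEmail string `json:"client_email"`
}

// resourceProject extracts P from "projects/P/locations/L/productSets/S".
func resourceProject(name string) (string, error) {
	p := strings.Split(name, "/")
	if len(p) != 6 || p[0] != "projects" || p[2] != "locations" || p[4] != "productSets" || p[1] == "" {
		return "", fmt.Errorf("malformed product set name %q", name)
	}
	return p[1], nil
}

// checkKeyForProductSet fails when the key is not a service account key or its project differs from the product set's.
func checkKeyForProductSet(keyJSON []byte, productSet string) error {
	var k saKey
	if err := json.Unmarshal(keyJSON, &k); err != nil {
		return fmt.Errorf("parse key: %w", err)
	}
	if k.Type != "service_account" {
		return fmt.Errorf("credential type %q is not a service account key", k.Type)
	}
	proj, err := resourceProject(productSet)
	if err != nil {
		return err
	}
	if k.ProjectID != proj {
		return fmt.Errorf("key for %s is from project %q, product set is in %q", k.ClientEmail, k.ProjectID, proj)
	}
	return nil
}

func main() {
	// Constructed sample key (no private key material) and constructed resource names.
	key := []byte(`{"type":"service_account","project_id":"project-b","client_email":"search@project-b.iam.gserviceaccount.com"}`)
	fmt.Println(checkKeyForProductSet(key, "projects/project-b/locations/us-east1/productSets/ps1"))
	fmt.Println(checkKeyForProductSet(key, "projects/project-a/locations/us-east1/productSets/ps1"))
}
```

Logging the returned error at startup shows which service account identity and which project the client is about to use, without printing any key material.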