5

I have been using the Google Speech API to transcribe audio to text from my PHP app (using the Google Cloud PHP Client) for several months without any problem. But my calls have now started to return 403 errors with status "PERMISSION_DENIED" and message "The caller does not have permission".

I'm using the Speech API together with Google Storage. I'm authenticating using a service account and sending my audio data to Storage. That's working, the file gets uploaded. So I understand - but I might be wrong? - that "the caller" does not have permission to then read the audio data from Storage.

I've been playing with permissions through the Google Console without success. I've read the docs but am quite confused. The service account I am using (I guess this is "the caller"?) has owner permissions on the project. And everything used to work fine, I haven't changed a thing.

I'm not posting code because if I understand correctly my app code isn't the issue - it's rather my Google Cloud settings. I'd be grateful for any idea or clarifications of concepts!

Thanks.

Ben
  • Being an owner of the project doesn't necessarily imply that the service account has read permission on the object. It's possible that the object was uploaded by another account that specified a private ACL or similar. Maybe try explicitly adding the service account as a reader on that specific object? – Brandon Yarbrough May 12 '17 at 17:43
  • Ha, yeah. Fixed. Thanks a lot! – Ben May 12 '17 at 17:52
  • Suggest converting the comment to an answer and resolving the question. – blambert May 15 '17 at 05:21
  • @BrandonYarbrough How do you "Maybe try explicitly adding the service account as a reader on that specific object? " – Ted Taylor of Life Jul 27 '17 at 15:49
  • @TedTaylorofLife Either through the console, or by running a command like `gsutil acl ch -u serviceAccount@domain.com:R gs://bucket/object` – Brandon Yarbrough Jul 27 '17 at 16:12
  • @BrandonYarbrough so first run `gsutil acl ch -u serviceAccount@domain.com:R gs://mypath/nameoffile.flac` then run `python transcribe_async.py gs://mypath/nameoffile.flac`, correct? – Ted Taylor of Life Jul 27 '17 at 16:18

2 Answers

6

Being an owner of the project doesn't necessarily imply that the service account has read permission on the object. It's possible that the object was uploaded by another account that specified a private ACL or similar.

Make sure that the service account has access to the object by giving it the right permissions on the entire bucket or on the specific object itself.

You can do so using gsutil acl. More information and additional methods may be found in the official documentation.

For instance the following command gives READ permission on an object to your service account:

    gsutil acl ch -r -u serviceAccount@domain.com:R gs://bucket/object

And this command gives READ permission on an entire bucket to your service account:

    gsutil acl ch -r -u serviceAccount@domain.com:R gs://bucket
Kannappan Sirchabesan
Yannick MG
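To confirm whether an object's ACL actually names the service account, the JSON printed by `gsutil acl get gs://bucket/object` can be inspected as in the sketch below. This is an added example, not code from the answer: the function name `read_grants` and both sample ACLs are constructed for illustration, and it looks only at the object ACL, not at IAM grants on the bucket.

```python
import json

# Object ACL roles that allow reading the object's data.
READ_ROLES = {"READER", "OWNER"}
# Entities that match any caller / any authenticated caller.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def read_grants(acl_json, account_email):
    """Split the read-granting entries of an object ACL into two lists.

    direct: entries naming the account itself or a public entity.
    team:   entries naming a project team (owners/editors/viewers of one
            project number); these only help if the account holds that
            basic role on that same project.
    """
    wanted = "user-" + account_email.lower()
    direct, team = [], []
    for entry in json.loads(acl_json):
        if entry.get("role") not in READ_ROLES:
            continue
        entity = entry.get("entity", "")
        if entity.lower() == wanted or entity in PUBLIC_ENTITIES:
            direct.append(entity)
        elif entity.startswith("project-"):
            team.append(entity)
    return direct, team


# Constructed sample: object uploaded with a private ACL by another account.
PRIVATE_ACL = json.dumps([
    {"entity": "user-uploader@example.com", "role": "OWNER"},
])

# Constructed sample: the same object after the `gsutil acl ch -u ...:R` grant.
GRANTED_ACL = json.dumps([
    {"entity": "user-uploader@example.com", "role": "OWNER"},
    {"entity": "user-serviceAccount@domain.com", "role": "READER"},
])

if __name__ == "__main__":
    for name, acl in (("private", PRIVATE_ACL), ("granted", GRANTED_ACL)):
        direct, team = read_grants(acl, "serviceAccount@domain.com")
        verdict = "readable" if direct else (
            "depends on project role" if team else "no ACL read grant")
        print(f"{name}: {verdict} direct={direct} team={team}")
```

An empty `direct` list with an empty `team` list matches the situation in the question: the caller is authenticated, but nothing in the object's ACL lets it read the data.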
0

In Google Cloud Vision, when you're creating credentials with a service account key, you have to create a role and set it to owner with full access permissions.