Permission denied when invoking Document AI v1beta3 from Cloud SDK Interactive python (abbr. ipython or Ipython) following GCP tutorial for Form_Parser

I am working through the tutorial at https://codelabs.developers.google.com/codelabs/docai-form-parser-v3-python#7 and I followed all the steps they specify...

I am using the Cloud SDK for the development purposes specified in the tutorial, but then

The code they give is as follows:

project_id= 'YOUR_PROJECT_ID' 
location = 'YOUR_PROJECT_LOCATION' # Format is 'us' or 'eu'
processor_id = 'YOUR_PROCESSOR_ID' # Create processor in Cloud Console
file_path = 'form.pdf' # The local file in your current working directory

from google.cloud import documentai_v1beta3 as documentai
from google.cloud import storage

def process_document(
    project_id=project_id, location=location, processor_id=processor_id,  file_path=file_path
):

    # Instantiates a client
    client = documentai.DocumentProcessorServiceClient()

    # The full resource name of the processor, e.g.:
    # projects/project-id/locations/location/processor/processor-id
    # You must create new processors in the Cloud Console first
    name = f"projects/{project_id}/locations/{location}/processors/{processor_id}"

    with open(file_path, "rb") as image:
        image_content = image.read()
    
    # Read the file into memory
    document = {"content": image_content, "mime_type": "application/pdf"}

    # Configure the process request
    request = {"name": name, "document": document}

    # Use the Document AI client to process the sample form
    result = client.process_document(request=request)

    document = result.document
    document_text = document.text
    print("Document processing complete.")
    print("Text: {}".format(document_text)) 

Then I call the function process_document(), and the response I get from GCP is the error below

Traceback (most recent call last):
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\grpc_helpers.py", line 67, in error_remapped_callable
    return callable_(*args, **kwargs)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\grpc\_channel.py", line 946, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\grpc\_channel.py", line 849, in _end_unary_response_blocking
    raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
        status = StatusCode.PERMISSION_DENIED
        details = "Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist)."
        debug_error_string = "{"created":"@1621998239.448000000","description":"Error received from peer ipv4:172.217.166.170:443","file":"src/core/lib/surface/call.cc","file_line":1067,"grpc_message":"Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist).","grpc_status":7}"
>

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT_FormParser.py", line 77, in <module>
    process_document_sample(project_id = project_id, location= location, processor_id= processor_id, file_path= file_path)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT_FormParser.py", line 38, in process_document_sample
    result = client.process_document(request=request)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\cloud\documentai_v1\services\document_processor_service\client.py", line 440, in process_document
    response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\gapic_v1\method.py", line 145, in __call__
    return wrapped_func(*args, **kwargs)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\retry.py", line 285, in retry_wrapped_func
    return retry_target(
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\retry.py", line 188, in retry_target
    return target()
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\grpc_helpers.py", line 69, in error_remapped_callable
    six.raise_from(exceptions.from_grpc_error(exc), exc)
  File "<string>", line 3, in raise_from
google.api_core.exceptions.PermissionDenied: 403 Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist).

I did set the environment variable as specified, and my account's IAM permissions on the project were given all the roles of Owner, so all permissions are granted, yet the error still persists

The error message mentions documentai.processors.processOnline - indicating that the mentioned permission is not granted, but I have all permissions on the specific service account associated with the Document AI processor, because I have the Owner role

Where did I go wrong, and how should I fix this?

I followed the tutorial and ran into the same error as you. The tutorial is missing the step of granting Document AI permissions to the created service account (my-docai-sa@your-project-name.iam.gserviceaccount.com) (step 5). To do that, you can run this command:

# Set your project id by exporting it as an environment variable
export GOOGLE_CLOUD_PROJECT=$(gcloud config get-value core/project)

# Run this command to grant your created service account the Document AI Editor role (read and write)
gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} --member="serviceAccount:my-docai-sa@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" --role="roles/documentai.editor"

# Set the environment variable so the client uses the credentials of the created service account
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/key.json"

If you want to control access to the API, you can refer to Document AI Roles for more information. Once all this is done, you should no longer get this error.

You can check whether the role has been correctly assigned to your service account by running this command.

gcloud projects get-iam-policy ${GOOGLE_CLOUD_PROJECT} --flatten=bindings --filter=bindings.role:roles/documentai.editor

It should display the following:

---
auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  service: cloudsql.googleapis.com
bindings:
  members:
  - serviceAccount:my-docai-sa@your-project-name.iam.gserviceaccount.com
  role: roles/documentai.editor
etag: xxxxxxxx
version: 1
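The root cause in this thread is a mismatch between the principal the Owner role was granted to (the user's account) and the principal the client actually authenticates as (the service account named in GOOGLE_APPLICATION_CREDENTIALS). The pre-flight check below is an added example, not code from the question, the answer or the tutorial: it reads the member identity out of a service-account key, looks it up in a project IAM policy dump (as produced by `gcloud projects get-iam-policy ... --format=json`), and extracts the resource named in the 403 so it can be compared with the configured project and processor. The key and policy are constructed samples; `ACCEPTED_ROLES` is an assumption listing the roles this check treats as sufficient.

```python
import json
import re
from typing import Optional

# Constructed sample inputs (not real credentials, project or policy):
# a minimal service-account key file and a project IAM policy document.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "my-docai-sa@example-project.iam.gserviceaccount.com",
})
SAMPLE_POLICY = {
    "bindings": [
        # The developer's own account is Owner, exactly as in the question ...
        {"role": "roles/owner", "members": ["user:dev@example.com"]},
        # ... and the fix from the answer: the service account gets Document AI Editor.
        {"role": "roles/documentai.editor",
         "members": ["serviceAccount:my-docai-sa@example-project.iam.gserviceaccount.com"]},
    ]
}
# Assumption: roles this check accepts as carrying documentai.processors.processOnline
# (Editor from the answer; the basic Owner role includes all project permissions).
ACCEPTED_ROLES = {"roles/documentai.editor", "roles/owner"}

def principal_from_key(key_json: str) -> Optional[str]:
    """Return the IAM member string a client using this key authenticates as."""
    key = json.loads(key_json)
    if key.get("type") != "service_account" or "client_email" not in key:
        return None
    return f"serviceAccount:{key['client_email']}"

def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role the project policy binds directly to `member`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def has_docai_access(key_json: str, policy: dict) -> bool:
    """True only if the key's principal (not the human developer) holds an accepted role."""
    member = principal_from_key(key_json)
    return member is not None and bool(roles_for_member(policy, member) & ACCEPTED_ROLES)

def parse_denied_resource(message: str) -> Optional[dict]:
    """Pull project number, location and processor id out of the 403 message text."""
    m = re.search(r"projects/(\d+)/locations/([a-z0-9-]+)/processors/([0-9a-f]+)", message)
    if m is None:
        return None
    return {"project_number": m.group(1), "location": m.group(2), "processor_id": m.group(3)}
```

If `has_docai_access` is false while your own account is Owner, the client is running as the service account and the missing binding from the answer is the fix; if the parsed project number or processor id differs from what you configured, the "(or it may not exist)" half of the message applies.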