Permission denied when invoking Document AI v1beta3 from Cloud SDK interactive Python (abbr. ipython or IPython) following the GCP tutorial for Form_Parser
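I am following the tutorial at https://codelabs.developers.google.com/codelabs/docai-form-parser-v3-python#7 and I have followed all the steps they specify...
I am using the Cloud SDK for development as specified in the tutorial, but then
the code they give is as follows: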
```python
project_id= 'YOUR_PROJECT_ID'
location = 'YOUR_PROJECT_LOCATION' # Format is 'us' or 'eu'
processor_id = 'YOUR_PROCESSOR_ID' # Create processor in Cloud Console
file_path = 'form.pdf' # The local file in your current working directory

from google.cloud import documentai_v1beta3 as documentai
from google.cloud import storage

def process_document(
    project_id=project_id, location=location, processor_id=processor_id, file_path=file_path
):
    # Instantiates a client
    client = documentai.DocumentProcessorServiceClient()

    # The full resource name of the processor, e.g.:
    # projects/project-id/locations/location/processor/processor-id
    # You must create new processors in the Cloud Console first
    name = f"projects/{project_id}/locations/{location}/processors/{processor_id}"

    with open(file_path, "rb") as image:
        image_content = image.read()

    # Read the file into memory
    document = {"content": image_content, "mime_type": "application/pdf"}

    # Configure the process request
    request = {"name": name, "document": document}

    # Use the Document AI client to process the sample form
    result = client.process_document(request=request)

    document = result.document
    document_text = document.text
    print("Document processing complete.")
    print("Text: {}".format(document_text))
```
Then I call the function process_document(), and the response I get from GCP is the error below:
```
Traceback (most recent call last):
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\grpc_helpers.py", line 67, in error_remapped_callable
    return callable_(*args, **kwargs)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\grpc\_channel.py", line 946, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\grpc\_channel.py", line 849, in _end_unary_response_blocking
    raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.PERMISSION_DENIED
    details = "Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist)."
    debug_error_string = "{"created":"@1621998239.448000000","description":"Error received from peer ipv4:172.217.166.170:443","file":"src/core/lib/surface/call.cc","file_line":1067,"grpc_message":"Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist).","grpc_status":7}"
>

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT_FormParser.py", line 77, in <module>
    process_document_sample(project_id = project_id, location= location, processor_id= processor_id, file_path= file_path)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT_FormParser.py", line 38, in process_document_sample
    result = client.process_document(request=request)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\cloud\documentai_v1\services\document_processor_service\client.py", line 440, in process_document
    response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\gapic_v1\method.py", line 145, in __call__
    return wrapped_func(*args, **kwargs)
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\retry.py", line 285, in retry_wrapped_func
    return retry_target(
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\retry.py", line 188, in retry_target
    return target()
  File "C:\Users982\GCP_CLCBusinessMSGBOT\CLCBusinessMSGBOT\lib\site-packages\google\api_core\grpc_helpers.py", line 69, in error_remapped_callable
    six.raise_from(exceptions.from_grpc_error(exc), exc)
  File "<string>", line 3, in raise_from
google.api_core.exceptions.PermissionDenied: 403 Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/550698032251/locations/us/processors/640b1155e305c10e' (or it may not exist).
```
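I did set the environment variables as specified, and my account's IAM access to the project has been given the Owner role, so all permissions are granted, yet the error is still there.
The error message mentions documentai.processors.processOnline, which indicates that the mentioned permission is not granted, but I have all permissions on the specific service account associated with the Document AI processor, because I have the Owner role.
Where am I going wrong, and how should I fix this?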
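I followed the tutorial and ran into the same error as you. The tutorial is missing a step (in step 5) that grants Document AI permissions to the created service account (my-docai-sa@your-project-name.iam.gserviceaccount.com). To do this, you can run this command: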
```bash
# Set your project ID by exporting it as an environment variable
export GOOGLE_CLOUD_PROJECT=$(gcloud config get-value core/project)

# Grant the created service account the Document AI Editor role (read and write)
gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} --member="serviceAccount:my-docai-sa@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" --role="roles/documentai.editor"

# Set the environment variable to use the credentials from the created service account
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/key.json"
```
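If you want to control access to the API, you can refer to Document AI Roles for more information. After doing all of this, you should no longer encounter this error.
You can check whether the role has been correctly assigned to your service account by running this command: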
```bash
gcloud projects get-iam-policy ${GOOGLE_CLOUD_PROJECT} --flatten=bindings --filter=bindings.role:roles/documentai.editor
```
It should display the following:
```
---
auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  service: cloudsql.googleapis.com
bindings:
  members:
  - serviceAccount:my-docai-sa@your-project-name.iam.gserviceaccount.com
  role: roles/documentai.editor
etag: xxxxxxxx
version: 1
```
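The Owner role in the question is held by the user account, while the client library authenticates as the service account whose key `GOOGLE_APPLICATION_CREDENTIALS` points to. The following added example (not from the tutorial, the question or the answer) checks that principal against an IAM policy offline; the role set, the sample policies and `dev@example.com` are assumptions constructed for illustration.

```python
import json

# Assumption: predefined roles taken to include documentai.processors.processOnline;
# confirm against the Document AI roles reference before relying on this set.
PROCESS_ROLES = {"roles/owner", "roles/documentai.admin",
                 "roles/documentai.editor", "roles/documentai.apiUser"}

def key_file_member(key_json):
    """IAM member string of the identity a service-account key file authenticates as."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    return "serviceAccount:" + key["client_email"]

def granting_roles(policy, member):
    """Roles bound directly to `member` that allow online processing.
    Group membership and conditional bindings are not evaluated here."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []) and b["role"] in PROCESS_ROLES)

def diagnose(policy, key_json):
    """One-line verdict for the principal behind the key file."""
    member = key_file_member(key_json)
    roles = granting_roles(policy, member)
    verdict = "allowed via " + ", ".join(roles) if roles else "PERMISSION_DENIED expected"
    return f"{member}: {verdict}"

# Constructed sample data (not taken from the asker's project).
SA = "my-docai-sa@your-project-name.iam.gserviceaccount.com"
KEY_JSON = json.dumps({"type": "service_account", "client_email": SA})
# Before the fix: only the human user is Owner; the key's identity has no binding.
POLICY_BEFORE = {"bindings": [
    {"role": "roles/owner", "members": ["user:dev@example.com"]}]}
# After the add-iam-policy-binding step from the answer.
POLICY_AFTER = {"bindings": POLICY_BEFORE["bindings"] + [
    {"role": "roles/documentai.editor", "members": ["serviceAccount:" + SA]}]}

if __name__ == "__main__":
    print(diagnose(POLICY_BEFORE, KEY_JSON))
    print(diagnose(POLICY_AFTER, KEY_JSON))
```

To run it against a real project, pass the parsed output of `gcloud projects get-iam-policy ${GOOGLE_CLOUD_PROJECT} --format=json` as `policy` and the contents of the key file as `key_json`.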