@Joshua: your inquiry inspired me to do some research into this issue over the past few months resulting in the following:
1. *Use Cloud client libraries:* yep, your experience was not fun for any developer looking to use a Cloud API (whether App Engine or a simple cmd-line script). One solution is to avoid the Google APIs client library <https://developers.google.com/api-client-library> and use the Google Cloud client libraries <http://cloud.google.com/apis/docs/cloud-client-libraries> instead, and in your case just the one for Cloud Translation (basic/v2 <https://cloud.google.com/translate/docs/reference/libraries/v2/python> or advanced/v3 <https://cloud.google.com/translate/docs/reference/libraries/v3/python>). (I'm also working on a blog post to outline the differences between these *platform vs. product* client libraries, so stay tuned for that.) With the Cloud Translation client library (which hides a lot of low-level details), your code sample can be as simple as: from __future__ import print_function import google.auth from google.cloud import translate TRANSLATE = translate.TranslationServiceClient() _, PROJECT_ID = google.auth.default() PARENT = 'projects/{}'.format(PROJECT_ID) TARGET_LANG = 'es' TEXT = 'Hello world' DATA = { 'parent': PARENT, 'contents': [TEXT], 'target_language_code': TARGET_LANG, } try: # Python 3/advanced/v3 rsp = TRANSLATE.translate_text(request=DATA) except TypeError: # Python 2/basic/v2 rsp = TRANSLATE.translate_text(**DATA) print(TEXT, '=', rsp.translations[0].translated_text) It works in Python 2 and 3 without any modification: $ python2 translate_demo2.py Hello world = Hola Mundo $ python3 translate_demo2.py Hello world = Hola Mundo You should be able to just drop something like this right into your App Engine code (plus the necessary stuff in app.yaml and requirements.txt). App Engine comes with a default service account <https://cloud.google.com/appengine/docs/standard/python/service-account>, so you don't need to mess with all you did unless you need to (create a separate service account and public/private key-pair) for other reasons. To run this script *locally* (as I did above), you *do* need to do that (create a service acct & keypair, download the JSON credentials file to your local system, then point GOOGLE_APPLICATION_CREDENTIALS to it), but not on App Engine (nor Cloud Functions nor Cloud Run) as *all 3* have default service accounts. 2. *Sample app:* I created a simple Python 2 GAE app that uses that Cloud Translation code to get an idea of what you went through and discovered it wasn't that bad if the product client library is used. Then I wanted to see how challenging it would be to port it to Python 3 (since you got to at some point) as well as running it locally. Then I thought, "Why not try to throw the app into a Docker container for Cloud Run?" *Bottom-line*: today I pushed to GitHub this "nebulous" sample app <https://github.com/googlecodelabs/cloud-nebulous-serverless-python> that can be deployed (at least) 8 different ways w/just minor config changes. Eh, I'll write up a blog post on this one too when I get a chance. I know the challenges weren't fun to deal with, but I hope these can help you and other developers! --Wesley On Mon, Dec 7, 2020 at 10:10 AM Joshua Smith <mrjoshuaesm...@gmail.com> wrote: > This problem is more systemic than that. The documentation lacks a > step-by-step how-to. I understand that there are a lot of options, but I'm > pretty sure my use case is very common: > > 1. I have a google app engine app > 2. I want to call the translation API from that app > > I figured out how to do that from the translation API docs, but I lacked > permission. > > I could not find any step by step instructions for giving permission. I > found this: > > https://cloud.google.com/translate/docs/setup > > which pointed me to this: > > https://cloud.google.com/iam/docs/understanding-roles > > at which point a normal human is going to be ready to give up. Look at > that second page! It's an endless stream of gobledegook. > > After getting the pointer from Amit that I need to add the role to IAM, I > went to IAM & Admin in my console, and selected "roles". Spoiler alert: > this is not where you do this. > > Amit mentioned "service accounts" so I went looking for that. I chose the > "Service Accounts" section. I see my service account, and it has a "..." > Actions menu. None of those actions are about adding roles. > > I click on the link for my service account, and see there's a tab for > "permissions". Doesn't seem to be anywhere I can give it permissions there. > > Honestly, I've just given up again. I know that by fumbling around in the > console I eventually ended up on a page where it wanted me to type an email > address. And I eventually figured out that it wanted the email address of > the service account. But for the life of me, I can't find that now. > > You need to write a how-to for giving an app engine app permission to > access an API. Or if such a thing already exists, you need to elevate it to > make it findable. > > -Joshua > > On Dec 4, 2020, at 2:17 PM, wesley chun <wes...@gmail.com> wrote: > > Thanks for your feedback Joshua. Can you take a screenshot of the Cloud > Console where you think there should be a message or that is misleading, > then go to the appropriate page in the documentation you think additional > messaging would help, and click on the "Send feedback" button in the upper > right corner of that page? The tool will also let you highlight where on > the docs page your messaging should go. This will greatly help the team > analyze your feedback and take appropriate action as necessary. > > Cheers, > --Wesley > > On Fri, Nov 20, 2020 at 5:33 AM Joshua Smith <mrjoshuaesm...@gmail.com> > wrote: > >> That worked. Thank you so much. >> >> You guys need to work on your documentation. I never could have figured >> that out myself. And the process of adding that role to the service account >> was also weird. (The UX is asking for the email of a new user, when what I >> need to add is a service account that isn’t a new user, and isn’t even >> really an email.) >> >> -Joshua >> >> On Nov 19, 2020, at 2:19 PM, 'Amit Sinha' via Google App Engine < >> google-appengine@googlegroups.com> wrote: >> >> *Hello Joshua, could you try to add the “Cloud Translation API User” role >> in the service account from IAM? As of this [1] documentation, it includes >> the permission that showing in the error.[1] >> https://cloud.google.com/iam/docs/understanding-roles#cloud-translation-roles >> <https://cloud.google.com/iam/docs/understanding-roles#cloud-translation-roles>* >> On Monday, November 16, 2020 at 2:23:03 PM UTC-5 Joshua Smith wrote: >> >>> I don’t think Google could have come up with a more confusing and >>> convoluted system for API permission management if they tried. >>> >>> So I’ve enabled the “cloud translation” API within my project. >>> >>> I have some Python (2.7, old school) code that goes: >>> >>> credentials = >>> ServiceAccountCredentials.from_json_keyfile_name(CLIENT_SECRETS_FILE, >>> scopes=['https://www.googleapis.com/auth/cloud-platform’]) >>> http_auth = credentials.authorize(Http()) >>> service = build("translation", "v3", http=http_auth) >>> service.projects().translateText(parent=“projects/*my-project-id-here*",body={"contents":"bonjour", >>> "targetLanguageCode":"en"}).execute() >>> >>> And I get: >>> >>> googleapiclient.errors.HttpError: <HttpError 403 when requesting >>> https://translation.googleapis.com/v3/projects/*my-project-id-here*:translateText?alt=json >>> returned "Cloud IAM permission 'cloudtranslate.generalModels.predict' >>> denied."> >>> >>> So it seems like I need to check some box somewhere to make this work, >>> but I can’t figure out where. >>> >>> The service account in the client secrets file is working fine when I >>> use it to hit Google Analytics from the same app. And in fact, my code to >>> access GA is almost identical except the scope and service call. >>> >>> Any ideas? >>> >>> -Joshua >>> >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google App Engine" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to google-appengine+unsubscr...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/google-appengine/38511647-af55-4440-b8a9-47a2d26e1f42n%40googlegroups.com >> <https://groups.google.com/d/msgid/google-appengine/38511647-af55-4440-b8a9-47a2d26e1f42n%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google App Engine" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to google-appengine+unsubscr...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/google-appengine/96693B33-8943-4948-8444-7F9ABAAAB70D%40gmail.com >> <https://groups.google.com/d/msgid/google-appengine/96693B33-8943-4948-8444-7F9ABAAAB70D%40gmail.com?utm_medium=email&utm_source=footer> >> . >> > > > -- > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > "A computer never does what you want... only what you tell it." > wesley chun :: @wescpy <http://twitter.com/wescpy> :: Software > Architect & Engineer > Developer Advocate at Google Cloud by day; at night... > Python training & consulting : http://CyberwebConsulting.com > <http://cyberwebconsulting.com/> > "Core Python" books : http://CorePython.com <http://corepython.com/> > Python blog: http://wescpy.blogspot.com > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to google-appengine+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/google-appengine/CAB6eaA6qha4NWpPqtRQvSt3v86vPwJQ02j%3D_UtFT8w5m6KnHGQ%40mail.gmail.com > <https://groups.google.com/d/msgid/google-appengine/CAB6eaA6qha4NWpPqtRQvSt3v86vPwJQ02j%3D_UtFT8w5m6KnHGQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to google-appengine+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/google-appengine/8779DD22-2BCF-4834-B50B-57BB5B8B0017%40gmail.com > <https://groups.google.com/d/msgid/google-appengine/8779DD22-2BCF-4834-B50B-57BB5B8B0017%40gmail.com?utm_medium=email&utm_source=footer> > . > -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "A computer never does what you want... only what you tell it." wesley chun :: @wescpy <http://twitter.com/wescpy> :: Software Architect & Engineer Developer Advocate at Google Cloud by day; at night... Python training & consulting : http://CyberwebConsulting.com "Core Python" books : http://CorePython.com Python blog: http://wescpy.blogspot.com -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/CAB6eaA4DfSXvzKwK6oZPiw%3D7fq2Rvbaj6TFZ7hh7vyZL3m0Q3Q%40mail.gmail.com.
