Re: [google-appengine] Google Translate API & Permissions

[wesley chun]

All, I'm happy to announce that I've finally published the blog post

(Tweet

& FB post

for sharing) I promised. Summarizing the 2 things that would've improved
Joshua's initial experience:

   1. Awareness of the *Google Cloud client libraries* (he used the Google
   APIs client libraries, lower-level and somewhat more challenging) — I'm
   working on a follow-up post explaining why we have two different types of
   client libraries and when you'd use one vs. the other.
   2. Awareness of *default service accounts* — these exist for all our
   serverless platforms and come pre-baked w/enough IAM permissions to get a
   prototype working; that gives you more time to research specific IAM
   roles/perms the app will need when you get closer to production.

The point is to make products that people can get started on without much
friction but also allow for more sophisticated usage as needed. I've also
provided Joshua's feedback directly to folks on our serverless platform
teams. Anyway, hope this helps and please let me know if you have any
questions; also reshare as desired to your developer social networks! (BTW,
thx for the kind words Eric!)

Cheers,
--Wesley

On Sat, May 8, 2021 at 6:09 AM Eric Hardy  wrote:

> Thank you Wesley.  I appreciate your efforts.  I want to spend more time
> site building than wrestling with a cloud platform.  I will follow the
> above mentioned links to nut this out.
>
> On Sat, May 8, 2021 at 9:20 AM wesley chun  wrote:
>
>> @Joshua: your inquiry inspired me to do some research into this issue
>> over the past few months resulting in the following:
>>
>> 1. *Use Cloud client libraries:* yep, your experience was not fun for
>> any developer looking to use a Cloud API (whether App Engine or a simple
>> cmd-line script). One solution is to avoid the Google APIs client library
>>  and use the Google
>> Cloud client libraries
>>  instead, and
>> in your case just the one for Cloud Translation
>> (basic/v2
>>  or
>> advanced/v3
>> ).
>> (I'm also working on a blog post to outline the differences between these 
>> *platform
>> vs. product* client libraries, so stay tuned for that.) With the Cloud
>> Translation client library (which hides a lot of low-level details), your
>> code sample can be as simple as:
>>
>> from __future__ import print_function
>> import google.auth
>> from google.cloud import translate
>>
>> TRANSLATE = translate.TranslationServiceClient()
>> _, PROJECT_ID = google.auth.default()
>> PARENT = 'projects/{}'.format(PROJECT_ID)
>> TARGET_LANG = 'es'
>> TEXT = 'Hello world'
>> DATA = {
>> 'parent': PARENT,
>> 'contents': [TEXT],
>> 'target_language_code': TARGET_LANG,
>> }
>> try:# Python 3/advanced/v3
>> rsp = TRANSLATE.translate_text(request=DATA)
>> except TypeError:   # Python 2/basic/v2
>> rsp = TRANSLATE.translate_text(**DATA)
>> print(TEXT, '=', rsp.translations[0].translated_text)
>>
>> It works in Python 2 and 3 without any modification:
>>
>> $ python2 translate_demo2.py
>> Hello world = Hola Mundo
>> $ python3 translate_demo2.py
>> Hello world = Hola Mundo
>>
>> You should be able to just drop something like this right into your App
>> Engine code (plus the necessary stuff in app.yaml and requirements.txt).
>> App Engine comes with a default service account
>> ,
>> so you don't need to mess with all you did unless you need to (create a
>> separate service account and public/private key-pair) for other reasons. To
>> run this script *locally* (as I did above), you *do* need to do that
>> (create a service acct & keypair, download the JSON credentials file to
>> your local system, then point GOOGLE_APPLICATION_CREDENTIALS to it), but
>> not on App Engine (nor Cloud Functions nor Cloud Run) as *all 3* have
>> default service accounts.
>>
>> 2. *Sample app:* I created a simple Python 2 GAE app that uses that
>> Cloud Translation code to get an idea of what you went through and
>> discovered it wasn't that bad if the product client library is used. Then I
>> wanted to see how challenging it would be to port it to Python 3 (since you
>> got to at some point) as well as running it locally. Then I though

Re: [google-appengine] Google Translate API & Permissions

[Eric Hardy]

Thank you Wesley.  I appreciate your efforts.  I want to spend more time
site building than wrestling with a cloud platform.  I will follow the
above mentioned links to nut this out.

On Sat, May 8, 2021 at 9:20 AM wesley chun  wrote:

> @Joshua: your inquiry inspired me to do some research into this issue over
> the past few months resulting in the following:
>
> 1. *Use Cloud client libraries:* yep, your experience was not fun for any
> developer looking to use a Cloud API (whether App Engine or a simple
> cmd-line script). One solution is to avoid the Google APIs client library
>  and use the Google
> Cloud client libraries
>  instead, and
> in your case just the one for Cloud Translation
> (basic/v2
>  or
> advanced/v3
> ).
> (I'm also working on a blog post to outline the differences between these 
> *platform
> vs. product* client libraries, so stay tuned for that.) With the Cloud
> Translation client library (which hides a lot of low-level details), your
> code sample can be as simple as:
>
> from __future__ import print_function
> import google.auth
> from google.cloud import translate
>
> TRANSLATE = translate.TranslationServiceClient()
> _, PROJECT_ID = google.auth.default()
> PARENT = 'projects/{}'.format(PROJECT_ID)
> TARGET_LANG = 'es'
> TEXT = 'Hello world'
> DATA = {
> 'parent': PARENT,
> 'contents': [TEXT],
> 'target_language_code': TARGET_LANG,
> }
> try:# Python 3/advanced/v3
> rsp = TRANSLATE.translate_text(request=DATA)
> except TypeError:   # Python 2/basic/v2
> rsp = TRANSLATE.translate_text(**DATA)
> print(TEXT, '=', rsp.translations[0].translated_text)
>
> It works in Python 2 and 3 without any modification:
>
> $ python2 translate_demo2.py
> Hello world = Hola Mundo
> $ python3 translate_demo2.py
> Hello world = Hola Mundo
>
> You should be able to just drop something like this right into your App
> Engine code (plus the necessary stuff in app.yaml and requirements.txt).
> App Engine comes with a default service account
> ,
> so you don't need to mess with all you did unless you need to (create a
> separate service account and public/private key-pair) for other reasons. To
> run this script *locally* (as I did above), you *do* need to do that
> (create a service acct & keypair, download the JSON credentials file to
> your local system, then point GOOGLE_APPLICATION_CREDENTIALS to it), but
> not on App Engine (nor Cloud Functions nor Cloud Run) as *all 3* have
> default service accounts.
>
> 2. *Sample app:* I created a simple Python 2 GAE app that uses that Cloud
> Translation code to get an idea of what you went through and discovered it
> wasn't that bad if the product client library is used. Then I wanted to see
> how challenging it would be to port it to Python 3 (since you got to at
> some point) as well as running it locally. Then I thought, "Why not try to
> throw the app into a Docker container for Cloud Run?" *Bottom-line*:
> today I pushed to GitHub this "nebulous" sample app
>  that
> can be deployed (at least) 8 different ways w/just minor config changes.
> Eh, I'll write up a blog post on this one too when I get a chance.
>
> I know the challenges weren't fun to deal with, but I hope these can help
> you and other developers!
> --Wesley
>
> On Mon, Dec 7, 2020 at 10:10 AM Joshua Smith 
> wrote:
>
>> This problem is more systemic than that. The documentation lacks a
>> step-by-step how-to. I understand that there are a lot of options, but I'm
>> pretty sure my use case is very common:
>>
>> 1. I have a google app engine app
>> 2. I want to call the translation API from that app
>>
>> I figured out how to do that from the translation API docs, but I lacked
>> permission.
>>
>> I could not find any step by step instructions for giving permission. I
>> found this:
>>
>> https://cloud.google.com/translate/docs/setup
>>
>> which pointed me to this:
>>
>> https://cloud.google.com/iam/docs/understanding-roles
>>
>> at which point a normal human is going to be ready to give up. Look at
>> that second page! It's an endless stream of gobledegook.
>>
>> After getting the pointer from Amit that I need to add the role to IAM, I
>> went to IAM & Admin in my console, and selected "roles". Spoiler alert:
>> this is not where you do this.
>>
>> Amit mentioned "service accounts" so I went looking for that. I chose the
>> "Service Accounts" section. I see my service account, and it has a "..."
>> Actions menu. None of those actions are about adding roles.
>>
>> I click on the link for my service account, and see there's a tab for
>> "permissions". Doesn't seem to be any

Re: [google-appengine] Google Translate API & Permissions

[wesley chun]

@Joshua: your inquiry inspired me to do some research into this issue over
the past few months resulting in the following:

1. *Use Cloud client libraries:* yep, your experience was not fun for any
developer looking to use a Cloud API (whether App Engine or a simple
cmd-line script). One solution is to avoid the Google APIs client library
 and use the Google Cloud
client libraries 
instead, and in your case just the one for Cloud Translation
(basic/v2
 or
advanced/v3
).
(I'm also working on a blog post to outline the differences between
these *platform
vs. product* client libraries, so stay tuned for that.) With the Cloud
Translation client library (which hides a lot of low-level details), your
code sample can be as simple as:

from __future__ import print_function
import google.auth
from google.cloud import translate

TRANSLATE = translate.TranslationServiceClient()
_, PROJECT_ID = google.auth.default()
PARENT = 'projects/{}'.format(PROJECT_ID)
TARGET_LANG = 'es'
TEXT = 'Hello world'
DATA = {
'parent': PARENT,
'contents': [TEXT],
'target_language_code': TARGET_LANG,
}
try:# Python 3/advanced/v3
rsp = TRANSLATE.translate_text(request=DATA)
except TypeError:   # Python 2/basic/v2
rsp = TRANSLATE.translate_text(**DATA)
print(TEXT, '=', rsp.translations[0].translated_text)

It works in Python 2 and 3 without any modification:

$ python2 translate_demo2.py
Hello world = Hola Mundo
$ python3 translate_demo2.py
Hello world = Hola Mundo

You should be able to just drop something like this right into your App
Engine code (plus the necessary stuff in app.yaml and requirements.txt).
App Engine comes with a default service account
,
so you don't need to mess with all you did unless you need to (create a
separate service account and public/private key-pair) for other reasons. To
run this script *locally* (as I did above), you *do* need to do that
(create a service acct & keypair, download the JSON credentials file to
your local system, then point GOOGLE_APPLICATION_CREDENTIALS to it), but
not on App Engine (nor Cloud Functions nor Cloud Run) as *all 3* have
default service accounts.

2. *Sample app:* I created a simple Python 2 GAE app that uses that Cloud
Translation code to get an idea of what you went through and discovered it
wasn't that bad if the product client library is used. Then I wanted to see
how challenging it would be to port it to Python 3 (since you got to at
some point) as well as running it locally. Then I thought, "Why not try to
throw the app into a Docker container for Cloud Run?" *Bottom-line*: today
I pushed to GitHub this "nebulous" sample app
 that
can be deployed (at least) 8 different ways w/just minor config changes.
Eh, I'll write up a blog post on this one too when I get a chance.

I know the challenges weren't fun to deal with, but I hope these can help
you and other developers!
--Wesley

On Mon, Dec 7, 2020 at 10:10 AM Joshua Smith 
wrote:

> This problem is more systemic than that. The documentation lacks a
> step-by-step how-to. I understand that there are a lot of options, but I'm
> pretty sure my use case is very common:
>
> 1. I have a google app engine app
> 2. I want to call the translation API from that app
>
> I figured out how to do that from the translation API docs, but I lacked
> permission.
>
> I could not find any step by step instructions for giving permission. I
> found this:
>
> https://cloud.google.com/translate/docs/setup
>
> which pointed me to this:
>
> https://cloud.google.com/iam/docs/understanding-roles
>
> at which point a normal human is going to be ready to give up. Look at
> that second page! It's an endless stream of gobledegook.
>
> After getting the pointer from Amit that I need to add the role to IAM, I
> went to IAM & Admin in my console, and selected "roles". Spoiler alert:
> this is not where you do this.
>
> Amit mentioned "service accounts" so I went looking for that. I chose the
> "Service Accounts" section. I see my service account, and it has a "..."
> Actions menu. None of those actions are about adding roles.
>
> I click on the link for my service account, and see there's a tab for
> "permissions". Doesn't seem to be anywhere I can give it permissions there.
>
> Honestly, I've just given up again. I know that by fumbling around in the
> console I eventually ended up on a page where it wanted me to type an email
> address. And I eventually figured out that it wanted the email address of
> the service account. But for the life of me, I can't find that now.
>
> You need to write a how-to for giving an app engine app permission t

Re: [google-appengine] Google Translate API & Permissions

[Joshua Smith]

This problem is more systemic than that. The documentation lacks a step-by-step 
how-to. I understand that there are a lot of options, but I'm pretty sure my 
use case is very common:

1. I have a google app engine app
2. I want to call the translation API from that app

I figured out how to do that from the translation API docs, but I lacked 
permission.

I could not find any step by step instructions for giving permission. I found 
this:

https://cloud.google.com/translate/docs/setup

which pointed me to this:

https://cloud.google.com/iam/docs/understanding-roles

at which point a normal human is going to be ready to give up. Look at that 
second page! It's an endless stream of gobledegook.

After getting the pointer from Amit that I need to add the role to IAM, I went 
to IAM & Admin in my console, and selected "roles". Spoiler alert: this is not 
where you do this.

Amit mentioned "service accounts" so I went looking for that. I chose the 
"Service Accounts" section. I see my service account, and it has a "..." 
Actions menu. None of those actions are about adding roles.

I click on the link for my service account, and see there's a tab for 
"permissions". Doesn't seem to be anywhere I can give it permissions there.

Honestly, I've just given up again. I know that by fumbling around in the 
console I eventually ended up on a page where it wanted me to type an email 
address. And I eventually figured out that it wanted the email address of the 
service account. But for the life of me, I can't find that now.

You need to write a how-to for giving an app engine app permission to access an 
API. Or if such a thing already exists, you need to elevate it to make it 
findable.

-Joshua

> On Dec 4, 2020, at 2:17 PM, wesley chun  wrote:
> 
> Thanks for your feedback Joshua. Can you take a screenshot of the Cloud 
> Console where you think there should be a message or that is misleading, then 
> go to the appropriate page in the documentation you think additional 
> messaging would help, and click on the "Send feedback" button in the upper 
> right corner of that page? The tool will also let you highlight where on the 
> docs page your messaging should go. This will greatly help the team analyze 
> your feedback and take appropriate action as necessary.
> 
> Cheers,
> --Wesley
> 
> On Fri, Nov 20, 2020 at 5:33 AM Joshua Smith  > wrote:
> That worked. Thank you so much.
> 
> You guys need to work on your documentation. I never could have figured that 
> out myself. And the process of adding that role to the service account was 
> also weird. (The UX is asking for the email of a new user, when what I need 
> to add is a service account that isn’t a new user, and isn’t even really an 
> email.)
> 
> -Joshua
> 
>> On Nov 19, 2020, at 2:19 PM, 'Amit Sinha' via Google App Engine 
>> > > wrote:
>> 
>> Hello Joshua, could you try to add the “Cloud Translation API User” role in 
>> the service account from IAM? As of this [1] documentation, it includes the 
>> permission that showing in the error.
>> 
>> [1] 
>> https://cloud.google.com/iam/docs/understanding-roles#cloud-translation-roles
>>  
>> 
>> On Monday, November 16, 2020 at 2:23:03 PM UTC-5 Joshua Smith wrote:
>> I don’t think Google could have come up with a more confusing and convoluted 
>> system for API permission management if they tried.
>> 
>> So I’ve enabled the “cloud translation” API within my project.
>> 
>> I have some Python (2.7, old school) code that goes:
>> 
>> credentials = 
>> ServiceAccountCredentials.from_json_keyfile_name(CLIENT_SECRETS_FILE, 
>> scopes=['https://www.googleapis.com/auth/cloud-platform’ 
>> ])
>> http_auth = credentials.authorize(Http())
>> service = build("translation", "v3", http=http_auth)
>> service.projects().translateText(parent=“projects/my-project-id-here",body={"contents":"bonjour",
>>  "targetLanguageCode":"en"}).execute()
>> 
>> And I get:
>> 
>> googleapiclient.errors.HttpError: > https://translation.googleapis.com/v3/projects/ 
>> my-project-id-here:translateText?alt=json
>>  returned "Cloud IAM permission 'cloudtranslate.generalModels.predict' 
>> denied.">
>> 
>> So it seems like I need to check some box somewhere to make this work, but I 
>> can’t figure out where.
>> 
>> The service account in the client secrets file is working fine when I use it 
>> to hit Google Analytics from the same app. And in fact, my code to access GA 
>> is almost identical except the scope and service call.
>> 
>> Any ideas?
>> 
>> -Joshua
>> 
>> 
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Google App Engine" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to google-appengine+unsubscr..

Re: [google-appengine] Google Translate API & Permissions

[wesley chun]

Thanks for your feedback Joshua. Can you take a screenshot of the Cloud
Console where you think there should be a message or that is misleading,
then go to the appropriate page in the documentation you think additional
messaging would help, and click on the "Send feedback" button in the upper
right corner of that page? The tool will also let you highlight where on
the docs page your messaging should go. This will greatly help the team
analyze your feedback and take appropriate action as necessary.

Cheers,
--Wesley

On Fri, Nov 20, 2020 at 5:33 AM Joshua Smith 
wrote:

> That worked. Thank you so much.
>
> You guys need to work on your documentation. I never could have figured
> that out myself. And the process of adding that role to the service account
> was also weird. (The UX is asking for the email of a new user, when what I
> need to add is a service account that isn’t a new user, and isn’t even
> really an email.)
>
> -Joshua
>
> On Nov 19, 2020, at 2:19 PM, 'Amit Sinha' via Google App Engine <
> google-appengine@googlegroups.com> wrote:
>
> *Hello Joshua, could you try to add the “Cloud Translation API User” role
> in the service account from IAM? As of this [1] documentation, it includes
> the permission that showing in the error.[1]
> https://cloud.google.com/iam/docs/understanding-roles#cloud-translation-roles
> *
> On Monday, November 16, 2020 at 2:23:03 PM UTC-5 Joshua Smith wrote:
>
>> I don’t think Google could have come up with a more confusing and
>> convoluted system for API permission management if they tried.
>>
>> So I’ve enabled the “cloud translation” API within my project.
>>
>> I have some Python (2.7, old school) code that goes:
>>
>> credentials =
>> ServiceAccountCredentials.from_json_keyfile_name(CLIENT_SECRETS_FILE,
>> scopes=['https://www.googleapis.com/auth/cloud-platform’])
>> http_auth = credentials.authorize(Http())
>> service = build("translation", "v3", http=http_auth)
>> service.projects().translateText(parent=“projects/*my-project-id-here*",body={"contents":"bonjour",
>> "targetLanguageCode":"en"}).execute()
>>
>> And I get:
>>
>> googleapiclient.errors.HttpError: > https://translation.googleapis.com/v3/projects/*my-project-id-here*:translateText?alt=json
>> returned "Cloud IAM permission 'cloudtranslate.generalModels.predict'
>> denied.">
>>
>> So it seems like I need to check some box somewhere to make this work,
>> but I can’t figure out where.
>>
>> The service account in the client secrets file is working fine when I use
>> it to hit Google Analytics from the same app. And in fact, my code to
>> access GA is almost identical except the scope and service call.
>>
>> Any ideas?
>>
>> -Joshua
>>
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to google-appengine+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/google-appengine/38511647-af55-4440-b8a9-47a2d26e1f42n%40googlegroups.com
> 
> .
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to google-appengine+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/google-appengine/96693B33-8943-4948-8444-7F9ABAAAB70D%40gmail.com
> 
> .
>


-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"A computer never does what you want... only what you tell it."
wesley chun :: @wescpy  :: Software
Architect & Engineer
Developer Advocate at Google Cloud by day; at night...
Python training & consulting : http://CyberwebConsulting.com
"Core Python" books : http://CorePython.com
Python blog: http://wescpy.blogspot.com

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/CAB6eaA6qha4NWpPqtRQvSt3v86vPwJQ02j%3D_UtFT8w5m6KnHGQ%40mail.gmail.com.

Re: [google-appengine] Google Translate API & Permissions

[Joshua Smith]

That worked. Thank you so much.

You guys need to work on your documentation. I never could have figured that 
out myself. And the process of adding that role to the service account was also 
weird. (The UX is asking for the email of a new user, when what I need to add 
is a service account that isn’t a new user, and isn’t even really an email.)

-Joshua

> On Nov 19, 2020, at 2:19 PM, 'Amit Sinha' via Google App Engine 
>  wrote:
> 
> Hello Joshua, could you try to add the “Cloud Translation API User” role in 
> the service account from IAM? As of this [1] documentation, it includes the 
> permission that showing in the error.
> 
> [1] 
> https://cloud.google.com/iam/docs/understanding-roles#cloud-translation-roles
> 
> On Monday, November 16, 2020 at 2:23:03 PM UTC-5 Joshua Smith wrote:
> I don’t think Google could have come up with a more confusing and convoluted 
> system for API permission management if they tried.
> 
> So I’ve enabled the “cloud translation” API within my project.
> 
> I have some Python (2.7, old school) code that goes:
> 
> credentials = 
> ServiceAccountCredentials.from_json_keyfile_name(CLIENT_SECRETS_FILE, 
> scopes=['https://www.googleapis.com/auth/cloud-platform’ 
> ])
> http_auth = credentials.authorize(Http())
> service = build("translation", "v3", http=http_auth)
> service.projects().translateText(parent=“projects/my-project-id-here",body={"contents":"bonjour",
>  "targetLanguageCode":"en"}).execute()
> 
> And I get:
> 
> googleapiclient.errors.HttpError:  https://translation.googleapis.com/v3/projects/ 
> my-project-id-here:translateText?alt=json
>  returned "Cloud IAM permission 'cloudtranslate.generalModels.predict' 
> denied.">
> 
> So it seems like I need to check some box somewhere to make this work, but I 
> can’t figure out where.
> 
> The service account in the client secrets file is working fine when I use it 
> to hit Google Analytics from the same app. And in fact, my code to access GA 
> is almost identical except the scope and service call.
> 
> Any ideas?
> 
> -Joshua
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Google App Engine" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to google-appengine+unsubscr...@googlegroups.com 
> .
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/google-appengine/38511647-af55-4440-b8a9-47a2d26e1f42n%40googlegroups.com
>  
> .

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/96693B33-8943-4948-8444-7F9ABAAAB70D%40gmail.com.