
I want to use the Google Cloud Natural Language API with its Node.js lib. For authentication, I use a service account as suggested by the docs. The docs suggest using the role "Owner", but for production "more granular" permissions. Unfortunately they don't mention the available roles. Nor do I find roles in the IAM docs, where I usually look up roles/permissions.

Which roles are available for the NLP API? There are AutoML roles, and as AutoML is related to NLP, maybe they fit?

My tests have shown that it actually doesn't matter which role I use. Even something like "BigQuery MetadataViewer" will grant access to the NLP API?! However, I would like to use the correct role instead of a random one, or sometime later stuff will break.

And to add to the confusion, the API keys doc says that the NLP API is only accessible via API key, but the NLP doc itself tells you to use a service account. I guess the API key is legacy information.

pHiL
  • When it comes to IAM, I usually think about negative ramifications of inappropriate access. For example, deleting a file or inserting a record in a database. My understanding of NLP is that I give a piece of text and it comes back with annotations on what that text contains. This then begs the question ... other than the cost of using the service, what if any negative ramification could result from invoking NLP? What roles might possibly make sense for this service? – Kolban Jul 31 '19 at 18:53
  • Well, I use IAM per service for security reasons, and every service only gets the permissions it really needs. So the attack surface is minimized in case of a breach in a microservice. Also, being able to break down which key caused which cost helps a lot – pHiL Aug 02 '19 at 16:34

1 Answer


Cloud Natural Language uses AutoML roles since it is part of the AutoML products. At this moment AutoML has these roles: AutoML Admin, AutoML Editor, AutoML Predictor and AutoML Viewer.

You have to analyze which roles you will use in your application, and once you determine that you can decide which type of roles fits your app; remember that with custom roles you can define the access level you need for your users.

Keep in mind that a service account is a special type of Google account and is not attached to a user; thus, the resources which use that service account don't need end-user authentication, which is why it is recommended to use a service account when you are working with a client library (Node.JS).

Enrique Zetina
  • Thanks. I'll use an AutoML role then. I know GCP and IAM quite well, btw. API key vs. service account is still confusing for the NLP API. It's still listed as "only available via API key", like the Maps API – pHiL Aug 02 '19 at 16:29
  • I think that "only available via API key" means that only the APIs mentioned should be used with an API key, and it is not possible to use API keys to restrict access to specific users or service accounts. – Enrique Zetina Aug 02 '19 at 22:00
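A small audit over a project IAM policy, as an added example (not from the question, the answer, or Google's own tooling): it lists the roles bound to each service account and flags any outside an allowlist built from the AutoML roles named in the answer, so a service account left on "Owner" or on an unrelated role like "BigQuery MetadataViewer" shows up. The policy document, project name and service-account names are constructed, and the allowlist is an assumption you would adjust to your own deployment.

```python
"""Audit a GCP project IAM policy for over-privileged service accounts.

Input shape matches `gcloud projects get-iam-policy PROJECT --format=json`
(a "bindings" list of {role, members}). The policy below is constructed sample data.
"""
import json

# Assumed least-privilege allowlist: the AutoML roles the answer names,
# narrowed to the two that only read/predict. Adjust for your own workload.
ALLOWED_ROLES = {
    "roles/automl.predictor",
    "roles/automl.viewer",
}

# Constructed sample policy: one service account still bound to Owner (the
# quick-start default), one on AutoML Predictor, one on an unrelated role.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["serviceAccount:nlp-dev@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/automl.predictor",
         "members": ["serviceAccount:nlp-prod@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/bigquery.metadataViewer",
         "members": ["serviceAccount:nlp-dev@example-project.iam.gserviceaccount.com"]},
    ]
})


def roles_by_service_account(policy_json):
    """Map each serviceAccount member to the set of roles bound to it."""
    policy = json.loads(policy_json)
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                result.setdefault(member, set()).add(binding["role"])
    return result


def find_overprivileged(policy_json, allowed=ALLOWED_ROLES):
    """Return {member: sorted roles outside the allowlist}; empty dict means clean."""
    findings = {}
    for member, roles in roles_by_service_account(policy_json).items():
        extra = sorted(roles - allowed)
        if extra:
            findings[member] = extra
    return findings


if __name__ == "__main__":
    for member, extra in find_overprivileged(SAMPLE_POLICY).items():
        print(f"{member}: unexpected roles {extra}")
```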