Quickstart: Set up the Document AI API

This guide provides all required setup steps to start using Document AI.

About the Google Cloud console

The Google Cloud console is a web UI used to provision, configure, manage, and monitor systems that use Google Cloud products. You use the Google Cloud console to set up and manage Document AI resources.

Create a project

To use services provided by Google Cloud, you must create a project, which organizes all your Google Cloud resources and consists of the following components:

  • A set of collaborators
  • Enabled APIs (and other resources)
  • Monitoring tools
  • Billing information
  • Authentication and access controls
  • Document AI processors

You can create one project, or you can create multiple projects. You can use your projects to organize your Google Cloud resources in a resource hierarchy. For more information on projects, see the Resource Manager documentation.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Enable the API

You must enable the Document AI API for your project. For more information on enabling APIs, see the Service Usage documentation.

Enable the Document AI API.

Enable the API

Enable billing

A billing account defines who pays for a given set of resources. Billing accounts can be linked to one or more projects. Project usage is charged to the linked billing account. You configure billing when you create a project. For more information, see the Billing documentation.

Make sure that billing is enabled for your Google Cloud project.

Locations

Document AI offers you some control over where the resources for your project are stored and processed. In particular, when you create a processor, you must choose a location to store and process your data. By default Document AI stores and processes resources in a US location. If you choose the European Union location, your data and processes are only stored in the European Union.

Setting location using API

You must specify your processor's location whenever you send a processing request using the API. For example, if your processor is configured to store and process your data in the European Union, then use the URI eu-documentai.googleapis.com as follows:

Process
  • https://eu-documentai.googleapis.com/v1/projects/$PROJECT_ID/locations/eu/processors/$PROCESSOR_ID:process
  • https://eu-documentai.googleapis.com/v1beta3/projects/$PROJECT_ID/locations/eu/processors/$PROCESSOR_ID:process
batchProcess
  • https://eu-documentai.googleapis.com/v1/projects/$PROJECT_ID/locations/eu/processors/$PROCESSOR_ID:batchProcess
  • https://eu-documentai.googleapis.com/v1beta3/projects/$PROJECT_ID/locations/eu/processors/$PROCESSOR_ID:batchProcess

Install the Document AI API client library

You have three options for calling the Document AI API:

The client libraries are available for several popular languages. For information on installing the client libraries, see Document AI API client libraries.

Set up authentication

Any client application that uses the API must be authenticated and granted access to the requested resources. This section describes important authentication concepts and provides steps for setting it up. For more information, see the Authentication overview.

About roles

When calling an API, Google Cloud requires the calling identity (any applicable person, entity, or process and their defined attributes) to have the appropriate permissions. You can grant permissions by granting roles to a service account. For more information, see the Identity and Access Management (IAM) documentation.

For the purpose of trying the Document AI API, you can use the Project > Owner role in steps below. The Project > Owner role grants the service account full permission to resources in your project. If your service account does not require full permissions, you specify a more restrictive role using the Google Cloud console. For a list of permissions and roles for Document AI, see Document AI permissions and Document AI roles. For information on managing permissions using IAM roles, see granting roles to service accounts.

About service accounts

There are multiple options for authentication, but it is recommended that you use service accounts for authentication and access control. A service account provides credentials for applications, as opposed to individuals. Projects own their service accounts. You can create many service accounts for a project. For more information, see Service accounts.

About service account keys

Service accounts are associated with one or more public/private key pairs. When you create a new key pair, you download the private key. The Google Cloud CLI uses your private key to generate credentials when calling the API. You are responsible for security of the private key and other management operations, such as key rotation.

Create a service account and download the private key file

Create a service account:

  1. In the Google Cloud console, go to the Create service account page.

    Go to Create service account
  2. Select your project.
  3. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

    In the Service account description field, enter a description. For example, Service account for quickstart.

  4. Click Create and continue.
  5. Grant the Project > Owner role to the service account.

    To grant the role, find the Select a role list, then select Project > Owner.

  6. Click Continue.
  7. Click Done to finish creating the service account.

    Do not close your browser window. You will use it in the next step.

Create a service account key:

  1. In the Google Cloud console, click the email address for the service account that you created.
  2. Click Keys.
  3. Click Add key, and then click Create new key.
  4. Click Create. A JSON key file is downloaded to your computer.
  5. Click Close.

Use the service account key file in your environment

Provide authentication credentials to your application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS. This variable applies only to your current shell session. If you want the variable to apply to future shell sessions, set the variable in your shell startup file, for example in the ~/.bashrc or ~/.profile file.

Linux or macOS

export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

Replace KEY_PATH with the path of the JSON file that contains your credentials.

For example:

export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"

Windows

For PowerShell:

$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

Replace KEY_PATH with the path of the JSON file that contains your credentials.

For example:

$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"

For command prompt:

set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH

Replace KEY_PATH with the path of the JSON file that contains your credentials.

Install and initialize the Google Cloud CLI (optional)

The gcloud CLI provides a set of tools that you can use to manage resources and applications hosted on Google Cloud.

The following link provides instructions:

Install the Google Cloud CLI, then initialize it by running the following command:

gcloud init

Test client libraries and authentication

If you have set up authentication in previous steps, you can use the gcloud CLI to test your authentication environment. Execute the following command and verify that no error occurs and that credentials are returned:

gcloud auth application-default print-access-token

That command is used by all Document AI API command line REST samples to authenticate API calls.

Cross project file access setup

When you set up your Document AI processor in one project, you might want this project to access input files stored in a different project in the same org that hosts Document AI processors.

To allow cross-project access, you must grant the Storage Object Viewer role to the default Document AI service account, as shown in the following figure.

setup-1

Example

  • Suppose project A hosts Document AI processors, and optionally hosts a bucket to which processor output is written.
  • Project B owns the bucket that contains input files for Document AI processors.
  • To make files in project B accessible to project A, you must grant Storage Object Viewer permissions for the input bucket in project B to the Document AI service account of project A.

    setup-2

For more information about IAM and Storage Object Viewer, see IAM roles for Cloud Storage.

Built-in service accounts

A Document AI service account follows this naming convention:

service-{project number}@gcp-sa-prod-dai-core.iam.gserviceaccount.com

Example: service-361747088407@gcp-sa-prod-dai-core.iam.gserviceaccount.com

setup-3

Next Steps: Use cases

After the Document AI API has been enabled, then Document AI processors can be created and used. Which type of processor is best depends on your use case.