Authenticating to the Video Intelligence API

This page describes what a service account is, how to create one to authenticate requests to the Video Intelligence API, and how to use your service account to set Application Default Credentials.

To allow your application code to use the Video Intelligence API, you must set up the proper credentials for your application to authenticate its identity to the service and to obtain authorization to perform tasks. (These credential-related mechanisms are known as auth schemes.)

Google Cloud API authentication and authorization (commonly grouped together as "auth") is typically done using a service account. A service account allows your code to send application credentials directly to the Video Intelligence API. A service account, like a user account, is represented by an email address. Unlike a user account, a service account is associated only with an application.

Enabling the API

Before you can authenticate, you must first enable the Video Intelligence API.

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Cloud Console, on the project selector page, select or create a Cloud project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.

  4. Enable the Cloud Video Intelligence API.

    Enable the API

  5. Set up authentication:
    1. In the Cloud Console, go to the Create service account key page.

      Go to the Create Service Account Key page
    2. From the Service account list, select New service account.
    3. In the Service account name field, enter a name.
    4. Don't select a value from the Role list. No role is required to access this service.
    5. Click Create. A note appears, warning that this service account has no role.
    6. Click Create without role. A JSON file that contains your key downloads to your computer.
  6. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your service account key. This variable only applies to your current shell session, so if you open a new session, set the variable again.

  7. Install and initialize the Cloud SDK.

Creating a service account in the Cloud Console

To create a service account using the Google Cloud Console, do the following:

  1. From the Cloud Console Credentials page, select Create credentials > Service account key.

  2. Next, under Service account select New service account.

  3. In the Service account name box, enter a name for your service account. This name is used as the default name for your Service account ID (to the left of the "@" in the generated service account ID address), but you can change this service account ID name. These names are arbitrary; it is only important that you remember them.

  4. Under Key type select JSON for most new projects.

  5. Click Create.

The Cloud Console then generates a JSON key (as a .json text file), prompts you to download the file to your computer, and displays a Service account created dialog box.

The generated JSON key will be similar to the following sample JSON key:

  {
    "type": "service_account",
    "project_id": "project-id",
    "private_key_id": "some_number",
    "private_key": "-----BEGIN PRIVATE KEY-----\n....=\n-----END PRIVATE KEY-----\n",
    "client_email": "<api-name>",
    "client_id": "...",
    "auth_uri": "",
    "token_uri": "",
    "auth_provider_x509_cert_url": "",
    "client_x509_cert_url": "<api-name>"
  }

Store this JSON file securely, as it contains your private key (and this file is the only copy of that key). You must refer to this service account key file within your code when you send annotation requests to the Video Intelligence API.

Authenticating with Application Default Credentials

The simplest way for applications to authenticate to the Video Intelligence API is by using Application Default Credentials (ADC). Services using ADC first search for credentials in the GOOGLE_APPLICATION_CREDENTIALS environment variable. Unless you specifically require ADC to use other credentials (for example, user credentials), you should set this environment variable to point to your service account key file (the .json file downloaded when you created a service account key).

$ export GOOGLE_APPLICATION_CREDENTIALS=path_to_service_account_file
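A preflight check for the two points above (the key file holds the only copy of your private key, and ADC locates it through GOOGLE_APPLICATION_CREDENTIALS). This is an added example, not part of the original documentation or of any Google library. The function names and the owner-only (chmod 600) policy are assumptions of this example; the required fields are those shown in the sample key earlier on this page.

```python
import json
import os
import stat

# Fields from the sample key on this page that must be present and non-empty.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def check_key_file(path):
    """Return a list of problems with a service account key file (empty list = OK)."""
    problems = []
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]
    # The file contains the private key, so only the owner should have access.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"mode {mode:04o} lets group/other access the key; use chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:  # JSON and decoding errors are ValueErrors
        return problems + [f"not readable as JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    if key.get("type") != "service_account":
        problems.append('"type" is not "service_account"')
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f'missing or empty field "{field}"')
    if "BEGIN PRIVATE KEY" not in str(key.get("private_key", "")):
        problems.append('"private_key" does not look like a PEM private key')
    return problems


def check_adc_environment(environ=os.environ):
    """Check the key file that ADC would pick up from the environment."""
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set in this session"]
    return check_key_file(path)


if __name__ == "__main__":
    for line in check_adc_environment() or ["key file passes all checks"]:
        print(line)
```

Run it in the same shell session in which you exported the variable, because the variable does not carry over to new sessions.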