This guide provides all required setup steps to start using Cloud Vision. It also provides advice for possible cleanup steps after trying or testing Cloud Vision.
About the Google Cloud Console
The Google Cloud Console (visit documentation, open console) is a web UI used to provision, configure, manage, and monitor systems that use Google Cloud products. You use the Google Cloud Console to set up and manage Vision resources.
Create a project
To use services provided by Google Cloud, you must create a project. A project organizes all your Google Cloud resources. A project consists of a set of collaborators, enabled APIs (and other resources), monitoring tools, billing information, and authentication and access controls. You can create one project, or you can create multiple projects and use them to organize your Google Cloud resources in a resource hierarchy. When creating a project, take note of the project ID. You will need this ID to make API calls. For more information on projects, see the Resource Manager documentation.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Enable billing
A billing account is used to define who pays for a given set of resources, and it can be linked to one or more projects. Project usage is charged to the linked billing account. In most cases, you configure billing when you create a project. For more information, see the Billing documentation.
Make sure that billing is enabled for your Google Cloud project.
Enable the API
You must enable the Vision API for your project. For more information on enabling APIs, see the Service Usage documentation.
Enable the Vision API.
Install and initialize the Google Cloud CLI
If you plan to use the Vision API, you need to install and initialize the Google Cloud CLI. The gcloud CLI is a set of tools that you can use to manage resources and applications hosted on Google Cloud.
The following link provides instructions:
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
Set up authentication and access control
If you plan to use the Vision API, you need to set up authentication. Any client application that uses the API must be authenticated and granted access to the requested resources. This section describes important authentication concepts and provides steps for setting it up. For more information, see the Google Cloud authentication overview.
Authentication with user accounts
User accounts are the best authentication option when learning the Vision API and for local development. You can utilize your user account to authenticate for either REST command line executions or client library calls.
REST command line user account authentication
To authenticate for REST command line calls,
you use the gcloud CLI.
The
gcloud auth login
command logs you in to gcloud with your user account,
which should be done before calling the API.
The
gcloud auth print-access-token
command is used throughout the REST command line samples in this documentation
to authenticate REST calls.
To create user credentials for your local environment:
gcloud auth login
Client library user account authentication
To authenticate for client library calls,
you use the gcloud CLI.
The
gcloud auth application-default login
command logs you in to gcloud for application default credentials with your user account,
which should be done before calling the API.
The
gcloud auth application-default set-quota-project
command must be used to set your project for billing and quotas
related to API calls.
Normally, this is the same project used by your agent,
and you supply the project ID for the project you created in steps above.
The
GOOGLE_APPLICATION_CREDENTIALS
environment variable must not be set in order for your
application default credentials to be used by client libraries.
To create application default credentials for your local environment:
gcloud auth application-default login gcloud auth application-default set-quota-project PROJECT_ID
Authentication with service accounts
Service accounts are another authentication option that should only be used in secured environments like production or staging. A service account provides credentials for applications, as opposed to end-users. Service accounts are owned by projects, and you can create many service accounts for a project. For more information, see:
- The service account overview
- Service account best practices
- Create and manage service accounts
- Create and manage service account keys
- Authenticating with service account keys
Access control with roles
When a principal (user account, service account, and so on) calls an API, Google Cloud requires that the principal has the appropriate permissions. You can grant permissions by granting roles to a principal. For more information, see the role overview.
If you have created your project with your user account, your user account has the Owner basic role for the project. This role provides access to call any API for the project. However, if a different account created the project, you may need to have roles granted to your user account before you can call the API.
Install the Vision API client library
You have three options for calling the Vision API:
- Google supported client libraries (recommended)
- REST
- gRPC
The client libraries are available for several popular languages. For information about installing the client libraries, see Vision API client libraries.
Cleanup
After setup and trying or testing Vision, you may want to delete resources you created:
- You may want to shutdown your project.
-
If you called
gcloud auth login
, this stores credentials in your user directory on your computer. You may want to delete these credentials by calling:gcloud auth revoke
-
If you called
gcloud auth application-default login
, this stores credentials in your user directory on your computer. You may want to delete these credentials by calling:gcloud auth application-default revoke