Cloud Vision setup and cleanup

This guide provides all required setup steps to start using Cloud Vision. It also provides advice for possible cleanup steps after trying or testing Cloud Vision.

About the Google Cloud Console

The Google Cloud Console (visit documentation, open console) is a web UI used to provision, configure, manage, and monitor systems that use Google Cloud products. You use the Google Cloud Console to set up and manage Vision resources.

Create a project

To use services provided by Google Cloud, you must create a project. A project organizes all your Google Cloud resources. A project consists of a set of collaborators, enabled APIs (and other resources), monitoring tools, billing information, and authentication and access controls. You can create one project, or you can create multiple projects and use them to organize your Google Cloud resources in a resource hierarchy. When creating a project, take note of the project ID. You will need this ID to make API calls. For more information on projects, see the Resource Manager documentation.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Enable billing

A billing account is used to define who pays for a given set of resources, and it can be linked to one or more projects. Project usage is charged to the linked billing account. In most cases, you configure billing when you create a project. For more information, see the Billing documentation.

Make sure that billing is enabled for your Google Cloud project.

Enable the API

You must enable the Vision API for your project. For more information on enabling APIs, see the Service Usage documentation.

Enable the Vision API.

Enable the API

Install and initialize the Google Cloud CLI

If you plan to use the Vision API, you need to install and initialize the Google Cloud CLI. The gcloud CLI is a set of tools that you can use to manage resources and applications hosted on Google Cloud.

The following link provides instructions:

Install the Google Cloud CLI, then initialize it by running the following command:

gcloud init

Set up authentication and access control

If you plan to use the Vision API, you need to set up authentication. Any client application that uses the API must be authenticated and granted access to the requested resources. This section describes important authentication concepts and provides steps for setting it up. For more information, see the Google Cloud authentication overview.

Authentication with user accounts

User accounts are the best authentication option when learning the Vision API and for local development. You can utilize your user account to authenticate for either REST command line executions or client library calls.

REST command line user account authentication

To authenticate for REST command line calls, you use the gcloud CLI. The gcloud auth login command logs you in to gcloud with your user account, which should be done before calling the API. The gcloud auth print-access-token command is used throughout the REST command line samples in this documentation to authenticate REST calls.

To create user credentials for your local environment:

gcloud auth login

Client library user account authentication

To authenticate for client library calls, you use the gcloud CLI. The gcloud auth application-default login command logs you in to gcloud for application default credentials with your user account, which should be done before calling the API. The gcloud auth application-default set-quota-project command must be used to set your project for billing and quotas related to API calls. Normally, this is the same project used by your agent, and you supply the project ID for the project you created in steps above.

The GOOGLE_APPLICATION_CREDENTIALS environment variable must not be set in order for your application default credentials to be used by client libraries.

To create application default credentials for your local environment:

gcloud auth application-default login
gcloud auth application-default set-quota-project PROJECT_ID

Authentication with service accounts

Service accounts are another authentication option that should only be used in secured environments like production or staging. A service account provides credentials for applications, as opposed to end-users. Service accounts are owned by projects, and you can create many service accounts for a project. For more information, see:

Access control with roles

When a principal (user account, service account, and so on) calls an API, Google Cloud requires that the principal has the appropriate permissions. You can grant permissions by granting roles to a principal. For more information, see the role overview.

If you have created your project with your user account, your user account has the Owner basic role for the project. This role provides access to call any API for the project. However, if a different account created the project, you may need to have roles granted to your user account before you can call the API.

Install the Vision API client library

You have three options for calling the Vision API:

The client libraries are available for several popular languages. For information about installing the client libraries, see Vision API client libraries.

Cleanup

After setup and trying or testing Vision, you may want to delete resources you created:

  • You may want to shutdown your project.
  • If you called gcloud auth login, this stores credentials in your user directory on your computer. You may want to delete these credentials by calling:
    gcloud auth revoke
  • If you called gcloud auth application-default login, this stores credentials in your user directory on your computer. You may want to delete these credentials by calling:
    gcloud auth application-default revoke