My issue
I am using the Google Speech API to transcribe text from audio files. I am using Python and have a existing solution, that is working as expected. However, when I run the same code with the exact same configuration from a Docker container, I get a 403 Permission error.
The concrete error is displayed below. However, as it is working from outside Docker, I feel pretty sure, that this is not a role/permission issue with the service account. Although, I am not sure what "resource" is in this case.
api-1 | grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
api-1 | status = StatusCode.PERMISSION_DENIED
api-1 | details = "Permission 'speech.recognizers.recognize' denied on resource (or it may not exist)."
api-1 | debug_error_string = "UNKNOWN:Error received from peer ipv4:142.250.186.74:443 {grpc_message:"Permission \'speech.recognizers.recognize\' denied on resource (or it may not exist).", grpc_status:7, created_time:"2024-02-22T22:48:19.993472495+00:00"}"
<and a bit further down>
api-1 | google.api_core.exceptions.PermissionDenied: 403 Permission 'speech.recognizers.recognize' denied on resource (or it may not
exist). [reason: "IAM_PERMISSION_DENIED"
api-1 | domain: "iam.googleapis.com"
api-1 | metadata {
api-1 | key: "permission"
api-1 | value: "speech.recognizers.recognize"
api-1 | }
Some observations and thoughts
- I use a service account and a downloaded json-key.
- The code runs from behind an NGINX reverse proxy in the same Docker setup.
- My Python code makes other requests to external services with no issues.
- Running in Docker from my local machine and from my DigitalOcean gives the same error.
My questions
- Has anyone else experienced this issue?
- Do I need to be aware of anything when calling Google from a Docker image?
- Can running from "behind" an NGINX have any influence on requests?
UPDATE [SOLVED]
I found the issue and the simple solution. As @DazWilkin mentions the service looks for the GOOGLE_APPLICATION_CREDENTIALS environment variable, which was net setup correctly in my docker image. However, as a slight twist, I had another credentials file that I tried loading actively - but that, I found, had no effect on the service. So the missing ENV VAR was the culprit.