Google Cloud Application Default Credentials Permission Denied - Quota Project not set as Default

Question

I'm using the Cloud Vision API for a project and I'm trying to build and run the quickstart example, but I am receiving the following error:

google::cloud::Status thrown: PERMISSION_DENIED: Error in non-idempotent operation: Your application is authenticating by using local Application Default Credentials. 
The vision.googleapis.com API requires a quota project, which is not set by default. 
To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds . 
error_info={reason=SERVICE_DISABLED, domain=googleapis.com, metadata={gcloud-cpp.retry.reason=non-idempotent, 
gcloud-cpp.retry.original-message=Your application is authenticating by using local Application Default Credentials. 
The vision.googleapis.com API requires a quota project, which is not set by default.
To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .,
consumer=projects/764086051850, gcloud-cpp.retry.function=BatchAnnotateImages, service=vision.googleapis.com}}

I ran gcloud auth applicataion-default set-quota-project [project-id] a couple of times, with multiple different proejcts, to no avail.

What's going on here?

Answer 1

This error message

Your application is authenticating by using local Application Default Credentials. The vision.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds ...

...is not true, but not completely unhelpful.

I got a similar error message when using identitytoolkit.googleapis.com , invoking the REST API directly, not through a library. Just using curl etc.

I had obtained my token from gcloud auth print-access-token , so the error message "Your application is authenticating by using local Application Default Credentials." was plainly incorrect .

and "The vision.googleapis.com API requires a quota project, which is not set by default." was also wrong. For me, same as with you, even after setting a quota project for ADC with the suggested step of

gcloud auth applicataion-default set-quota-project [project-id]

..it still gives the same error message. Good for you, for trying the same thing multiple times before surrendering. I did too. But really, we should know that it wouldn't work, because we weren't using ADC to begin with.

But it isn't completely unhelpful, because it's talking about billing.

The solution is described here, in the doc explaining how to troubleshoot ADCs

There are two kinds of Google Cloud APIs:

Resource-based APIs, which use the project associated with the resources being accessed for billing and quota.

Client-based APIs, which use the project associated with the account accessing the resources for billing and quota.

When you provide user credentials to authenticate to a client-based API, you must specify the project to use for billing and quota. This project is called the quota project.

There are a number of ways to specify a quota project, including the following options:

• Update ADC to use a different project as the quota project:
  gcloud auth application-default set-quota-project YOUR_PROJECT

• If you are calling the REST or RPC API directly, use the x-goog-user-project HTTP header to specify a quota project in each request. For details, see Set the quota project with a REST request.

Vision and identitytoolkit are client-billed APIs, and so if you are going to use the API directly, then you need to use the X-goog-user-project header.

WHY, you might ask, is a fact about invoking REST APIs that have special billing requirements, described ONLY in the doc page for troubleshooting ADCs" ? Diabolical I tell you. It's like telling people to read the documentation on your dishwasher to understand how to start your car.

tl;dr.
The error message is wrong. The doc is right, but is in the wrong place. it would be better if the error message just redirected to this stackoverflow thread.