Streamlit app authenticate with Google Cloud Document AI

Hi there I’ve built an app that uses Google’s Document AI https://cloud.google.com/document-ai

I can connect / authenticate with it locally, but when I deploy my app on Streamlit Cloud I get an “IAM_PERMISSION_DENIED” error.

I’ve read the Streamlit Secrets documentation (Secrets management - Streamlit Docs) but no help. I’ve granted IAM permission to the project on GC.

I think I have to modify my existing Google Document AI code to take into account the additional credentials created when the IAM permission was created, however, I’ve not found any examples.

If anyone has any ideas I would be very grateful.

Cheers

If you are encountering an “IAM_PERMISSION_DENIED” error when deploying your Streamlit app on Streamlit Cloud and using Google’s Document AI, it indicates that the service account or credentials used by your app do not have the necessary IAM permissions to access the Document AI API.

To resolve this issue, you can follow these steps:

  1. Ensure that you have created and downloaded the JSON key file for a service account with the appropriate IAM permissions. Make sure that the service account has the necessary roles assigned, such as the “Document AI Admin” or “Document AI Viewer” role.

  2. In your Streamlit app code, make sure you are using the correct path to load the JSON key file. For example, if you have placed the JSON key file in a folder named “secrets” in the root directory of your Streamlit app, you can load it using the following code snippet:

import streamlit as st
import os
import google.auth

# Load the JSON key file path
key_path = os.path.join("secrets", "your-key-file.json")

# Set the environment variable to point to the key file
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = key_path

# Authenticate using the key file
credentials, project_id = google.auth.default()

Make sure to update the your-key-file.json placeholder with the actual filename of your JSON key file.

  3. If you are using Streamlit Secrets to manage secrets, you can still use it to store the path to your JSON key file and retrieve it in your app code. Make sure that the path is correctly stored as a secret in Streamlit Secrets, and then retrieve it using st.secrets:

import streamlit as st
import os
import google.auth

# Retrieve the JSON key file path from Streamlit Secrets
key_path = st.secrets["google_key_path"]

# Set the environment variable to point to the key file
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = key_path

# Authenticate using the key file
credentials, project_id = google.auth.default()

Make sure to update "google_key_path" with the name you used to store the secret in Streamlit Secrets.

  4. Confirm that the service account associated with the JSON key file has the necessary IAM permissions granted at the project level in Google Cloud. Check if it has the required roles and permissions to access the Document AI API.

By following these steps, you should be able to authenticate your Streamlit app with the correct credentials and resolve the “IAM_PERMISSION_DENIED” error.

1 Like

Hi Shraavani thank you so much for your reply :raised_hands:. I have been able to get my deployed app working because of your suggestions :heart::rocket::heart_eyes:.

The major difference was I had the incorrect IAM permission set on my service account - I set it as “Document AI Admin” - however, your clear concise explanation and examples were also a major help.

I wasn’t sure how to connect to the credentials once I entered them in the st App settings/Secrets, so I used the following code:

import streamlit as st
from google.cloud import documentai
from google.oauth2 import service_account

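# Build credentials from the service-account fields stored in Streamlit Secrets
credentials = service_account.Credentials.from_service_account_info(
    st.secrets["gcs_connections"]
)

# Pass the credentials explicitly instead of relying on the environment
client = documentai.DocumentProcessorServiceClient(credentials=credentials)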

where “gcs_connections” is the TOML section for the GCS auth credentials in Secrets https://docs.streamlit.io/streamlit-community-cloud/get-started/deploy-an-app/connect-to-data-sources/secrets-management

Thank you so much once again :hugs:

Cheers

2 Likes
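
A pre-flight check for the secrets section that the last post passes to `from_service_account_info`, as an added example that is not code from this thread, Streamlit or Google. The function name `check_service_account_info` and the sample values are constructed for illustration; the field names assume the standard service-account key JSON layout.

```python
# Added example: validate a service-account section from Streamlit secrets
# before building credentials, without ever echoing secret values.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"


def check_service_account_info(info):
    """Return a list of problems; messages name fields but never their values."""
    problems = []
    missing = [f for f in REQUIRED_FIELDS if not str(info.get(f, "")).strip()]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if info.get("type") not in (None, "", "service_account"):
        problems.append("type is not 'service_account'")
    key = str(info.get("private_key", "")).strip()
    if "\\n" in key:
        # Typical when the key was pasted into a TOML literal (single-quoted) string.
        problems.append("private_key contains literal backslash-n instead of newlines")
    elif key and not (key.startswith(PEM_HEADER) and key.endswith(PEM_FOOTER)):
        problems.append("private_key is not a complete PEM block")
    email = str(info.get("client_email", ""))
    if email and not email.endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


# Constructed sample (not a real key), shaped like dict(st.secrets["gcs_connections"]).
SAMPLE_OK = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": PEM_HEADER + "\nCONSTRUCTED-PLACEHOLDER\n" + PEM_FOOTER + "\n",
    "client_email": "docai-app@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}
# Same section, but with the newlines left as the two characters backslash and n.
SAMPLE_ESCAPED = dict(SAMPLE_OK,
                      private_key=SAMPLE_OK["private_key"].replace("\n", "\\n"))

if __name__ == "__main__":
    for name, info in (("ok", SAMPLE_OK), ("escaped", SAMPLE_ESCAPED)):
        print(name, check_service_account_info(info) or "no problems found")
```

In an app, run the check on `dict(st.secrets["gcs_connections"])` and stop with the returned messages before constructing the client, so a malformed secret fails with a clear reason rather than an opaque authentication error.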
