service account role for production vision API

[Qua392]

Hi, first time here on GCP... 

I'm looking for the right role for my service account.

I've implemented a product that consumes Cloud Vision API  Object  Localization (client libraries). Following the get started guide, I've created a Service Account licensing json file with "owner" rights. Clearly and as mentioned  - it is not recommended for production environment. Reviewing the various options for roles (almost an endless list), I couldn't find even a single role that looked like what I need...

Can someone here recommends what should be the role for the case mentioned with minimum rights for my application only to consume (request and get results) the Cloud Vision API and nothing more?

Many thanks!

[Brendan Lundy]

Cloud Vision API itself doesn't require any roles on the service account.

If you are processing images in GCS, the service account will just need to have access to your GCS bucket.

[Qua392]

Hi Brendan thanks for replying. I'm actually using the API from outside the GCP, sending the image itself on each request. So you are saying I don't need at all any role? On the docs it mentions it as a mandatory action...

[Qua392]

Well, I just went a head and tried it - created a service account without assigning any role and it works as you just said. thanks. Don't know why google says otherwise on their docs.

Cheers.