I have a frustrating issue with the Google Cloud Translate API.
I correctly set up the restriction of the key to some domains, including *.example.com/ * (without the blank space at the end).
I launch the script on the URL https://www.example.com/translate and I get the following message:
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
        "domain": "googleapis.com",
When I remove the restriction, everything works, but I need the restriction to avoid misuse/abuse.
Furthermore, I use this same API key for other Google App APIs (Maps, Auth, etc.) and it works perfectly from this domain...
So weird.
Do you have any ideas or any ways to better investigate this issue? How can I know the referrer Google sees? (or any external service)
Thanks a lot!!
Edit:
PHP code:
    require_once(APPPATH . "libraries/GoogleTranslate/vendor/autoload.php");
    require_once(APPPATH . "libraries/GoogleTranslate/vendor/google/cloud-translate/src/V2/TranslateClient.php");

    // Import the class (at file top level) so the unqualified name below resolves.
    use Google\Cloud\Translate\V2\TranslateClient;

    // Authenticate with the (referrer-restricted) API key.
    $translate = new TranslateClient([
        'key' => 'xXXXx'
    ]);

    // Translate text from English to French.
    $result = $translate->translate('Hello world!', [
        'target' => 'fr'
    ]);
    echo $result['text'];
Full error message:
Type: Google\Cloud\Core\Exception\ServiceException
Message:
    {
      "error": {
        "code": 403,
        "message": "Requests from referer \u003cempty\u003e are blocked.",
        "errors": [
          {
            "message": "Requests from referer \u003cempty\u003e are blocked.",
            "domain": "global",
            "reason": "forbidden"
          }
        ],
        "status": "PERMISSION_DENIED",
        "details": [
          {
            "@type": "type.googleapis.com/google.rpc.ErrorInfo",
            "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
            "domain": "googleapis.com",
            "metadata": {
              "service": "translate.googleapis.com",
              "consumer": "projects/XXXXX"
            }
          }
        ]
      }
    }
Filename: htdocs/application/libraries/GoogleTranslate/vendor/google/cloud-core/src/RequestWrapper.php
Line Number: 368
I will leave here my insights discussed on the Public Issue Tracker.
The HTTP restriction is working as intended, but the referer is always empty because this is not set by default. However, it can be added manually, so instead of doing:
    $translate = new TranslateClient([
        'key' => 'XXX'
    ]);

You need to specify the referrer:

    $translate = new TranslateClient([
        'key' => '[API_KEY]',
        'restOptions' => [
            'headers' => [
                'referer' => '*.[URL].com/*'
            ]
        ]
    ]);
You have to take into account that this type of request can be sent from any computer (if you have the key), since you’re not restricting the domain where the request is made, only checking who the referrer is (and you can set it manually). Moreover, API clients that run in a web browser expose their API keys publicly; that’s why I recommend that you use service accounts instead. For more information: adding application restrictions.
Regarding the HTTP referer, this is basically a header field that web browsers set to let the web page know where the user is coming from. For example, if you click the above link (HTTP referer), your referer field will be this page.
In summary, since you can put whatever referer in the header of a request, this is pretty similar to not having any type of restriction. Indeed, it’s recommended to use service accounts. To solve this issue easily, add the referer manually in the headers as shown in the code above.
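To check which referer a server actually receives, as the question asks, the following added example (not part of the original question or answer) starts a throwaway echo server on 127.0.0.1 and reports the Referer header that a non-browser HTTP client sent. The names RefererEcho and referer_seen_by_server are made up for this sketch, and it is written in Python rather than PHP so that it runs on its own with only the standard library.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RefererEcho(BaseHTTPRequestHandler):
    """Replies with the Referer header exactly as the server received it."""

    def do_GET(self):
        seen = self.headers.get("Referer")
        # Same marker the API error above uses when the header is missing.
        body = (seen if seen else "<empty>").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo output quiet


def referer_seen_by_server(referer=None):
    """Send one GET to a throwaway local echo server and return the Referer
    value that arrived there, or "<empty>" if the client sent none."""
    server = HTTPServer(("127.0.0.1", 0), RefererEcho)  # port 0 = any free port
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    try:
        headers = {"Referer": referer} if referer else {}
        conn.request("GET", "/translate", headers=headers)
        return conn.getresponse().read().decode()
    finally:
        conn.close()
        worker.join(timeout=5)
        server.server_close()


if __name__ == "__main__":
    # A server-side HTTP client is not a browser: nothing fills in Referer.
    print("no header set ->", referer_seen_by_server())
    # The value is whatever the caller sends (constructed sample URL).
    print("header set    ->",
          referer_seen_by_server("https://www.example.com/translate"))
```

Because the server only ever sees the value the client chose to send, a referrer allow-list identifies well-behaved browsers and does not authenticate the caller.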