Request for new functionality
Description
Problem you have encountered
When using Document AI within a VPC Service Controls (VPC-SC) perimeter, requests to preview document thumbnails are blocked. These requests originate from the user's browser but are made using the identity of the Document AI service agent, which isn't typically whitelisted within the perimeter's security settings.
What you expected to happen
We expected thumbnail preview requests to be made under the user's identity, not the service agent's. This would allow the requests to be evaluated against the user's permissions within the VPC-SC perimeter, providing consistent security control and auditing.
Steps to reproduce
Other information (workarounds you have tried, documentation consulted, etc)
Workarounds attempted
Whitelisting the Document AI service agent's IP addresses within the VPC-SC perimeter. This is a suboptimal solution as it requires granting broader access to the service agent than is ideally necessary.
Documentation consulted
Google Cloud documentation on VPC Service Controls and Document AI. However, the documentation doesn't explicitly address this specific issue of thumbnail requests and identity management.
Additional findings
Proposed solution
We propose that Document AI be enhanced to allow for user impersonation for thumbnail requests. This would enable the requests to be made under the user's identity, providing a more secure and auditable solution that aligns with the intended purpose of VPC-SC perimeters.