
Signed URLs
Signed URLs are a mechanism for query string authentication for buckets and objects. They provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account.
Why use a signed URL? Sometimes it is necessary to control the access of users who do not have a Google account. To grant these users access to Google Cloud Storage, we can provide them with a signed URL, which gives the user read, write, or delete access to that resource for a limited period of time. Anyone holding the URL can access the resource until the URL expires.
There are two ways to create a signed URL:
- Creating signed URLs with gsutil
- Creating signed URLs with a program
The easiest way to create a signed URL is to use the gsutil signurl command. To do this, you first need to generate a private key or use an existing private key. To create a private key, you first have to create an OAuth client ID for a service account.
To create a new private key visit: https://console.cloud.Google.com/apis/credentials?project=packt-gcp
Follow the instructions and download the file. Two formats are available:
- JSON: Required if you are using application default credentials in a production environment outside of Google Cloud Platform
- PKCS12: Supported by many different programming languages and libraries
You can now create a signed URL for one of your files with gsutil via the following command:
gsutil signurl -d 10m -m GET Desktop/privatekey1.json gs://packt-gcp/file1.csv
Remember, signed URLs do not work on directories. If you want to give access to multiple files you can use wildcards as follows:
gsutil signurl -d 10m -m GET Desktop/privatekey1.json gs://packt-gcp/img/*.png
This generates one signed URL per .png file in the img/ folder.
Signed URLs can also be used to upload files (-m PUT and POST), and the content type can be specified with -c text/plain or -c image/jpg.
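Because anyone holding a signed URL can use it until it expires, it is worth checking what a URL actually grants before handing it out. The following added example (not code from the original text) reads the signer and the validity window, such as the 10 minutes requested with -d 10m, back out of the query string. The X-Goog-* and GoogleAccessId/Expires/Signature parameter names come from the Cloud Storage V4 and V2 signing formats rather than from this page; the sample URL, the signer address and the max_lifetime policy limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the V4 query-string layout; the signature is a dummy value.
SAMPLE_URL = (
    "https://storage.googleapis.com/packt-gcp/file1.csv"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=signer%40example-project.iam.gserviceaccount.com"
    "%2F20240101%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20240101T120000Z&X-Goog-Expires=600"
    "&X-Goog-SignedHeaders=host&X-Goog-Signature=00ff"
)


def inspect_signed_url(url, now=None, max_lifetime=timedelta(minutes=15)):
    """Report signer, validity window and policy findings for a signed URL.

    max_lifetime is a hypothetical local policy limit, not a Cloud Storage setting.
    The authorized HTTP method is covered by the signature and is not visible here.
    """
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if "X-Goog-Signature" in q:  # V4: issue time plus lifetime in seconds
        issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(q["X-Goog-Expires"]))
        expires = issued + lifetime
        signer = q["X-Goog-Credential"].split("/", 1)[0]
        if lifetime > max_lifetime:
            findings.append("lifetime exceeds policy limit")
    elif "Signature" in q and "Expires" in q:  # V2: absolute Unix expiry only
        issued = lifetime = None
        expires = datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
        signer = q.get("GoogleAccessId")
        if expires - now > max_lifetime:
            findings.append("remaining validity exceeds policy limit")
    else:
        raise ValueError("no signed-URL query parameters found")
    if parts.scheme != "https":
        findings.append("URL is not HTTPS; the bearer token travels in clear text")
    return {"resource": parts.path, "signer": signer, "issued": issued,
            "expires": expires, "lifetime": lifetime,
            "expired": now >= expires, "findings": findings}


if __name__ == "__main__":
    print(inspect_signed_url(SAMPLE_URL))
```
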