Signed URLs are URLs with query string authentication parameters that grant access to buckets and objects stored in Google Cloud Storage. Signed URLs grants access to Cloud Storage for a given amount of time. Anyone with the signed URL can access the objects until the signed URL expires. This is particularly useful for granting access to individuals outside of your organization.
In this Lab, you will learn the mechanics of creating signed URLs using the
gcloud CLI. You will also fully understand the capabilities and limitations of signed URLs.
Upon completion of this Lab you will be able to:
- Explain when signed URLs are the right choice among the alternatives for granting access to Google Cloud Storage object
- Understand the requirements for generating signed URLs
- Use signed URLs to grant access to Google Cloud Storage objects for a limited time
- Revoke access to Google Cloud Storage objects accessed via a signed URL
- Debug common issues related to creating signed URLs
Creating a Service Account Key using gcloud
To generate signed URLs to Cloud Storage objects, you must have a service account key. You can use an existing key or create one, as you will do in this Lab Step.
In GCP, service accounts are accounts used by applications or VMs rather than users. Applications can assume the identity of service accounts to perform authorized requests. Service account keys are used for authenticating requests. You will create a service account key in this Lab Step.
1. List the service accounts for the project:
gcloud iam service-accounts list
2. Create a Service account with name as “storage-singer”:
3. Give “storage admin” role to the newly created service account
gcloud projects add-iam-policy-binding secret-proton-312811 \ > --member="serviceAccount:firstname.lastname@example.org" \ > --role="roles/storage.admin"
4. Validate that “storage-singer” service account has Storage Admin role now:
5. Create a key for the service account:
sa_email=$(gcloud iam service-accounts list --format='value(email)' | grep iam) # service account email (ID) gcloud iam service-accounts keys create --iam-account $sa_email key.json
6. View the contents of the JSON key file:
The JSON properties include the project_id, private_key, client_email, among others. Everything needed to verify the identity of the service account.
Creating a Signed URL for Cloud Storage Objects
1. Create a Storage bucket called “signed-url-demo-bucket”:
gsutil mb gs://signed-url-demo-bucket
2. upload an image to cloud shell and then copy to storage bucket:
- Click on the 3 Dots next to the cloud shell icon and click on Upload:
- Select File and then click on “Choose Files“:
- I have selected an image from computer called “cloud_blogg.ipg” and uploaded it.
- Copy file to storage bucket:
gsutil cp cloud_blogg.jpg gs://signed-url-demo-bucket/
- Validate that the image has been copied to storage bucket:
3. Install the Python library for OpenSSL using the pip Python package manager( This package doesn’t come pre-installed with cloud shell):
sudo pip install pyopenssl
4. Also install python3-openssl package:
apt-get install python3-openssl
5. Now Create the signed url:
Run the command as below:
gsutil signurl -d 5m /home/rajeevgcp14/key.json $bucket/cloud_blogg.jpg
Note: here 5m means the url will be valid for 5 mins only.
6. Clicking on the url should display our image.
7. Try the url after 5 minutes. you should see something like below:
That concludes our Tutorial.