gsutil signurl

Mon, Mar 15, 2021 2-minute read

Affiliate Dislaimer

Generating signed URLs with gsutil

Signed urls are a way to share time limited access to your google cloud storage files to anyone with the link, google account not required.

gsutil is the main google cloud sdk tool for interacting with cloud storage and it’s also the tool you use for generating signed urls.

Google doesnt offer a straightforward tutoral on setting url signing, so I decided to write a quick walkthrough


  1. Create bucket gsutil mb gs://[BUCKET_NAME]

  2. Copy a file to bucket

    echo "hello bucket!" > hello_world.txt
    gsutil cp hello_world.txt gs://[BUCKET_NAME]
  3. Get & Set PROJECT_ID environment variable

    export PROJECT_ID=$(gcloud config get-value project)
  4. Create service account

    gcloud iam service-accounts create signer-service-account
  5. Add policy binding

    gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:signer-service-account@${PROJECT_ID} --role=roles/viewer
  6. Create JSON key

    gcloud iam service-accounts keys create key.json –iam-account signr-service-account@${PROJECT_ID}
  7. Make sure dependencies are installed

    pip3 install pyopenssl # python 3
    pip install pyopenssl  # python 2
  8. Generate signed url

    gsutil signurl -d 10m key.json gs://[BUCKET_NAME]/hello_world.txt

Additional details & resources

You may want to modify the parameters of the gsutil command above.

Below is the help output for the command.

You may be interested in flags -d, -m, and -p.

  gsutil signurl [-c <content_type>] [-d <duration>] [-m <http_method>] \
      [-p <password>] [-r <region>] [-b <project>]  (-u | <private-key-file>) \
      (gs://<bucket_name> | gs://<bucket_name>/<object_name>)...

Official gsutil signurl docuentation can be found here

-- Enjoyed the post? Let me know!