gsutil signurl
Generating signed URLs with gsutil
Signed URLs are a way to share time-limited access to your Google Cloud Storage files with anyone who has the link; no Google account is required.
gsutil is the main Google Cloud SDK tool for interacting with Cloud Storage, and it's also the tool you use for generating signed URLs.
Google doesn't offer a straightforward tutorial on setting up URL signing, so I decided to write a quick walkthrough.
Walkthrough
Create bucket
gsutil mb gs://[BUCKET_NAME]
Copy a file to bucket
echo "hello bucket!" > hello_world.txt
gsutil cp hello_world.txt gs://[BUCKET_NAME]
Get & Set PROJECT_ID environment variable
export PROJECT_ID=$(gcloud config get-value project)
Create service account
gcloud iam service-accounts create signer-service-account
Add policy binding
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:signer-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/viewer
Create JSON key
gcloud iam service-accounts keys create key.json --iam-account signer-service-account@${PROJECT_ID}.iam.gserviceaccount.com
Make sure dependencies are installed
pip3 install pyopenssl # python 3
pip install pyopenssl # python 2
Generate signed URL
gsutil signurl -d 10m key.json gs://[BUCKET_NAME]/hello_world.txt
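Before sharing a generated link, it helps to see what it discloses and when it stops working. The following is an added example, not part of the original post or of gsutil: it parses a signed URL and reports the signing service account, the object, and the expiry. It assumes the V4 query-string layout (x-goog-credential, x-goog-date, x-goog-expires and so on); the sample URL, bucket, project and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs, unquote

MAX_V4_LIFETIME = timedelta(days=7)  # upper bound for V4 signed URLs

# Constructed sample in the V4 query-string layout; the signature is a placeholder.
SAMPLE_URL = (
    "https://storage.googleapis.com/example-bucket/hello_world.txt"
    "?x-goog-signature=00ff"
    "&x-goog-algorithm=GOOG4-RSA-SHA256"
    "&x-goog-credential=signer-service-account%40example-project.iam.gserviceaccount.com"
    "%2F20240101%2Fus%2Fstorage%2Fgoog4_request"
    "&x-goog-date=20240101T120000Z"
    "&x-goog-expires=600"
    "&x-goog-signedheaders=host"
)


def inspect_signed_url(url):
    """Return who signed a V4 URL, what it covers and when it stops working."""
    parts = urlsplit(url)
    # Parameter names are matched case-insensitively (X-Goog-Date vs x-goog-date).
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    required = ("x-goog-algorithm", "x-goog-credential", "x-goog-date",
                "x-goog-expires", "x-goog-signedheaders", "x-goog-signature")
    missing = [name for name in required if name not in query]
    if missing:
        raise ValueError("not a V4 signed URL, missing: " + ", ".join(missing))
    # Credential scope: <signer email>/<date>/<location>/storage/goog4_request
    signer, _date, location, _service, _term = query["x-goog-credential"].split("/")
    issued = datetime.strptime(query["x-goog-date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(query["x-goog-expires"]))
    bucket, _, obj = unquote(parts.path).lstrip("/").partition("/")
    return {
        "signer": signer, "location": location, "bucket": bucket, "object": obj,
        "issued": issued, "expires_at": issued + lifetime, "lifetime": lifetime,
        "signed_headers": query["x-goog-signedheaders"].split(";"),
        "over_limit": lifetime > MAX_V4_LIFETIME,
    }


def is_expired(url, now=None):
    """True once the link's validity window has passed (UTC)."""
    now = now or datetime.now(timezone.utc)
    return now >= inspect_signed_url(url)["expires_at"]
```

Note that the signer's service account email and project ID are readable by anyone who receives the link, and the expiry is fixed at signing time by -d.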
Additional details & resources
You may want to modify the parameters of the gsutil command above.
Below is the help output for the command.
You may be interested in flags -d, -m, and -p.
gsutil signurl [-c <content_type>] [-d <duration>] [-m <http_method>] \
[-p <password>] [-r <region>] [-b <project>] (-u | <private-key-file>) \
(gs://<bucket_name> | gs://<bucket_name>/<object_name>)...
Official gsutil signurl documentation can be found here