gsutil signurl

Mon, Mar 15, 2021 2-minute read


Generating signed URLs with gsutil

Signed URLs are a way to share time-limited access to your Google Cloud Storage files with anyone who has the link; no Google account is required.

gsutil is the main Google Cloud SDK tool for interacting with Cloud Storage, and it's also the tool you use to generate signed URLs.

Google doesn't offer a straightforward tutorial on setting up URL signing, so I decided to write a quick walkthrough.

Walkthrough

  1. Create bucket

    gsutil mb gs://[BUCKET_NAME]

  2. Copy a file to bucket

    echo "hello bucket!" > hello_world.txt
    gsutil cp hello_world.txt gs://[BUCKET_NAME]
    
  3. Get & Set PROJECT_ID environment variable

    export PROJECT_ID=$(gcloud config get-value project)
    
  4. Create service account

    gcloud iam service-accounts create signer-service-account
    
  5. Add policy binding

    gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:signer-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/viewer
    
  6. Create JSON key

    gcloud iam service-accounts keys create key.json --iam-account signer-service-account@${PROJECT_ID}.iam.gserviceaccount.com
    
  7. Make sure dependencies are installed

    pip3 install pyopenssl # python 3
    pip install pyopenssl  # python 2
    
  8. Generate signed url

    gsutil signurl -d 10m key.json gs://[BUCKET_NAME]/hello_world.txt
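
Before sharing the link from step 8, it helps to confirm which service account signed it and exactly when it stops working. The following is an added example, not part of the original post: it assumes the URL uses the V4 signing query parameters (`x-goog-credential`, `x-goog-date`, `x-goog-expires`, `x-goog-signature`), and the sample URL, bucket and project names are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME_S = 604800  # V4 signed URLs are capped at 7 days
REQUIRED = ("x-goog-credential", "x-goog-date", "x-goog-expires", "x-goog-signature")

# Constructed sample: made-up bucket, project and truncated signature.
SAMPLE_URL = (
    "https://storage.googleapis.com/example-bucket/hello_world.txt"
    "?x-goog-signature=00ff&x-goog-algorithm=GOOG4-RSA-SHA256"
    "&x-goog-credential=signer-service-account%40example-project"
    ".iam.gserviceaccount.com%2F20210315%2Fus%2Fstorage%2Fgoog4_request"
    "&x-goog-date=20210315T120000Z&x-goog-expires=600"
    "&x-goog-signedheaders=host"
)


def inspect_signed_url(url, now=None):
    """Report who signed a V4 signed URL, for what, and until when."""
    parts = urlsplit(url)
    # parse_qs percent-decodes values; lower-case the names so both
    # x-goog-* and X-Goog-* spellings are accepted.
    q = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    missing = [k for k in REQUIRED if k not in q]
    if missing:
        raise ValueError("not a V4 signed URL, missing: " + ", ".join(missing))
    # Credential is "<signer email>/<date>/<region>/storage/goog4_request".
    signer, _, scope = q["x-goog-credential"].partition("/")
    issued = datetime.strptime(q["x-goog-date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    lifetime = int(q["x-goog-expires"])
    expires = issued + timedelta(seconds=lifetime)
    now = now or datetime.now(timezone.utc)
    return {
        "resource": parts.path,
        "signer": signer,
        "scope": scope,
        "signed_headers": q.get("x-goog-signedheaders", ""),
        "expires": expires,
        "lifetime_s": lifetime,
        "over_limit": lifetime > MAX_LIFETIME_S,
        "expired": now >= expires,
        "remaining_s": max(0, int((expires - now).total_seconds())),
    }


if __name__ == "__main__":
    for field, value in inspect_signed_url(SAMPLE_URL).items():
        print(f"{field}: {value}")
```

The signer field shows which service account key would have to be deleted to invalidate the link before it expires.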
    

Additional details & resources

You may want to modify the parameters of the gsutil command above.

Below is the help output for the command.

You may be interested in flags -d, -m, and -p.

  gsutil signurl [-c <content_type>] [-d <duration>] [-m <http_method>] \
      [-p <password>] [-r <region>] [-b <project>]  (-u | <private-key-file>) \
      (gs://<bucket_name> | gs://<bucket_name>/<object_name>)...

Official gsutil signurl documentation can be found here
