Skip to content

lrakai/google-cloud-storage-signed-urls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits

infrastructure

infrastructure

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

google-cloud-storage-signed-urls

Lab to demonstrate how to create signed URLs for granting anyone with the URL access to objects in Cloud Storage.

Final Environment

Getting Started

  1. Ensure the Following APIs are enabled (enable with gcloud services enable [service]):

    • iam.googleapis.com
    • storage-component.googleapis.com

  2. Ensure the default Google APIs service account (used by deployment manager) has permission to create roles:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com  \
--role roles/iam.roleAdmin

    You can use gcloud list projects to get the project ID and number.

  3. Deploy the deployment manager config in the infrastructure directory:

    gcloud deployment-manager deployments create lab --config infrastructure/deployment.yaml

  4. Bind the Lab role to the student user or group

    • In macOS/Linux:

      member="[GROUP_OR_USER]"
project_id=$(gcloud config list --format 'value(core.project)')
role=$(gcloud iam roles list --project $project_id \
                             --filter "name:projects/$project_id/roles/studentrole*" \
                             --format "value(name)")
gcloud projects add-iam-policy-binding $project_id \
--member $member  \
--role $role

    • In Windows (PowerShell):

      $member = "[GROUP_OR_USER]"
$project_id = gcloud config list --format 'value(core.project)'
$role = gcloud iam roles list --project $project_id `
                              --filter "name:projects/$project_id/roles/studentrole*" `
                              --format "value(name)"
gcloud projects add-iam-policy-binding $project_id `
--member $member  `
--role $role

    An example of [GROUP_OR_USER] is user:student@gmail.com.

Following Along

  1. Start a Google Cloud Shell session.

  2. Create a key for the pre-created storage account:

    sa_email=$(gcloud iam service-accounts list --format='value(email)' | grep storage-signer) # service account email (ID)
gcloud iam service-accounts keys create --iam-account $sa_email key.json

  3. Upload a file to the pre-created bucket:

    curl -L https://github.com/cloudacademy/gcp-lab-artifacts/raw/master/gcs/ca.png -o ca.png
bucket=$(gsutil ls -b | sed 's/\/$//') # bucket with trailing slash removed
gsutil cp ca.png $bucket

  4. Install the Python OpenSSL library (required for signing URLs):

    pip install pyopenssl --user

  5. Grant the service account read access to the object:

    gsutil acl ch -u $sa_email:READ $bucket/ca.png

  6. Create a signed URL to access the object for five minutes:

    gsutil signurl -d 5m key.json $bucket/ca.png

Tearing Down

When finished, remove the GCP resources with:

  • In macOS/Linux:

    bucket=$(gsutil ls -b gs://ca-lab-bucket-*)
gsutil rm -r $bucket
gcloud projects remove-iam-policy-binding $project_id \
    --member $member  \
    --role $role
gcloud deployment-manager deployments delete -q lab

  • In Windows (PowerShell):

    $bucket = gsutil ls -b gs://ca-lab-bucket-*
gsutil rm -r $bucket
gcloud projects remove-iam-policy-binding $project_id `
    --member $member  `
    --role $role
gcloud deployment-manager deployments delete -q lab

About

Lab to demonstrate how to create presigned URLs for secure access to objects in Cloud Storage

Topics

google-cloud-storage gcp gsutil signed-urls

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages