
Signed URLs for temporary access in GCP - Commands & Configuration

Introduction
Sometimes you want to let someone access a file in your cloud storage for a short time without giving them full permission. A signed URL solves this: it is a special link that works only for a limited time.
When you want to share a private file with a friend for just a few hours.
When your app needs to let users download files securely without making them public.
When you want to give temporary upload access to a storage bucket without opening it fully.
When you want to avoid managing user accounts but still control file access.
When you want to track who accessed a file by giving unique signed URLs.
Commands
This command logs you in using a service account that has permission to create signed URLs. You need this to generate the URL securely.
Terminal
gcloud auth activate-service-account signed-url-user@example-project.iam.gserviceaccount.com --key-file=service-account-key.json
Expected Output
Activated service account credentials for: [signed-url-user@example-project.iam.gserviceaccount.com]
--key-file - Specifies the JSON key file for the service account
This command creates a signed URL for the file 'my-file.txt' in the bucket 'example-bucket' that will work for 1 hour.
Terminal
gsutil signurl -d 1h service-account-key.json gs://example-bucket/my-file.txt
Expected Output
URL: https://storage.googleapis.com/example-bucket/my-file.txt?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=signed-url-user%40example-project.iam.gserviceaccount.com%2F20240601%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20240601T000000Z&X-Goog-Expires=3600&X-Goog-SignedHeaders=host&X-Goog-Signature=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890
-d - Sets how long the signed URL will be valid
This command uses the signed URL to download the file. It shows that the URL works and gives temporary access.
Terminal
curl "https://storage.googleapis.com/example-bucket/my-file.txt?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=signed-url-user%40example-project.iam.gserviceaccount.com%2F20240601%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20240601T000000Z&X-Goog-Expires=3600&X-Goog-SignedHeaders=host&X-Goog-Signature=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
Expected Output
This is the content of my-file.txt
Key Concept

If you remember nothing else from this pattern, remember: signed URLs let you share private files safely for a short time without changing permissions.

Common Mistakes
Using a signed URL after it has expired
The URL stops working after the set time, so access is denied.
Generate a new signed URL with a fresh expiration time when access is needed again.
Not using a service account with proper permissions to create signed URLs
The command to create signed URLs will fail due to lack of permission.
Use a service account with the 'roles/storage.objectViewer' or similar role to generate signed URLs.
Sharing the signed URL publicly for longer than intended
Anyone with the URL can access the file until it expires, risking unwanted access.
Keep signed URLs private and set short expiration times to limit exposure.
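Before sharing a signed URL, you can read the signer, issue time and lifetime straight out of its query string. The following is an added example, not part of the original page: inspect_signed_url and its max_lifetime policy limit are hypothetical names chosen here, and the sample is the URL from the gsutil output above with its placeholder signature.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_V4_LIFETIME = 604800  # V4 signed URLs cannot be valid for more than 7 days

# The URL printed by the gsutil signurl example on this page (placeholder signature).
SAMPLE_URL = (
    "https://storage.googleapis.com/example-bucket/my-file.txt"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=signed-url-user%40example-project.iam.gserviceaccount.com"
    "%2F20240601%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20240601T000000Z&X-Goog-Expires=3600&X-Goog-SignedHeaders=host"
    "&X-Goog-Signature=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890")

def inspect_signed_url(url, now=None, max_lifetime=3600):
    """Report signer, object, expiry and findings; max_lifetime is an assumed policy limit (s)."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}  # values are percent-decoded
    required = ("X-Goog-Algorithm", "X-Goog-Credential", "X-Goog-Date",
                "X-Goog-Expires", "X-Goog-Signature")
    missing = [k for k in required if k not in q]
    if missing:
        raise ValueError(f"not a V4 signed URL, missing {missing}")
    signer = q["X-Goog-Credential"].split("/")[0]  # service account that signed the URL
    issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    lifetime = int(q["X-Goog-Expires"])
    expires = issued + timedelta(seconds=lifetime)
    findings = []
    if parts.scheme != "https":
        findings.append("URL is not HTTPS; the signature travels in clear text")
    if lifetime > MAX_V4_LIFETIME:
        findings.append("lifetime exceeds the 7-day V4 maximum")
    elif lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime}s exceeds policy limit {max_lifetime}s")
    if now >= expires:
        findings.append("URL has already expired")
    return {"signer": signer, "object": parts.path.lstrip("/"),
            "issued": issued, "expires": expires,
            "seconds_left": max(0, int((expires - now).total_seconds())),
            "findings": findings}

if __name__ == "__main__":
    report = inspect_signed_url(SAMPLE_URL, now=datetime(2024, 6, 1, 0, 30, tzinfo=timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check only reads the parameters; it does not verify the signature, which Cloud Storage does when the URL is used.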
Summary
Activate a service account with permission to create signed URLs.
Use the gsutil signurl command to generate a temporary URL for a file.
Use the signed URL to access the file securely for the limited time.