How to Use Signed URL in Google Cloud Storage

Use signed URLs in Google Cloud Storage to grant temporary access to private files without requiring the recipient to authenticate. Generate a signed URL with a set expiration time using the Google Cloud SDK or client libraries, then share the URL to allow time-limited downloads or uploads. Anyone who holds the URL can use it until it expires, so share it only with the intended recipient.

Syntax

A signed URL in Google Cloud Storage is created by specifying the HTTP method (GET, PUT, etc.), the bucket and object name, and an expiration time. The URL includes a signature that authorizes access until the expiration.

  • HTTP method: The action allowed (e.g., GET for download).
  • Bucket and object: The storage location and file name.
  • Expiration: Time when the URL stops working.
  • Signature: A cryptographic token proving permission.
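```python
from datetime import timedelta

from google.cloud import storage


def generate_signed_url(bucket_name, blob_name, expiration_minutes=15):
    """Return a V4 signed URL that allows GET on one object until it expires."""
    # The client's credentials must be able to sign (e.g. a service account key)
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    blob = bucket.blob(blob_name)

    url = blob.generate_signed_url(
        version='v4',
        expiration=timedelta(minutes=expiration_minutes),  # lifetime of the URL
        method='GET'  # only this HTTP method is authorized by the signature
    )
    return url
```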

Example

This example shows how to generate a signed URL for downloading a file from a Google Cloud Storage bucket. The URL will be valid for 15 minutes.

```python
from datetime import timedelta

from google.cloud import storage

# Replace with your bucket and file name
bucket_name = 'my-bucket'
blob_name = 'example.txt'

storage_client = storage.Client()
bucket = storage_client.bucket(bucket_name)
blob = bucket.blob(blob_name)

# Sign a download (GET) URL that stops working after 15 minutes
url = blob.generate_signed_url(
    version='v4',
    expiration=timedelta(minutes=15),
    method='GET'
)

print('Generated signed URL:')
print(url)
```
Output

```
Generated signed URL:
https://storage.googleapis.com/my-bucket/example.txt?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=...&X-Goog-Date=...&X-Goog-Expires=900&X-Goog-SignedHeaders=host&X-Goog-Signature=...
```
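The query parameters in the output above can be checked before a URL is shared or when one turns up in logs. The following is an added example, not part of the original page: it parses a V4 signed URL offline and reports the signer, the expiry time and any policy findings. The function name `inspect_signed_url`, the one-hour policy default and the sample URL are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_V4_LIFETIME = timedelta(days=7)  # V4 signed URLs are limited to 7 days

REQUIRED = ("X-Goog-Algorithm", "X-Goog-Credential", "X-Goog-Date",
            "X-Goog-Expires", "X-Goog-SignedHeaders", "X-Goog-Signature")


def inspect_signed_url(url, now=None, max_lifetime=timedelta(hours=1)):
    """Parse a path-style V4 signed URL and list findings (hypothetical helper)."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [name for name in REQUIRED if name not in query]
    if missing:
        raise ValueError(f"not a V4 signed URL, missing: {missing}")

    # Path-style URL as in the output above: /<bucket>/<object>
    bucket, _, obj = parts.path.lstrip("/").partition("/")
    # Credential scope: <signer email>/<YYYYMMDD>/<location>/storage/goog4_request
    signer = query["X-Goog-Credential"].split("/")[0]
    issued = datetime.strptime(query["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(query["X-Goog-Expires"]))
    expires = issued + lifetime

    findings = []
    if lifetime > MAX_V4_LIFETIME:
        findings.append("lifetime exceeds the 7-day V4 maximum")
    elif lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
    if now >= expires:
        findings.append("expired")
    return {"bucket": bucket, "object": obj, "signer": signer,
            "expires": expires, "findings": findings}


# Constructed sample: placeholder signer and signature, not real credentials
SAMPLE = ("https://storage.googleapis.com/my-bucket/example.txt"
          "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
          "&X-Goog-Credential=signer%40example-project.iam.gserviceaccount.com"
          "%2F20240101%2Fauto%2Fstorage%2Fgoog4_request"
          "&X-Goog-Date=20240101T120000Z&X-Goog-Expires=900"
          "&X-Goog-SignedHeaders=host&X-Goog-Signature=00ff")

if __name__ == "__main__":
    print(inspect_signed_url(SAMPLE))
```

The check reads only the URL's own parameters; it does not verify the signature, which only Cloud Storage does when the URL is used.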

Common Pitfalls

  • Not setting the correct HTTP method for the intended operation (e.g., using GET for upload).
  • Using expired URLs, either by setting too short an expiration or by reusing old URLs.
  • Not having proper permissions on the service account used to generate the signed URL.
  • Confusing signed URLs with public URLs; signed URLs provide temporary access only.
```python
from datetime import timedelta

from google.cloud import storage

# Same bucket and object as in the previous example
storage_client = storage.Client()
blob = storage_client.bucket('my-bucket').blob('example.txt')

# Wrong: Using GET method for uploading
url_wrong = blob.generate_signed_url(
    version='v4',
    expiration=timedelta(minutes=15),
    method='GET'  # Should be 'PUT' for upload
)

# Correct: Use PUT method for uploading
url_right = blob.generate_signed_url(
    version='v4',
    expiration=timedelta(minutes=15),
    method='PUT'
)
```

Quick Reference

Remember these key points when using signed URLs:

  • Use generate_signed_url with version='v4' for the latest signing method.
  • Set the expiration to control how long the URL is valid.
  • Choose the correct method matching your use case (GET for download, PUT for upload).
  • Ensure your service account has roles/storage.objectViewer or roles/storage.objectAdmin as needed.

Key Takeaways

  • Signed URLs grant temporary, secure access to private Cloud Storage objects without requiring user authentication.
  • Always specify the correct HTTP method and expiration time when generating signed URLs.
  • Use the latest V4 signing method for better security and compatibility.
  • Ensure your service account has the right permissions to generate signed URLs.
  • Expired signed URLs will no longer grant access, so manage expiration carefully.