Skip to content

Lab to demonstrate how to create presigned URLs for secure access to objects in Cloud Storage

License

Notifications You must be signed in to change notification settings

lrakai/google-cloud-storage-signed-urls

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 

Repository files navigation

google-cloud-storage-signed-urls

Lab to demonstrate how to create signed URLs for granting anyone with the URL access to objects in Cloud Storage.

Final Environment

Getting Started

  1. Ensure the Following APIs are enabled (enable with gcloud services enable [service]):

    • iam.googleapis.com
    • storage-component.googleapis.com
  2. Ensure the default Google APIs service account (used by deployment manager) has permission to create roles:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com  \
    --role roles/iam.roleAdmin

    You can use gcloud list projects to get the project ID and number.

  3. Deploy the deployment manager config in the infrastructure directory:

    gcloud deployment-manager deployments create lab --config infrastructure/deployment.yaml
  4. Bind the Lab role to the student user or group

    • In macOS/Linux:

      member="[GROUP_OR_USER]"
      project_id=$(gcloud config list --format 'value(core.project)')
      role=$(gcloud iam roles list --project $project_id \
                                   --filter "name:projects/$project_id/roles/studentrole*" \
                                   --format "value(name)")
      gcloud projects add-iam-policy-binding $project_id \
      --member $member  \
      --role $role
    • In Windows (PowerShell):

      $member = "[GROUP_OR_USER]"
      $project_id = gcloud config list --format 'value(core.project)'
      $role = gcloud iam roles list --project $project_id `
                                    --filter "name:projects/$project_id/roles/studentrole*" `
                                    --format "value(name)"
      gcloud projects add-iam-policy-binding $project_id `
      --member $member  `
      --role $role

    An example of [GROUP_OR_USER] is user:student@gmail.com.

Following Along

  1. Start a Google Cloud Shell session.

  2. Create a key for the pre-created storage account:

    sa_email=$(gcloud iam service-accounts list --format='value(email)' | grep storage-signer) # service account email (ID)
    gcloud iam service-accounts keys create --iam-account $sa_email key.json
  3. Upload a file to the pre-created bucket:

    curl -L https://github.com/cloudacademy/gcp-lab-artifacts/raw/master/gcs/ca.png -o ca.png
    bucket=$(gsutil ls -b | sed 's/\/$//') # bucket with trailing slash removed
    gsutil cp ca.png $bucket
  4. Install the Python OpenSSL library (required for signing URLs):

    pip install pyopenssl --user
  5. Grant the service account read access to the object:

    gsutil acl ch -u $sa_email:READ $bucket/ca.png
  6. Create a signed URL to access the object for five minutes:

    gsutil signurl -d 5m key.json $bucket/ca.png

Tearing Down

When finished, remove the GCP resources with:

  • In macOS/Linux:

    bucket=$(gsutil ls -b gs://ca-lab-bucket-*)
    gsutil rm -r $bucket
    gcloud projects remove-iam-policy-binding $project_id \
        --member $member  \
        --role $role
    gcloud deployment-manager deployments delete -q lab
  • In Windows (PowerShell):

    $bucket = gsutil ls -b gs://ca-lab-bucket-*
    gsutil rm -r $bucket
    gcloud projects remove-iam-policy-binding $project_id `
        --member $member  `
        --role $role
    gcloud deployment-manager deployments delete -q lab

About

Lab to demonstrate how to create presigned URLs for secure access to objects in Cloud Storage

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages