Google Appengine signed or temp URLs for images served from Google Blobstore

Question

I'm serving images from the blob store using ImagesService.getServingUrl(ServingUrlOptions options): https://cloud.google.com/appengine/docs/java/javadoc/com/google/appengine/api/images/ImagesService#getServingUrl-com.google.appengine.api.images.ServingUrlOptions-

Is there a way to sign these URLs to control the access to them? (Same as in Google Storage: https://cloud.google.com/storage/docs/access-control?hl=en#Signed-URLs)

Is there a way to make these URLs temporary?

I'm going to create these URLs on the fly from the blob store for users with permissions to view them.

Thanks!

Answer 1

You can use the corresponding deleteServingURL when you want to revoke access. From the docs:

If you wish to stop serving the URL, delete it using the deleteServingUrl() method.

Also:

Whether you store your images in Blobstore or Google Cloud Storage, the right way to stop an image from being publicly accessible through the serving URL is to call the deleteServingUrl() method.

This does require additional bookkeeping to determine when to delete the URL and a periodic task that does the deletion, so it is not ideal. But it seems like the only way.

You may want to consider whether this is necessary in the first place. Since the URL is not guessable, if you control who can get the URL in the first place, you are controlling access to the image. Why make it temporary when you have already restricted access to it?