jlyh

Reputation: 701

Retrieving Google Cloud Storage images (non-public) from browser

I have some images in my Google Cloud Storage bucket and I would like to pass the image URLs to the front-end for displaying on a web application. However, I'm not quite sure how the authentication works. There seem to be 2 methods that seem feasible to me.

  1. Using curl: https://cloud.google.com/storage/docs/downloading-objects#download-object-json

    curl -X GET \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -o "[SAVE_TO_LOCATION]" \
      "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/o/[OBJECT_NAME]?alt=media"

However, I could not manage to generate a JWT token from my service key created in Google IAM. jsonwebtoken couldn't seem to parse my JSON file, and when I extracted the private_key portion into a PEM file, an error message was thrown: Error: error:0906D06C:PEM routines:PEM_read_bio:no start line

  2. Using signed-url: https://cloud.google.com/storage/docs/access-control/signed-urls

For this method, I'm not quite sure whether this is meant for my back-end server to pass a signed-url to the front-end for access, or whether it can be constructed on the front-end. Are there any security issues for doing so and are there any best practices?

Upvotes: 0

Views: 492

Answers (1)

arudzinska

Reputation: 3331

Signed URL is a good way to go. When it comes to constructing it either on the back- or frontend, you should definitely stick to the first one. Doing it in the frontend doesn't really make sense, because if you are able to generate the signed URL in the frontend it means that you already have access to the bucket, because this is the requirement (so why even bother to create the signed URL?). If you do it in the backend, you ensure the permissions to access the bucket are only there and you pass just the desired URL to the frontend.

Upvotes: 1
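
An added example (not part of the original answer, and not Google's client library code): the back-end signing step the answer recommends, written with Node's built-in crypto module following Google's documented V4 signing process. The function and parameter names are hypothetical, and a throwaway RSA key generated in-process stands in for the service account's private key, which never leaves the server.

```javascript
// Added example: V4 signed read URL built on the back end. Names are hypothetical.
const crypto = require('node:crypto');
const HOST = 'storage.googleapis.com';

// RFC 3986 percent-encoding; encodeURIComponent leaves !'()* unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// clientEmail and privateKey correspond to the client_email and private_key
// fields of the service account key JSON after JSON.parse (assumption of this example).
function signReadUrl({ bucket, object, clientEmail, privateKey, expiresSec = 300, now = new Date() }) {
  if (expiresSec < 1 || expiresSec > 604800) throw new RangeError('expiry must be 1 s to 7 days');
  const stamp = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // YYYYMMDDTHHMMSSZ
  const scope = `${stamp.slice(0, 8)}/auto/storage/goog4_request`;
  const path = `/${enc(bucket)}/${object.split('/').map(enc).join('/')}`;
  // Query parameters are listed in sorted order, as the canonical request requires.
  const query = [
    ['X-Goog-Algorithm', 'GOOG4-RSA-SHA256'],
    ['X-Goog-Credential', `${clientEmail}/${scope}`],
    ['X-Goog-Date', stamp],
    ['X-Goog-Expires', String(expiresSec)],
    ['X-Goog-SignedHeaders', 'host'],
  ].map(([k, v]) => `${enc(k)}=${enc(v)}`).join('&');
  // Verb, path, query, canonical headers, blank line, signed headers, payload marker.
  const canonical = ['GET', path, query, `host:${HOST}`, '', 'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const stringToSign = ['GOOG4-RSA-SHA256', stamp, scope,
    crypto.createHash('sha256').update(canonical).digest('hex')].join('\n');
  const signature = crypto.createSign('RSA-SHA256').update(stringToSign).sign(privateKey, 'hex');
  // Only `url` goes to the browser; stringToSign is returned so the demo can verify it.
  return { url: `https://${HOST}${path}?${query}&X-Goog-Signature=${signature}`, stringToSign };
}

// Constructed demo input: throwaway key pair, made-up bucket, object and signer e-mail.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const out = signReadUrl({
    bucket: 'example-bucket', object: 'photos/cat 1.png',
    clientEmail: 'signer@example-project.iam.gserviceaccount.com',
    privateKey, now: new Date('2024-01-02T03:04:05Z'),
  });
  const sig = new URL(out.url).searchParams.get('X-Goog-Signature');
  const valid = crypto.createVerify('RSA-SHA256').update(out.stringToSign).verify(publicKey, sig, 'hex');
  return { ...out, valid };
}
```

The default five-minute expiry keeps a leaked URL short-lived; the front end requests a fresh URL from the back end whenever it needs to display the image again.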
