Reputation: 128
Obtain temporary access to folder inside Google Storage bucket
I'm looking for way how to provide temporary access to "folder" inside Google Cloud Storage.
My problem: I have buckets with a lots of "folders" (I know that folder don't exists on GCS).
\Bucket
|-Folder1
\-File2.csv
|-File3.csv
|-File4.csv
|-Folder2
\-File5.csv
|-File6.csv
And I want to give users a temporary access (something with automatic expiration) for reading Bucket/Folder1/*, so user will be able to access whole directory "Folder1" and download all files inside this directory (File2.csv, File3.csv, File4.csv).
I found signedUrls https://cloud.google.com/storage/docs/gsutil/commands/signurl, but I did not found the way how to provide access for whole Folder1 directory.
I was able to run same scenario on AWS S3 with following policy:
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::name-of-a-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": "Folder1/*"
}
}
}
Is there any way how to provide temporary access for multiples files ?
Upvotes: 0
Views: 1487
Answers (2)
Reputation: 21
Using signed url, the way I got it was listing all the files and then generating the url
For example:
const options = {
prefix: 'foldeName',
};
const optionsBucket = {
version: 'v2',
action: 'read',
expires: Date.now() + 1000 * 60 * 9, // 9 minutes
};
const [files] = await storage.bucket('your-bucket-name').getFiles(options);
for (let nota of files) {
let fileName = nota.name;
const [url] = await storage
.bucket(bucketName)
.file(fileName)
.getSignedUrl(optionsBucket);
... continue your code
Upvotes: 0
Reputation: 154
You can specify many objects in your bucket by using the * wildcard. Using it while specifying the subdirectory you are targeting will identify all objects under it. For example, if you are trying to access objects in Folder1 in your Bucket, you would use:
gs://Bucket/Folder1/*
You will then access File2.csv, File3.csv and File4.csv.
To grant temporary access to your bucket objects by using signed URLs, you can use the -d flag to specify the duration of the availability of your objects with the following suffixes: - s for seconds - m for minutes - h for hours - d for days
Remember those details: - Not specifying the -d flag will set the duration to 1 hour. - Specifying no suffix sets the duration in hours. - 7 days is the maximum duration.
The following would create a signed URL for 2 hours:
gsutil signurl -d 2 <private-key-file> gs://some-bucket/some-object/
Where using -d 2h would have done the same thing.
The following would create a signed URL for 15 minutes:
gsutil signurl -d 15m <private-key-file> gs://some-bucket/some-object/
Finally, to grant access to all your object in Folder1 for downloading, use the following the objects available for 1 hour:
gsutil signurl <private-key-file> gs://Bucket/Folder1/*
Where adding -d 1 or -d 1h would have done the same thing.
The private key file is a JSON or P12 format file that gets created when you create your key. You should choose a location of your liking to store it, then replace with its path when running the command to create the signed URLs.
Upvotes: 1
Related Questions
- How to set access permissions of google cloud storage bucket folder
- any way to enable GCP service account access to specific folder in GCS bucket?
- How to access Google Cloud Storage bucket using aws-cli
- s3->GCS access denied error
- How can I access files from a Google Cloud Storage bucket from a browser?
- Unable to access file kept in google storage bucket path through python script
- Copy Files from S3 bucket to Google Cloud Storage
- Access private files from a google cloud storage bucket
- How do I browse the contents of a Google Cloud Storage bucket I don't own?
- Bucket URL access denied