pdoherty926

Reputation: 10349

Is it possible to make Cloud Storage objects visible to users authenticated via application?

As it stands, my web application allows end-users to upload images to Google Cloud Storage using signed URLs which are generated on the back-end.

I'd like to also make these objects visible to these users after they've been uploaded. The simplest solution I can imagine would be to allow read access using something like allAuthenticatedUsers but winnowed to only apply to users who've authenticated using my application. I haven't found a way to do this, but it seems like it would be a pretty obvious solution to what must be a common problem. If it's not possible, I'm guessing it's because Google makes no distinction about how this user became authenticated, just that they are.

The alternative solution that comes to mind is creating IAM member accounts for users after they log in for the first time and restricting access to only those accounts, but I'd like to take the path of least resistance.

Upvotes: 0

Views: 94

Answers (2)

Pawel Czuczwara

Reputation: 1520

You can check this example Python signed URL implementation, which follows these steps:

  1. Construct the canonical request with the path to the resource to sign.
  2. Create a hex-encoded hash value of the above request. You can use hashlib.
  3. Construct the string-to-sign, which includes the following elements:
     - SIGNING_ALGORITHM: This should be GOOG4-RSA-SHA256.
     - CURRENT_DATETIME: The current date and time, in the ISO 8601 basic format YYYYMMDD'T'HHMMSS'Z'.
     - CREDENTIAL_SCOPE: The credential scope of the request for signing the string-to-sign.
     - HASHED_CANONICAL_REQUEST: The hex-encoded, SHA-256 hash of the canonical request, which you created in the previous step.
  4. Sign the string-to-sign using an RSA signature with SHA-256, for example
  5. Construct the signed URL by using the following concatenation:
     https://storage.googleapis.com/ + PATH_TO_RESOURCE + "?" + CANONICAL_QUERY_STRING + "&X-Goog-Signature=" + REQUEST_SIGNATURE

Please check this python sample of implementation.

Upvotes: 1
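The five steps in the answer above, carried through as an added example (written for this page, not the answer's linked sample or Google's code). The bucket, object name, service-account e-mail, timestamp and expiry are constructed placeholders; the RSA step is delegated to a `sign` callable so the deterministic parts (canonical request, hash, string-to-sign, URL) can be exercised with any signer, and `rsa_sha256_signer` shows the real PKCS#1 v1.5 / SHA-256 signer built on the `cryptography` package. The expiry check enforces the 7-day (604800 s) maximum that V4 signed URLs allow, which is also the first thing to keep short when the URL is the only thing gating read access.

```python
"""Build a Google Cloud Storage V4 signed URL step by step.

Added example for this page. Bucket, object, account e-mail, timestamp and
key are constructed placeholders, not values from any real project.
"""
import datetime
import hashlib
from typing import Callable, Dict, Optional
from urllib.parse import quote

SIGNING_ALGORITHM = "GOOG4-RSA-SHA256"
HOST = "storage.googleapis.com"
MAX_EXPIRY_SECONDS = 7 * 24 * 3600  # V4 signed URLs may live at most 7 days

# Constructed demo inputs (assumptions, not real identifiers).
DEMO_BUCKET = "my-bucket"
DEMO_OBJECT = "uploads/cat photo.png"
DEMO_EMAIL = "svc@example-project.iam.gserviceaccount.com"
FIXED_NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def credential_scope(when: datetime.datetime) -> str:
    """Step 3, CREDENTIAL_SCOPE: date / region / service / request type."""
    return f"{when.strftime('%Y%m%d')}/auto/storage/goog4_request"


def canonical_query_string(params: Dict[str, str]) -> str:
    """Query parameters sorted by name, keys and values percent-encoded."""
    return "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )


def canonical_request(verb: str, path: str, query: str, headers: Dict[str, str]) -> str:
    """Step 1: verb, path, query, canonical headers, blank line, signed headers, payload."""
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    # For a bare URL the body is not covered by the signature.
    return "\n".join([verb, path, query, canonical_headers, signed_headers, "UNSIGNED-PAYLOAD"])


def hash_canonical_request(request: str) -> str:
    """Step 2: hex-encoded SHA-256 of the canonical request."""
    return hashlib.sha256(request.encode("utf-8")).hexdigest()


def string_to_sign(when: datetime.datetime, scope: str, hashed_request: str) -> str:
    """Step 3: algorithm, basic-format timestamp, credential scope, hashed request."""
    return "\n".join([SIGNING_ALGORITHM, when.strftime("%Y%m%dT%H%M%SZ"), scope, hashed_request])


def generate_signed_url(bucket: str, object_name: str, client_email: str,
                        sign: Callable[[bytes], bytes], expires_seconds: int = 600,
                        now: Optional[datetime.datetime] = None, verb: str = "GET") -> str:
    """Steps 1-5 combined. `sign` must return the raw RSA-SHA256 signature bytes."""
    if not 1 <= expires_seconds <= MAX_EXPIRY_SECONDS:
        raise ValueError("expiry must be between 1 second and 7 days")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    scope = credential_scope(now)
    path = f"/{bucket}/{quote(object_name, safe='/~')}"
    headers = {"host": HOST}  # only the host header is signed here
    query = canonical_query_string({
        "X-Goog-Algorithm": SIGNING_ALGORITHM,
        "X-Goog-Credential": f"{client_email}/{scope}",
        "X-Goog-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Goog-Expires": str(expires_seconds),
        "X-Goog-SignedHeaders": ";".join(sorted(headers)),
    })
    request = canonical_request(verb, path, query, headers)
    sts = string_to_sign(now, scope, hash_canonical_request(request))
    signature = sign(sts.encode("utf-8")).hex()  # Step 4, hex-encoded
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={signature}"  # Step 5


def rsa_sha256_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Step 4: PKCS#1 v1.5 RSA-SHA256 signer over a service-account private key.

    Uses the `cryptography` package, imported lazily so the URL-building
    functions above work without it.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Demo with a freshly generated throwaway key (never use a generated key
    # in production; the key must be the one Google holds the public half of).
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    demo_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = demo_key.private_bytes(serialization.Encoding.PEM,
                                 serialization.PrivateFormat.PKCS8,
                                 serialization.NoEncryption())
    print(generate_signed_url(DEMO_BUCKET, DEMO_OBJECT, DEMO_EMAIL,
                              rsa_sha256_signer(pem), now=FIXED_NOW))
```

Note that the URL only proves the bearer obtained it from your back-end; it says nothing about who they are once issued, so the back-end authorization check that decides whether to hand the URL out, together with a short `X-Goog-Expires`, is what ties object visibility to your application's notion of an authenticated user.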

Andrei Tigau

Reputation: 2048

In the case you are using App Engine you can use the App Engine App Identity service. In this way your users will be able to access the data using the App Engine service account credentials. More information about configuring this can be found here.

If this is not the case for you, creating an IAM service account would be the single option I can see. You can do it programmatically using the Identity and Access Management (IAM) API. You can also create a Google group and add only invited users to the group. Then, you can give the group members the role storage.objectViewer.

Upvotes: 1
