Restrict Bucket Access to Certain Origin(s)

Question

I have a Google Cloud Storage bucket with images that I want to serve to users of my website. The public URL is something like this:

https://storage.googleapis.com/example-bucket/filename.jpg

So my website can easily access it, and any random internet user can enter the URL in a browser directly to access it.

Is it possible, via Google Cloud, to restrict this so that if my website tries to access the file, it succeeds, but if a random user tries to enter the URL into a browser window, they get denied?

Cloud Storage lets us set CORS policies, but they only apply for the XML API: https://cloud.google.com/storage/docs/cross-origin#server-side-support

Is it possible to restrict this via a Load Balancer, Cloud Armor, or Cloud CDN?

FYI, let's say my website is accessing it from the DOM directly, like this:

<html>
  <body>
    <img src="https://storage.googleapis.com/example-bucket/filename.jpg"></img>
  </body
</html>

Answer 1

Based on your use-case. Google Cloud Storage has no mechanism as of now to allow read but restrict download. Once the image/file has been set to public, any random user/website with the URL can read or download the file.

I would suggest:

1. Use another 3rd party app to render the documents as graphic/image inside the app which prevents any user from downloading.
2. You can change your use-case. Have a user sign-in to your website using their google account and configure using IAM permissions with ACLs which makes the Google Cloud Storage object only accessible if they are allowed to read and also authenticated.

You could also check this blog on how to control access to Google Cloud Storage.