A1exandr Belan

Reputation: 4780

How to hide real URL with Google Cloud Storage?

Scenario: I place some files on Google web storage.

And I want only paid users to be able to download this file. So my question is, how to hide this file from paid users to prevent them from sharing this URL with other unpaid users.

So, is there a way to hide the real file location? Single-use or time-restricted URLs or any other?

Maybe hiding the URL is possible with other CDN providers - Microsoft Azure Storage or Amazon S3?

Upvotes: 2

Views: 3435

Answers (5)

Alex

Reputation: 855

Here's an alternative that truly hides the S3 URL. Instead of creating a query string authenticated URL that has a limited viability, this approach takes a user's request, authorizes the user, fetches the S3 data, and finally returns the data to the requestor.

The advantage of this approach is that the user has no way of knowing the S3 URL and cannot pass the URL along to anyone else, as is the case in the query string authenticated URL during its validity period. The disadvantages to this approach are: 1) there is an extra intermediary in the middle of the S3 "get", and 2) it's possible that extra bandwidth charges will be incurred, depending on where the S3 data physically resides.

public void streamContent( User requestor, String contentFilename, OutputStream outputStream ) throws Exception {

    // is the requestor entitled to this content?
    boolean isAuthorized = authorizeUser( requestor, contentFilename );

    if( isAuthorized ) {
        // credentials stay on the server; the client never sees the bucket or object URL
        AWSCredentials myCredentials = new BasicAWSCredentials( s3accessKey, s3secretKey );
        AmazonS3 s3  = new AmazonS3Client( myCredentials );
        S3Object object = s3.getObject( s3bucketName, contentFilename );
        // copy the object body from S3 into the response stream
        FileCopyUtils.copy( object.getObjectContent(), outputStream );
    }
}

Upvotes: 1

Navneet

Reputation: 141

You can use Signed URLs in Google Cloud Storage to do this: https://developers.google.com/storage/docs/accesscontrol#Signed-URLs

Upvotes: 2

Brian Reischl

Reputation: 7356

Azure Storage has the concept of a Shared Access Signature. It's basically the URL for a BLOB (file) with parameters that limit access. I believe it's nearly identical to the Amazon S3 query string authentication mentioned in Steffen Opel's answer.

Microsoft provides a .NET library for handling Shared Access Signatures. They also provide the documentation you would need to roll your own library.

Upvotes: 2

Steffen Opel

Reputation: 64741

Amazon S3 provides query string authentication (usually referred to as pre-signed URLs) for this purpose, see Using Query String Authentication:

Query string authentication is useful for giving HTTP or browser access to resources that would normally require authentication. The signature in the query string secures the request. Query string authentication requests require an expiration date. [...]

All AWS Software Development Kits (SDKs) provide support for this, here is an example using the GetPreSignedUrlRequest Class from the AWS SDK for .NET, generating a pre-signed URL expiring 42 minutes from now:

using (var s3Client = AWSClientFactory.CreateAmazonS3Client("AccessKey", "SecretKey"))
{
    GetPreSignedUrlRequest request = new GetPreSignedUrlRequest()
        .WithBucketName("BucketName")
        .WithKey("Key")
        .WithProtocol(Protocol.HTTP)
        .WithExpires(DateTime.Now.AddMinutes(42));

    string url = s3Client.GetPreSignedURL(request);
}

Upvotes: 2

Marc Cohen

Reputation: 3808

One way would be to create a Google Group containing only your paid users. Then, for the objects of interest, grant read permission to the group's email address (via the object's Access Control List). With that arrangement, only your paid members will be able to download these protected objects. If someone outside that group tries to access the URL, they'll get an access denied error.

After you set this up, you'll be able to control who can access your objects by editing your group membership, without needing to mess with object ACLs.

Upvotes: 1
