
Applying Signed URLs to Cloud Storage Objects

Hands-On Lab

 


Joseph Lowery

Google Cloud Training Architect II in Content

Length

00:30:00

Difficulty

Beginner


Introduction

By default, the contents of Cloud Storage buckets are not publicly available. You can, however, make an object or an entire bucket viewable by all. But sometimes neither of these approaches – totally blocking or totally allowing access – is the right one. Google Cloud offers a method for providing limited access to one or more individuals for a specified time: the signed URL. Anyone using the signed URL can access a secure bucket object for the predetermined period, regardless of whether they are in your organization or even have a Google account. In this hands-on lab, we’ll set up a bucket with an object that is not publicly available and then create the necessary structure – a service account with a private key – required to generate the signed URL.
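A signed URL carries, in its query string, everything a defender wants to know before sharing it or when one turns up in a log: the identity that signed it, the object it grants, and when it stops working. The script below is an added example, not part of the lab; it parses both URL styles Cloud Storage accepts (V2 with GoogleAccessId/Expires, V4 with X-Goog-Credential/X-Goog-Date/X-Goog-Expires) and reports expiry. The sample URLs are constructed, with placeholder signature values, and the V4 timestamp conversion relies on GNU `date -d`.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab: inspect a Cloud Storage signed URL
# before sharing it, or when one shows up in a log, to see which identity
# signed it, which object it grants, and when it stops working.
# Two URL styles are handled:
#   V2: ...?GoogleAccessId=<signer>&Expires=<unix seconds>&Signature=...
#   V4: ...?X-Goog-Credential=<signer>%2F<date>%2F...&X-Goog-Date=<ts>&X-Goog-Expires=<secs>&...
set -eu

# Print the value of one query parameter of a URL (empty if absent).
query_param() {                       # $1 = URL, $2 = parameter name
  printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the bucket/object path the URL points at.
signed_url_object() {                 # $1 = URL
  local path
  path="${1#https://storage.googleapis.com/}"
  printf '%s\n' "${path%%\?*}"
}

# Print the identity that signed the URL (service account e-mail or HMAC access id).
signed_url_signer() {                 # $1 = URL
  local signer
  signer=$(query_param "$1" GoogleAccessId)                          # V2
  [ -n "$signer" ] || signer=$(query_param "$1" X-Goog-Credential)   # V4
  # V4 credentials look like <signer>%2F<date>%2Fauto%2Fstorage%2Fgoog4_request
  printf '%s\n' "$signer" | sed 's/%2F.*$//; s/%40/@/g'
}

# Print the Unix time at which the URL stops working.
signed_url_expiry() {                 # $1 = URL
  local exp ts secs iso start
  exp=$(query_param "$1" Expires)                  # V2 carries the deadline directly
  if [ -z "$exp" ]; then                           # V4: start time + lifetime
    ts=$(query_param "$1" X-Goog-Date)             # e.g. 20231114T221320Z
    secs=$(query_param "$1" X-Goog-Expires)
    iso=$(printf '%s\n' "$ts" | sed 's/^\(....\)\(..\)\(..\)T\(..\)\(..\)\(..\)Z$/\1-\2-\3 \4:\5:\6/')
    start=$(date -u -d "$iso" +%s)                 # GNU date
    exp=$((start + secs))
  fi
  printf '%s\n' "$exp"
}

# Print a short report; exit status is non-zero once the URL has expired.
signed_url_report() {                 # $1 = URL
  local exp now
  exp=$(signed_url_expiry "$1")
  now=$(date -u +%s)
  printf 'object : %s\nsigner : %s\nexpires: %s (unix %s)\n' \
    "$(signed_url_object "$1")" "$(signed_url_signer "$1")" \
    "$(date -u -d "@$exp" 2>/dev/null || echo '?')" "$exp"
  [ "$exp" -gt "$now" ]
}

# Constructed sample URLs; the signature values are placeholders, not real signatures.
SAMPLE_V2='https://storage.googleapis.com/my-bucket/restricted-logo.png?GoogleAccessId=la-service-account%40my-project.iam.gserviceaccount.com&Expires=1700000000&Signature=PLACEHOLDER'
SAMPLE_V4='https://storage.googleapis.com/my-bucket/restricted-logo.png?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=la-service-account%40my-project.iam.gserviceaccount.com%2F20231114%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20231114T221320Z&X-Goog-Expires=600&X-Goog-SignedHeaders=host&X-Goog-Signature=PLACEHOLDER'

# Demo: both samples are dated 14 Nov 2023, so both report as already expired.
for url in "$SAMPLE_V2" "$SAMPLE_V4"; do
  signed_url_report "$url" || echo '-> already expired; generate a fresh URL'
done
```

The report deliberately does not verify the signature: only Cloud Storage holds the means to do that, and a URL that parses cleanly but was signed with a revoked key will simply be refused by the service. What the inspection does give you is the signer, so you can confirm the URL came from the service account you expect, and the deadline, so you know how long the exposure lasts if the URL leaks.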

Logging In to the Environment

  1. On the lab instructions page, right-click the Open GCP Console button.
  2. From the dropdown, select the option to open the link in a private browser window. (Note: Different browsers have different names for a private browser window. In Chrome, choose Open Link in Incognito Window; in Firefox, click Open Link in New Private Window; other browsers use similar wording.)
  3. On the Google sign-in page, enter the unique username you were provided on the lab instructions page. Click Next.
  4. Enter the unique password you were provided on the lab instructions page. Click Next.
  5. On the Welcome to your new account page, click Accept.
  6. In the Welcome L.A.! menu, check the box under Terms of service.
  7. Choose your country of residence, then click AGREE AND CONTINUE.

Create a Cloud Storage Bucket and Copy the File to It

  1. From the Google Cloud Platform dashboard, click the navigation menu at the top left of the page.
  2. In the dropdown, select Storage > Browser.
  3. Click the Cloud Shell icon at the top right of the page.
  4. Click START CLOUD SHELL.
  5. Run the following command to create a new bucket:
    gsutil mb -c regional -l us-east1 gs://[BUCKET_NAME]

    (Note: The bucket name must be globally unique across Cloud Storage.)

  6. Clone the GitHub repository.
    git clone https://github.com/linuxacademy/content-gcpro-security-engineer
  7. Change to the content-gcpro-security-engineer/signed-url-lab directory.
    cd content-gcpro-security-engineer/signed-url-lab
  8. List the contents of the current directory.
    ls
  9. Refresh the page of the GCP console to verify that the new bucket was created.
  10. Copy the restricted-logo.png file to the bucket.
    gsutil cp restricted-logo.png gs://[BUCKET_NAME]
  11. In the GCP console, click the name of the bucket to open it and verify that the file was successfully copied into it.

Create a Service Account and Key

  1. In the Cloud Shell, run the following command to establish a variable:
    export PROJECT_ID=[YOUR_PROJECT_ID]
  2. Create a new service account.
    gcloud iam service-accounts create la-service-account --display-name "LA Service Account"
  3. Establish the appropriate permissions for the service account.
    gcloud projects add-iam-policy-binding ${PROJECT_ID} --member serviceAccount:la-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role roles/viewer
  4. Create a JSON key for authentication.
    gcloud iam service-accounts keys create key.json --iam-account la-service-account@${PROJECT_ID}.iam.gserviceaccount.com

Generate a Signed URL

  1. In the Cloud Shell, install the pyopenssl library.
    sudo pip install pyopenssl
  2. Generate a signed URL.
    gsutil signurl -d 10m key.json gs://[BUCKET_NAME]/restricted-logo.png
  3. Test the URL by clicking the generated link.
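The three Cloud Shell sections above form one procedure. The script below is an added example, not the lab's own script, that collects those steps into one re-runnable file. It assumes PROJECT_ID and BUCKET_NAME are supplied through the environment (placeholders otherwise), keeps the service-account key file owner-only, and adds a pure helper that converts the duration gsutil's -d option accepts (10m, 2h, 1d, or a bare number of hours) into seconds and rejects anything over the seven-day cap Cloud Storage places on V4 signed URLs. Nothing touches Google unless the script is invoked with the "run" argument.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own script: the lab's Cloud Shell steps as
# one re-runnable script. PROJECT_ID and BUCKET_NAME are placeholders taken
# from the environment; the bucket name must be globally unique.
set -eu

PROJECT_ID="${PROJECT_ID:-YOUR_PROJECT_ID}"      # placeholder
BUCKET_NAME="${BUCKET_NAME:-YOUR_BUCKET_NAME}"   # placeholder, globally unique
SA_NAME="la-service-account"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
KEY_FILE="key.json"
DURATION="${DURATION:-10m}"                      # value for gsutil signurl -d
MAX_SECONDS=604800                               # Cloud Storage caps V4 signed URLs at 7 days

# Convert a gsutil-style duration (10m, 2h, 1d, or a bare number of hours)
# to seconds; fail on malformed input or anything over the 7-day cap.
duration_to_seconds() {                  # $1 = duration
  local n unit secs
  n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)[smhd]\{0,1\}$/\1/p')
  [ -n "$n" ] || return 1
  unit=$(printf '%s\n' "$1" | sed -n 's/^[0-9]*\([smhd]\)$/\1/p')
  case "$unit" in
    s)    secs=$n ;;
    m)    secs=$((n * 60)) ;;
    ''|h) secs=$((n * 3600)) ;;          # gsutil treats a bare number as hours
    d)    secs=$((n * 86400)) ;;
  esac
  [ "$secs" -le "$MAX_SECONDS" ] || return 1
  printf '%s\n' "$secs"
}

# "Create a Cloud Storage Bucket and Copy the File to It": bucket plus the restricted object.
create_bucket_and_object() {
  gsutil mb -c regional -l us-east1 "gs://${BUCKET_NAME}"
  gsutil cp restricted-logo.png "gs://${BUCKET_NAME}"
}

# "Create a Service Account and Key": the signing identity and its private key.
create_service_account() {
  gcloud iam service-accounts create "$SA_NAME" --display-name "LA Service Account"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${SA_EMAIL}" --role roles/viewer
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account "$SA_EMAIL"
  chmod 600 "$KEY_FILE"   # whoever holds this key can mint URLs for anything the account can read
}

# "Generate a Signed URL": validate the lifetime locally, then let gsutil sign.
generate_signed_url() {
  local secs
  secs=$(duration_to_seconds "$DURATION") || { echo "invalid duration: $DURATION" >&2; return 1; }
  echo "signing a URL valid for ${secs}s" >&2
  # gsutil signurl needs pyopenssl: sudo pip install pyopenssl (once, as in the lab)
  gsutil signurl -d "$DURATION" "$KEY_FILE" "gs://${BUCKET_NAME}/restricted-logo.png"
}

# Only the "run" argument touches the cloud; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
  create_bucket_and_object
  create_service_account
  generate_signed_url
fi
```

Run it as `PROJECT_ID=... BUCKET_NAME=... ./signed-url-lab.sh run` from the signed-url-lab directory. Keeping the duration check separate from the gsutil call means a typo such as `10mm` fails before any key is read, and the chmod on key.json is the one hardening step the lab's listing omits: the signed URL is only as trustworthy as that private key, so it should never be world-readable or committed alongside the repository.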

Conclusion

Congratulations, you've successfully completed this hands-on lab!