Using Signed URLs

Cloud CDN signed URLs enable you to serve responses from Google Cloud Platform's globally distributed caches, even when you need requests to be authorized.

Before you begin

Before you use signed URLs, ensure that Cloud CDN is enabled. For instructions, see Google Cloud CDN Documentation. You can configure signed URLs on a backend before enabling Cloud CDN, but there will be no effect until Cloud CDN is enabled.

If necessary, update to the latest version of Cloud SDK:

gcloud components update

For an overview of private content and URL signing, refer to Private content and signed URLs.

Configuring signed URL keys

Creating keys for your signed URLs requires several steps, which are described below.

Creating keys

You enable support for Cloud CDN signed URLs by creating one or more keys on a Cloud CDN-enabled backend service, backend bucket, or both.

For each backend service or backend bucket, you can create and delete signed URL keys as your security needs dictate. Each backend can have up to three (3) keys configured at a time. We suggest periodically rotating your keys by deleting the oldest, then adding a new key and using that when signing URLs. You can use the same key name in multiple backend services and backend buckets, because each set of keys is independent of the others. Key names can be up to 63 characters. Use the characters A-Z, a-z, 0-9, _ (underscore), and - (hyphen) to name your keys.

When you create keys, be sure to keep them secure, because anyone who has one of your keys can create signed URLs that Cloud CDN accepts until the key is deleted from Cloud CDN. The keys are stored on the computer where you generate the signed URLs. Cloud CDN also stores the keys to verify request signatures.

To keep the keys secret, the key values are not included in responses to any API requests. If you lose a key, you must create a new one.


To create keys using the Console:

  1. Go to the Cloud CDN page in the Google Cloud Console.
    Go to the Cloud CDN page
  2. Click Add Origin.
  3. Select an HTTP(S) load balancer as the origin.
  4. Decide which backend services and/or backend buckets should support signed URLs. For each one:
    1. Click Configure and then click Add signing key.
    2. Under Name, give the new signing key a name.
    3. Under Key creation method, elect Automatically generate or Let me enter.
    4. If you are entering your own key, type the key into the text field.
    5. Click Done.
    6. Under Cache entry maximum age, provide a value, and select a Unit of time from the drop-down list. You can choose among second, minute, hour, and day. The maximum amount of time is three (3) days.
  5. Click Save.
  6. Click Add.


The gcloud command line tool reads signed URL keys from a local file that you specify. The key file must be created by generating strongly random 128 bits, encoding them with base64, then replacing the character + with - and replacing the character / with _. For more information, see RFC 4648. It is vital that the key is strongly random. On a UNIX-like system, you can generate a strongly random key and store it in the key file with the following command:

head -c 16 /dev/urandom | base64 | tr +/ -_ > [KEY_FILE_NAME]

To add the key to a backend service or backend bucket:

gcloud compute backend-services \
   add-signed-url-key [BACKEND_NAME] \
   --key-name [KEY_NAME] \
   --key-file [KEY_FILE_NAME]
gcloud compute backend-buckets \
  add-signed-url-key [BACKEND_NAME] \
  --key-name [KEY_NAME] \
  --key-file [KEY_FILE_NAME]

Configuring Google Cloud Storage permissions

If you use Google Cloud Storage and you have restricted who can read the objects, you must give Cloud CDN permission to read the objects by adding the Cloud CDN service account to Cloud Storage's ACLs.

You don't need to create the service account. The service account is created automatically the first time you add a signed URL key to a backend bucket in a project.

Use the following command, where [PROJECT_NUM] is your project number and [BUCKET] is your storage bucket.

Run the command after you add at least one signed URL key to a backend bucket in your project. Otherwise, the command fails with an error because the Cloud CDN cache fill service account is not created until you add one or more signed URL keys for the project.

gsutil iam ch \ \

The Cloud CDN service account,, doesn't appear in the list of service accounts in your project. This is because the Cloud CDN service account is owned by Cloud CDN, not your project.

For more information on project numbers, read Locate the project ID and project number in the Cloud Platform Console Help documentation.

Configuring Google Compute Engine VM instances

Your VMs should validate the signatures on every signed request they serve, and should be prepared to accept or reject unsigned requests. Cloud CDN does not block requests without a Signature query parameter, and your project may be configured to allow requests that bypass the backend service configured above.

When your application detects an invalid signature, make sure that your application responds with an HTTP 403 (Unauthorized) response code. HTTP 403 response codes aren't cacheable. If your application sends a cacheable response code, valid future requests might be incorrectly rejected.

Optionally customizing the maximum cache time

Cloud CDN caches signed URL responses regardless of the backend’s Cache-Control header. The maximum time they can be cached without revalidation is set by the signed URL cache maximum age flag, which defaults to 1 hour and can be modified as shown here.

To set the maximum cache time for a backend service or backend bucket:

gcloud compute backend-services update [BACKEND_NAME]
  --signed-url-cache-max-age [max-age]
gcloud compute backend-buckets update [BACKEND_NAME]
  --signed-url-cache-max-age [max-age]

Listing key names

To list the keys on a backend service or backend bucket, use these commands.

gcloud compute backend-services describe [BACKEND_NAME]
gcloud compute backend-buckets describe [BACKEND_NAME]

Deleting keys

When URLs signed by a particular key should no longer be honored, delete that key from the backend service or backend bucket.

gcloud compute backend-services \
   delete-signed-url-key [BACKEND_NAME] --key-name [KEY_NAME]
gcloud compute backend-buckets \
   delete-signed-url-key [BACKEND_NAME] --key-name [KEY_NAME]

Signing URLs

The last step is to sign URLs and distribute them. You can sign URLs with the gcloud compute sign-url command or with code you write yourself, following the examples below. If you need a large number of signed URLs, custom code provides better performance.

Creating signed URLs

Use these instructions to create signed URLs.

This step assumes that you have already created the keys.


You cannot create signed URLs using the Console. You can use the gcloud command-line tool or write custom code, following the examples below.


The gcloud command line tool includes a command for signing URLs. The command implements the algorithm described in the section on writing your own code.

gcloud compute sign-url \
  --key-name [KEY_NAME] \
  --key-file [KEY_FILE_NAME] \
  --expires-in [TIME_UNTIL_EXPIRATION] \
  [--validate] \

This command reads and decodes the base64url encoded key value from [KEY_FILE_NAME], then outputs a signed URL that you can use for GET or HEAD requests for the given URL.

For example:

gcloud compute sign-url \
  --key-name my-test-key \
  --expires-in 30m \
  --key-file sign-url-key-file \

The URL must be a valid URL that has a path component. For example, is invalid, but and are both valid URLs.

If the optional --validate flag is given, this command sends a HEAD request with the resulting URL, and prints out the HTTP response code. If the signed URL is correct, the response code is the same as the result code sent by your backend. If the response code isn't the same, recheck [KEY_NAME] and the contents of the specified file, and make sure that the value of [TIME_UNTIL_EXPIRATION] is at least several seconds. If --validate is not given, neither the inputs nor the generated URL are verified.

If the --validate flag is not given, the generated signed URL is not verified.

Programmatically creating signed URLs

The code samples below demonstrate how to programmatically create signed URLs.


// SignURL creates a signed URL for an endpoint on Cloud CDN. url must start
// with "https://" and should not have the "Expires", "KeyName", or "Signature"
// query parameters. key should be in raw form (not base64url-encoded) which is
// 16-bytes long. keyName should be added to the backend service or bucket.
func SignURL(url, keyName string, key []byte, expiration time.Time) string {
	sep := "?"
	if strings.Contains(url, "?") {
		sep = "&"
	url += sep
	url += fmt.Sprintf("Expires=%d", expiration.Unix())
	url += fmt.Sprintf("&KeyName=%s", keyName)

	mac := hmac.New(sha1.New, key)
	sig := base64.URLEncoding.EncodeToString(mac.Sum(nil))
	url += fmt.Sprintf("&Signature=%s", sig)
	return url

// readKeyFile reads the base64url-encoded key file and decodes it.
func readKeyFile(path string) ([]byte, error) {
	b, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("failed to read key file: %+v", err)
	d := make([]byte, base64.URLEncoding.DecodedLen(len(b)))
	n, err := base64.URLEncoding.Decode(d, b)
	if err != nil {
		return nil, fmt.Errorf("failed to base64url decode: %+v", err)
	return d[:n], nil

func main() {
	key, err := readKeyFile("/path/to/key")
	if err != nil {
	url := SignURL("", "MY-KEY", key, time.Now().Add(time.Hour*24))


def signed_url url:, key_name:, key:, expiration:
  # url        = "URL of the endpoint served by Cloud CDN"
  # key_name   = "Name of the signing key added to the Google Cloud Storage bucket or service"
  # key        = "Signing key as urlsafe base64 encoded string"
  # expiration = Ruby Time object with expiration time

  require "base64"
  require "openssl"
  require "time"

  # Decode the URL safe base64 encode key
  decoded_key = Base64.urlsafe_decode64 key

  # Get UTC time in seconds
  expiration_utc = expiration.utc.to_i

  # Determine which separator makes sense given a URL
  separator = "?"
  separator = "&" if url.include? "?"

  # Concatenate url with expected query parameters Expires and KeyName
  url = "#{url}#{separator}Expires=#{expiration_utc}&KeyName=#{key_name}"

  # Sign the url using the key and url safe base64 encode the signature
  signature         = OpenSSL::HMAC.digest "SHA1", decoded_key, url
  encoded_signature = Base64.urlsafe_encode64 signature

  # Concatenate the URL and encoded signature
  signed_url = "#{url}&Signature=#{encoded_signature}"


        /// <summary>
        /// Creates signed URL for Google Cloud SDN
        /// More details about order of operations is here: 
        /// <see cref=""/>
        /// </summary>
        /// <param name="url">The Url to sign. This URL can't include Expires and KeyName query parameters in it</param>
        /// <param name="keyName">The name of the key used to sign the URL</param>
        /// <param name="encodedKey">The key used to sign the Url</param>
        /// <param name="expirationTime">Expiration time of the signature</param>
        /// <returns>Signed Url that is valid until {expirationTime}</returns>
        public static string CreateSignedUrl(string url, string keyName, string encodedKey, DateTime expirationTime)
            var builder = new UriBuilder(url);

            long unixTimestampExpiration = ToUnixTime(expirationTime);

            char queryParam = string.IsNullOrEmpty(builder.Query) ? '?' : '&';
            builder.Query += $"{queryParam}Expires={unixTimestampExpiration}&KeyName={keyName}".ToString();

            // Key is passed as base64url encoded
            byte[] decodedKey = Base64UrlDecode(encodedKey);

            // Computes HMAC SHA-1 hash of the URL using the key
            byte[] hash = ComputeHash(decodedKey, builder.Uri.AbsoluteUri);
            string encodedHash = Base64UrlEncode(hash);

            builder.Query += $"&Signature={encodedHash}";
            return builder.Uri.AbsoluteUri;

        private static long ToUnixTime(DateTime date)
            var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            return Convert.ToInt64((date - epoch).TotalSeconds);

        private static byte[] Base64UrlDecode(string arg)
            string s = arg;
            s = s.Replace('-', '+'); // 62nd char of encoding
            s = s.Replace('_', '/'); // 63rd char of encoding

            return Convert.FromBase64String(s); // Standard base64 decoder

        private static string Base64UrlEncode(byte[] inputBytes)
            var output = Convert.ToBase64String(inputBytes);

            output = output.Replace('+', '-')      // 62nd char of encoding
                           .Replace('/', '_');     // 63rd char of encoding

            return output;

        private static byte[] ComputeHash(byte[] secretKey, string signatureString)
            var enc = Encoding.ASCII;
            using (HMACSHA1 hmac = new HMACSHA1(secretKey))

                byte[] buffer = enc.GetBytes(signatureString);

                return hmac.ComputeHash(buffer);


 * Creates a signed URL for a Cloud CDN endpoint with the given key
 * URL must start with http:// or https://, and must contain a forward
 * slash (/) after the hostname.
 * @param url the Cloud CDN endpoint to sign
 * @param key url signing key uploaded to the backend service/bucket, as a 16-byte array
 * @param keyName the name of the signing key added to the back end bucket or service
 * @param expirationTime the date that the signed URL expires
 * @return a properly formatted signed URL
 * @throws InvalidKeyException when there is an error generating the signature for the input key
 * @throws NoSuchAlgorithmException when HmacSHA1 algorithm is not available in the environment
public static String signUrl(String url,
                             byte[] key,
                             String keyName,
                             Date expirationTime)
        throws InvalidKeyException, NoSuchAlgorithmException {

  final long unixTime = expirationTime.getTime() / 1000;

  String urlToSign = url
                      + (url.contains("?") ? "&" : "?")
                      + "Expires=" + unixTime
                      + "&KeyName=" + keyName;

  String encoded = SignedUrls.getSignature(key, urlToSign);
  return urlToSign + "&Signature=" + encoded;

public static String getSignature(byte[] privateKey, String input)
    throws InvalidKeyException, NoSuchAlgorithmException {

  final String algorithm = "HmacSHA1";
  final int offset = 0;
  Key key = new SecretKeySpec(privateKey, offset, privateKey.length, algorithm);
  Mac mac = Mac.getInstance(algorithm);
  return  Base64.getUrlEncoder().encodeToString(mac.doFinal(input.getBytes()));


def sign_url(url, key_name, base64_key, expiration_time):
    """Gets the Signed URL string for the specified URL and configuration.

        url: URL to sign as a string.
        key_name: name of the signing key as a string.
        base64_key: signing key as a base64 encoded string.
        expiration_time: expiration time as a UTC datetime object.

        Returns the Signed URL appended with the query parameters based on the
        specified configuration.
    stripped_url = url.strip()
    parsed_url = urllib.parse.urlsplit(stripped_url)
    query_params = urllib.parse.parse_qs(
        parsed_url.query, keep_blank_values=True)
    epoch = datetime.datetime.utcfromtimestamp(0)
    expiration_timestamp = int((expiration_time - epoch).total_seconds())
    decoded_key = base64.urlsafe_b64decode(base64_key)

    url_pattern = u'{url}{separator}Expires={expires}&KeyName={key_name}'

    url_to_sign = url_pattern.format(
            separator='&' if query_params else '?',

    digest =
        decoded_key, url_to_sign.encode('utf-8'), hashlib.sha1).digest()
    signature = base64.urlsafe_b64encode(digest).decode('utf-8')

    signed_url = u'{url}&Signature={signature}'.format(
            url=url_to_sign, signature=signature)



 * Decodes base64url (RFC4648 Section 5) string
 * @param string $input base64url encoded string
 * @return string
function base64url_decode($input)
    $input .= str_repeat('=', (4 - strlen($input) % 4) % 4);
    return base64_decode(strtr($input, '-_', '+/'));

* Encodes a string with base64url (RFC4648 Section 5)
* Keeps the '=' padding by default.
* @param string $input   String to be encoded
* @param bool   $padding Keep the '=' padding
* @return string
function base64url_encode($input, $padding = true)
    $output = strtr(base64_encode($input), '+/', '-_');
    return ($padding) ? $output : str_replace('=', '',  $output);

 * Creates signed URL for Google Cloud CDN
 * Details about order of operations:
 * Example function invocation (In production store the key safely with other secrets):
 *     <?php
 *     $base64UrlKey = 'wpLL7f4VB9RNe_WI0BBGmA=='; // head -c 16 /dev/urandom | base64 | tr +/ -_
 *     $signedUrl = sign_url('', 'my-key', $base64UrlKey, time() + 1800);
 *     echo $signedUrl;
 *     ?>
 * @param string $url             URL of the endpoint served by Cloud CDN
 * @param string $keyName         Name of the signing key added to the Google Cloud Storage bucket or service
 * @param string $base64UrlKey    Signing key as base64url (RFC4648 Section 5) encoded string
 * @param int    $expirationTime  Expiration time as a UNIX timestamp (GMT, e.g. time())
 * @return string
function sign_url($url, $keyName, $base64UrlKey, $expirationTime)
    // Decode the key
    $decodedKey = base64url_decode($base64UrlKey, true);

    // Determine which separator makes sense given a URL
    $separator = (strpos($url, '?') === false) ? '?' : '&';

    // Concatenate url with expected query parameters Expires and KeyName
    $url = "{$url}{$separator}Expires={$expirationTime}&KeyName={$keyName}";

    // Sign the url using the key and encode the signature using base64url
    $signature = hash_hmac('sha1', $url, $decodedKey, true);
    $encodedSignature = base64url_encode($signature);

    // Concatenate the URL and encoded signature
    return "{$url}&Signature={$encodedSignature}";

Algorithm for signing URLs

When you write your own code to generate signed URLs, your goal is to create URLs with the following format:[EXPIRATION]&KeyName=[KEY_NAME]&Signature=[SIGNATURE]

All URL parameters are case sensitive and must be in the order above.

  1. Ensure that the URL for signing does not have a Signature query parameter.

  2. Determine when the URL expires and append an Expires query parameter with the desired expiration time in UTC time (the number of seconds since 1970-01-01 00:00:00 UTC). To maximize security, set the value to the shortest time period possible for your use case. The longer a signed URL is valid, the bigger the risk that the user you give it to shares it with others, accidentally or otherwise.

  3. Set the key name. The URL must be signed with a signed URL key of the backend service or backend bucket that will serve the URL. It is best to use the most recently added signed URL key for key rotation. Add the signed URL key to the URL by appending &KeyName=[KEY_NAME], where [KEY_NAME] is the name of the chosen key created in Create keys.

  4. Sign the URL. Create the signed URL by following these steps. Make sure that the query parameters are in the order shown immediately before Step 1, and make sure that nothing in the signed URL changes case.

    a. Hash the entire URL (including http:// or https:// at the beginning and the `&KeyName... at the end) with HMAC-SHA1, using the secret key that corresponds to the key name chosen above. Use the raw 16-byte secret key, not the base64url encoded key. Decode it if needed.

    b. Base64url encode the result.

    c. Append &Signature= to the URL, followed by the encoded signature.

Removing public access to the Cloud Storage bucket

For signed URLs to properly protect content, it is important that the origin server not grant public access to that content. When using a Cloud Storage bucket, a common approach is to make objects public temporarily for testing purposes. After enabling signed URLs, it's important to remove the allUsers (and allAuthenticatedUsers, if applicable) READ permissions (in other words, the Storage Object Viewer IAM role) on the bucket.

After you disable public access on the bucket, individual users can still access Cloud Storage without signed URLs if they have access permission, such as OWNER permission.

To remove public allUsers READ access on a Cloud Storage bucket, reverse the action described in Making groups of objects publicly readable.

Distributing and using signed URLs

The URL returned from the gcloud command line tool or produced by your custom code can be distributed according to your needs. We recommend signing only HTTPS URLs, because HTTPS provides a secure transport that will prevent the Signature component of the signed URL from being intercepted. Similarly, you should distribute the signed URLs over secure transport protocols such as TLS/HTTPS.