Authenticated browser downloads with audit logging
Contributed by Google employees.
The code that accompanies this document provides an example means of serving images, documents, and other files stored in Cloud Storage while requiring the user to be authenticated with Google. This solution is useful because the Cloud Storage authenticated browser downloads feature does not currently work with internal logging.
- A web user makes a request to your file server.
- If the user is not authenticated, they are redirected to a Google login page by Identity-Aware Proxy.
- After authentication, the user's request is forwarded to App Engine.
- App Engine validates the request and retrieves the file from Cloud Storage.
- If a watermark or other transformation is required, it is processed.
- The file is then returned to the web user.
Requests from users who aren't authenticated or who aren't authorized to access the files don't reach App Engine. Requests that don't match an object in Cloud Storage return a 404 File not found error. Requests with no filename or with a missing filename extension receive a 400 Bad request error.
Deploying the code
- Download the code in this repository.
- app.yaml to identify the Cloud Storage bucket that holds the assets.
- Set up and configure the Cloud SDK, including the
- Deploy the application:
  gcloud app deploy
- Enable Identity-Aware Proxy for the App Engine app that you created.
- Lock down the permissions of the App Engine service account.
When your service is deployed, it is available at a URL similar to the following:
Filenames and paths requested from this host map to object addresses in Cloud Storage. For example, a request to
https://my-authenticated-fileserver.appspot.com/assets/heroimage.png maps to this object:
A request for a missing file returns a 404 File not found error.
The application deduces the MIME type based on the filename extension. Therefore, requests without a filename extension return a 400 Bad Request error. Ensure that all of the files that you want to serve have an appropriate filename
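The request handling described above (path-to-object mapping, the 400 and 404 responses, MIME type from the filename extension) together with one audit record per request, as an added Python example that is not the code from the repository. The in-memory FAKE_BUCKET, the function names and the log fields are assumptions made for illustration; X-Goog-Authenticated-User-Email is the header that Identity-Aware Proxy sets on the requests it forwards.

```python
import json
import mimetypes
import posixpath

# Constructed stand-in for the Cloud Storage bucket so the example runs offline.
FAKE_BUCKET = {"assets/heroimage.png": b"\x89PNG constructed bytes"}

# Header that Identity-Aware Proxy adds to the requests it forwards.
IAP_EMAIL_HEADER = "X-Goog-Authenticated-User-Email"


def resolve_object(url_path):
    """Map a URL path to an object name, or return None if it is malformed."""
    name = url_path.lstrip("/")
    filename = posixpath.basename(name)
    if not filename or not posixpath.splitext(filename)[1]:
        return None  # no filename, or no filename extension
    return name


def serve(url_path, headers, bucket=FAKE_BUCKET, audit=print):
    """Return (status, content_type, body) and write one audit record."""
    # IAP prefixes the address, e.g. "accounts.google.com:user@example.com".
    user = headers.get(IAP_EMAIL_HEADER, "").split(":", 1)[-1] or "unknown"
    name = resolve_object(url_path)
    if name is None:
        status, content_type, body = 400, "text/plain", b"Bad request"
    elif name not in bucket:
        status, content_type, body = 404, "text/plain", b"File not found"
    else:
        # Assumption: an unrecognized extension is served as a generic download.
        content_type = mimetypes.guess_type(name)[0] or "application/octet-stream"
        status, body = 200, bucket[name]
    # One structured line per request: who asked for which object, and the outcome.
    audit(json.dumps({"user": user, "object": name, "status": status}))
    return status, content_type, body
```

The email header can be relied on only while every request reaches the app through Identity-Aware Proxy; verifying the signed X-Goog-IAP-JWT-Assertion header removes that dependency.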
Opportunities for customization
This code provides a plain authenticated file server. Often, you might have requirements for transforming files before delivering them to the user. Here are a few ways that this code can be modified to fit more specific needs:
- Image or document watermarking
- Image resizing and other alterations
- Data loss prevention (DLP) redaction to hide sensitive information from users not authorized to view those parts
- Pub/Sub event triggers
- Object request tallying and object deletion, for objects that can only be downloaded a specific number of times