Class UrlSigner (3.6.0)

public sealed class UrlSigner

Class which helps create signed URLs which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.

Inheritance

Object > UrlSigner

Namespace

Google.Cloud.Storage.V1

Assembly

Google.Cloud.Storage.V1.dll

Remarks

Properties

ResumableHttpMethod

public static HttpMethod ResumableHttpMethod { get; }

Gets a special HTTP method which can be used to create a signed URL for initiating a resumable upload. See https://cloud.google.com/storage/docs/access-control/signed-urls#signing-resumable for more information.

Property Value
TypeDescription
HttpMethod
Remarks

Note: When using the RESUMABLE method to create a signed URL, a URL will actually be signed for the POST method with a header of 'x-goog-resumable:start'. The caller must perform a POST request with this URL and specify the 'x-goog-resumable:start' header as well or signature validation will fail.

Methods

FromBlobSigner(UrlSigner.IBlobSigner)

public static UrlSigner FromBlobSigner(UrlSigner.IBlobSigner signer)

Creates a new UrlSigner instance for a custom blob signer.

Parameter
NameDescription
signerUrlSigner.IBlobSigner

The blob signer to use. Must not be null.

Returns
TypeDescription
UrlSigner

A new UrlSigner using the specified blob signer.

Remarks

This method is typically used when a service account credential file isn't available, either for testing or to use the IAM service's blob signing capabilities.

FromServiceAccountCredential(ServiceAccountCredential)

public static UrlSigner FromServiceAccountCredential(ServiceAccountCredential credential)

Creates a new UrlSigner instance for a service account.

Parameter
NameDescription
credentialServiceAccountCredential

The credential for the a service account. Must not be null.

Returns
TypeDescription
UrlSigner

FromServiceAccountData(Stream)

public static UrlSigner FromServiceAccountData(Stream credentialData)

Creates a new UrlSigner instance for a service account.

Parameter
NameDescription
credentialDataStream

The stream from which to read the JSON key data for a service account. Must not be null.

Returns
TypeDescription
UrlSigner
Exceptions
TypeDescription
InvalidOperationException

The credentialData does not contain valid JSON service account key data.

FromServiceAccountPath(String)

public static UrlSigner FromServiceAccountPath(string credentialFilePath)

Creates a new UrlSigner instance for a service account.

Parameter
NameDescription
credentialFilePathString

The path to the JSON key file for a service account. Must not be null.

Returns
TypeDescription
UrlSigner
Exceptions
TypeDescription
InvalidOperationException

The credentialFilePath does not refer to a valid JSON service account key file.

Sign(UrlSigner.PostPolicy, UrlSigner.Options)

public UrlSigner.SignedPostPolicy Sign(UrlSigner.PostPolicy postPolicy, UrlSigner.Options options)

Signs the given post policy. The result can be used to make form posting requests matching the conditions set in the post policy.

Parameters
NameDescription
postPolicyUrlSigner.PostPolicy

The post policy to signed and that will be enforced when making the post request. Must not be null.

optionsUrlSigner.Options

The options used to generate the signed post policy. Must not be null.

Returns
TypeDescription
UrlSigner.SignedPostPolicy

The signed post policy, which contains all the fields that should be including in the form to post.

Remarks

Signing post policies is not supported by V2. A NotSupportedException will be thrown if an attempt is made to sign a post policy using V2.

When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.

See https://cloud.google.com/storage/docs/xml-api/post-object for more information on signed post policies.

Sign(UrlSigner.RequestTemplate, UrlSigner.Options)

public string Sign(UrlSigner.RequestTemplate requestTemplate, UrlSigner.Options options)

Creates a signed URL which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.

Parameters
NameDescription
requestTemplateUrlSigner.RequestTemplate

The request template that will be used to generate the signed URL for. Must not be null.

optionsUrlSigner.Options

The options used to generate the signed URL. Must not be null.

Returns
TypeDescription
String

The signed URL which can be used to provide access to a bucket or object for a limited amount of time.

Remarks

When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.

See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.

Example

See Sign for an example using an alternative overload.

Sign(String, String, TimeSpan, HttpMethod, Nullable<SigningVersion>)

public string Sign(string bucket, string objectName, TimeSpan duration, HttpMethod httpMethod = null, SigningVersion? signingVersion = default(SigningVersion? ))

Creates a signed URL which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.

Parameters
NameDescription
bucketString

The name of the bucket. Must not be null.

objectNameString

The name of the object within the bucket. May be null, in which case the signed URL will refer to the bucket instead of an object.

durationTimeSpan

The length of time for which the signed URL should remain usable.

httpMethodHttpMethod

The HTTP request method for which the signed URL is allowed to be used. May be null, in which case GET will be used.

signingVersionNullable<SigningVersion>

The signing version to use to generate the signed URL. May be null, in which case Default will be used.

Returns
TypeDescription
String

The signed URL which can be used to provide access to a bucket or object for a limited amount of time.

Remarks

When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.

See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.

Note that when GET is specified as the httpMethod (or it is null, in which case GET is used), both GET and HEAD requests can be made with the created signed URL.

Example
// Create a signed URL which can be used to get a specific object for one hour.
UrlSigner urlSigner = UrlSigner.FromServiceAccountCredential(credential);
string url = urlSigner.Sign(bucketName, objectName, TimeSpan.FromHours(1));

// Get the content at the created URL.
HttpResponseMessage response = await httpClient.GetAsync(url);
string content = await response.Content.ReadAsStringAsync();

SignAsync(UrlSigner.PostPolicy, UrlSigner.Options, CancellationToken)

public Task<UrlSigner.SignedPostPolicy> SignAsync(UrlSigner.PostPolicy postPolicy, UrlSigner.Options options, CancellationToken cancellationToken = default(CancellationToken))

Signs the given post policy. The result can be used to make form posting requests matching the conditions set in the post policy.

Parameters
NameDescription
postPolicyUrlSigner.PostPolicy

The post policy to signed and that will be enforced when making the post request. Most not be null.

optionsUrlSigner.Options

The options used to generate the signed post policy. Must not be null.

cancellationTokenCancellationToken

The token to monitor for cancellation requests.

Returns
TypeDescription
Task<UrlSigner.SignedPostPolicy>

The signed post policy, which contains all the fields that should be including in the form to post.

Remarks

Signing post policies is not supported by V2. A NotSupportedException will be thrown if an attempt is made to sign a post policy using V2.

When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.

See https://cloud.google.com/storage/docs/xml-api/post-object for more information on signed post policies.

SignAsync(UrlSigner.RequestTemplate, UrlSigner.Options, CancellationToken)

public Task<string> SignAsync(UrlSigner.RequestTemplate requestTemplate, UrlSigner.Options options, CancellationToken cancellationToken = default(CancellationToken))

Asynchronously creates a signed URL which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.

Parameters
NameDescription
requestTemplateUrlSigner.RequestTemplate

The request template that will be used to generate the signed URL for. Must not be null.

optionsUrlSigner.Options

The options used to generate the signed URL. Must not be null.

cancellationTokenCancellationToken

The token to monitor for cancellation requests.

Returns
TypeDescription
Task<String>

A task representing the asynchronous operation, with a result returning the signed URL which can be used to provide access to a bucket or object for a limited amount of time.

Remarks

When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.

See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.

SignAsync(String, String, TimeSpan, HttpMethod, Nullable<SigningVersion>, CancellationToken)

public Task<string> SignAsync(string bucket, string objectName, TimeSpan duration, HttpMethod httpMethod = null, SigningVersion? signingVersion = default(SigningVersion? ), CancellationToken cancellationToken = default(CancellationToken))

Creates a signed URL which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.

Parameters
NameDescription
bucketString

The name of the bucket. Must not be null.

objectNameString

The name of the object within the bucket. May be null, in which case the signed URL will refer to the bucket instead of an object.

durationTimeSpan

The length of time for which the signed URL should remain usable.

httpMethodHttpMethod

The HTTP request method for which the signed URL is allowed to be used. May be null, in which case GET will be used.

signingVersionNullable<SigningVersion>

The signing version to use to generate the signed URL. May be null, in which case Default will be used.

cancellationTokenCancellationToken

The token to monitor for cancellation requests.

Returns
TypeDescription
Task<String>

A task representing the asynchronous operation, with a result returning the signed URL which can be used to provide access to a bucket or object for a limited amount of time.

Remarks

When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.

See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.

Note that when GET is specified as the httpMethod (or it is null, in which case GET is used), both GET and HEAD requests can be made with the created signed URL.