public sealed class UrlSigner
Class which helps create signed URLs which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.
Namespace
Google.Cloud.Storage.V1Assembly
Google.Cloud.Storage.V1.dll
Remarks
See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.
Properties
ResumableHttpMethod
public static HttpMethod ResumableHttpMethod { get; }
Gets a special HTTP method which can be used to create a signed URL for initiating a resumable upload. See https://cloud.google.com/storage/docs/access-control/signed-urls#signing-resumable for more information.
Property Value | |
---|---|
Type | Description |
HttpMethod |
Note: When using the RESUMABLE method to create a signed URL, a URL will actually be signed for the POST method with a header of 'x-goog-resumable:start'. The caller must perform a POST request with this URL and specify the 'x-goog-resumable:start' header as well or signature validation will fail.
Methods
FromBlobSigner(UrlSigner.IBlobSigner)
public static UrlSigner FromBlobSigner(UrlSigner.IBlobSigner signer)
Creates a new UrlSigner instance for a custom blob signer.
Parameter | |
---|---|
Name | Description |
signer | UrlSigner.IBlobSigner The blob signer to use. Must not be null. |
Returns | |
---|---|
Type | Description |
UrlSigner | A new UrlSigner using the specified blob signer. |
This method is typically used when a service account credential file isn't available, either for testing or to use the IAM service's blob signing capabilities.
FromServiceAccountCredential(ServiceAccountCredential)
public static UrlSigner FromServiceAccountCredential(ServiceAccountCredential credential)
Creates a new UrlSigner instance for a service account.
Parameter | |
---|---|
Name | Description |
credential | ServiceAccountCredential The credential for the a service account. Must not be null. |
Returns | |
---|---|
Type | Description |
UrlSigner |
FromServiceAccountData(Stream)
public static UrlSigner FromServiceAccountData(Stream credentialData)
Creates a new UrlSigner instance for a service account.
Parameter | |
---|---|
Name | Description |
credentialData | Stream The stream from which to read the JSON key data for a service account. Must not be null. |
Returns | |
---|---|
Type | Description |
UrlSigner |
Exceptions | |
---|---|
Type | Description |
InvalidOperationException | The |
FromServiceAccountPath(String)
public static UrlSigner FromServiceAccountPath(string credentialFilePath)
Creates a new UrlSigner instance for a service account.
Parameter | |
---|---|
Name | Description |
credentialFilePath | String The path to the JSON key file for a service account. Must not be null. |
Returns | |
---|---|
Type | Description |
UrlSigner |
Exceptions | |
---|---|
Type | Description |
InvalidOperationException | The |
Sign(UrlSigner.PostPolicy, UrlSigner.Options)
public UrlSigner.SignedPostPolicy Sign(UrlSigner.PostPolicy postPolicy, UrlSigner.Options options)
Signs the given post policy. The result can be used to make form posting requests matching the conditions set in the post policy.
Parameters | |
---|---|
Name | Description |
postPolicy | UrlSigner.PostPolicy The post policy to signed and that will be enforced when making the post request. Must not be null. |
options | UrlSigner.Options The options used to generate the signed post policy. Must not be null. |
Returns | |
---|---|
Type | Description |
UrlSigner.SignedPostPolicy | The signed post policy, which contains all the fields that should be including in the form to post. |
Signing post policies is not supported by V2. A NotSupportedException will be thrown if an attempt is made to sign a post policy using V2.
When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.
See https://cloud.google.com/storage/docs/xml-api/post-object for more information on signed post policies.
Sign(UrlSigner.RequestTemplate, UrlSigner.Options)
public string Sign(UrlSigner.RequestTemplate requestTemplate, UrlSigner.Options options)
Creates a signed URL which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.
Parameters | |
---|---|
Name | Description |
requestTemplate | UrlSigner.RequestTemplate The request template that will be used to generate the signed URL for. Must not be null. |
options | UrlSigner.Options The options used to generate the signed URL. Must not be null. |
Returns | |
---|---|
Type | Description |
String | The signed URL which can be used to provide access to a bucket or object for a limited amount of time. |
When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.
See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.
See Sign for an example using an alternative overload.
Sign(String, String, TimeSpan, HttpMethod, Nullable<SigningVersion>)
public string Sign(string bucket, string objectName, TimeSpan duration, HttpMethod httpMethod = null, SigningVersion? signingVersion = null)
Creates a signed URL which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.
Parameters | |
---|---|
Name | Description |
bucket | String The name of the bucket. Must not be null. |
objectName | String The name of the object within the bucket. May be null, in which case the signed URL will refer to the bucket instead of an object. |
duration | TimeSpan The length of time for which the signed URL should remain usable. |
httpMethod | HttpMethod The HTTP request method for which the signed URL is allowed to be used. May be null, in which case GET will be used. |
signingVersion | Nullable<SigningVersion> The signing version to use to generate the signed URL. May be null, in which case Default will be used. |
Returns | |
---|---|
Type | Description |
String | The signed URL which can be used to provide access to a bucket or object for a limited amount of time. |
When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.
See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.
Note that when GET is specified as the httpMethod
(or it is null, in which case GET is
used), both GET and HEAD requests can be made with the created signed URL.
// Create a signed URL which can be used to get a specific object for one hour.
UrlSigner urlSigner = UrlSigner.FromServiceAccountCredential(credential);
string url = urlSigner.Sign(bucketName, objectName, TimeSpan.FromHours(1));
// Get the content at the created URL.
HttpResponseMessage response = await httpClient.GetAsync(url);
string content = await response.Content.ReadAsStringAsync();
SignAsync(UrlSigner.PostPolicy, UrlSigner.Options, CancellationToken)
public Task<UrlSigner.SignedPostPolicy> SignAsync(UrlSigner.PostPolicy postPolicy, UrlSigner.Options options, CancellationToken cancellationToken = default(CancellationToken))
Signs the given post policy. The result can be used to make form posting requests matching the conditions set in the post policy.
Parameters | |
---|---|
Name | Description |
postPolicy | UrlSigner.PostPolicy The post policy to signed and that will be enforced when making the post request. Most not be null. |
options | UrlSigner.Options The options used to generate the signed post policy. Must not be null. |
cancellationToken | CancellationToken The token to monitor for cancellation requests. |
Returns | |
---|---|
Type | Description |
Task<UrlSigner.SignedPostPolicy> | The signed post policy, which contains all the fields that should be including in the form to post. |
Signing post policies is not supported by V2. A NotSupportedException will be thrown if an attempt is made to sign a post policy using V2.
When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.
See https://cloud.google.com/storage/docs/xml-api/post-object for more information on signed post policies.
SignAsync(UrlSigner.RequestTemplate, UrlSigner.Options, CancellationToken)
public Task<string> SignAsync(UrlSigner.RequestTemplate requestTemplate, UrlSigner.Options options, CancellationToken cancellationToken = default(CancellationToken))
Asynchronously creates a signed URL which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.
Parameters | |
---|---|
Name | Description |
requestTemplate | UrlSigner.RequestTemplate The request template that will be used to generate the signed URL for. Must not be null. |
options | UrlSigner.Options The options used to generate the signed URL. Must not be null. |
cancellationToken | CancellationToken The token to monitor for cancellation requests. |
Returns | |
---|---|
Type | Description |
Task<String> | A task representing the asynchronous operation, with a result returning the signed URL which can be used to provide access to a bucket or object for a limited amount of time. |
When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.
See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.
SignAsync(String, String, TimeSpan, HttpMethod, Nullable<SigningVersion>, CancellationToken)
public async Task<string> SignAsync(string bucket, string objectName, TimeSpan duration, HttpMethod httpMethod = null, SigningVersion? signingVersion = null, CancellationToken cancellationToken = default(CancellationToken))
Creates a signed URL which can be used to provide limited access to specific buckets and objects to anyone in possession of the URL, regardless of whether they have a Google account.
Parameters | |
---|---|
Name | Description |
bucket | String The name of the bucket. Must not be null. |
objectName | String The name of the object within the bucket. May be null, in which case the signed URL will refer to the bucket instead of an object. |
duration | TimeSpan The length of time for which the signed URL should remain usable. |
httpMethod | HttpMethod The HTTP request method for which the signed URL is allowed to be used. May be null, in which case GET will be used. |
signingVersion | Nullable<SigningVersion> The signing version to use to generate the signed URL. May be null, in which case Default will be used. |
cancellationToken | CancellationToken The token to monitor for cancellation requests. |
Returns | |
---|---|
Type | Description |
Task<String> | A task representing the asynchronous operation, with a result returning the signed URL which can be used to provide access to a bucket or object for a limited amount of time. |
When a UrlSigner is created with a service account credential, the signing can be performed with no network access. When it is created with an implementation of UrlSigner.IBlobSigner, that may require network access or other IO. In that case, one of the asynchronous methods should be used when the caller is in a context that should not block.
See https://cloud.google.com/storage/docs/access-control/signed-urls for more information on signed URLs.
Note that when GET is specified as the httpMethod
(or it is null, in which case GET is
used), both GET and HEAD requests can be made with the created signed URL.