This page describes how Cloud Storage users can download content from their browser by logging in to their Google account. This type of access uses browser cookies to verify a user's identity.
Cloud Audit Logs Data Access logs cannot be enabled on the bucket that contains the relevant object.
Users must have sufficient permission to download the object. When granting a permission, users are identified by their Google account. A Google account is a personal Gmail account, or an account connected to a G Suite or Cloud Identity domain.
If you are using Cloud Identity and Access Management to control access to your objects, the user should have the storage.objects.viewer permission, which is granted in the Storage Object Viewer role.
If you are using Access Control Lists to control access to your objects, the user should have
To grant a user access to download an image in one of your Cloud Storage buckets:
- Give the user the URL to access the image. In this case, something similar to:
- If they are not logged in to their Google account, they will be prompted to sign in.
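Before handing out the URL, it is worth checking who the bucket's IAM policy actually lets read objects, since a browser download succeeds for anyone holding an object-read role, including allUsers or allAuthenticatedUsers if those were ever granted. The following is an added example, not code from the Cloud Storage documentation or the product: it parses a constructed bucket IAM policy in the JSON shape that `gcloud storage buckets get-iam-policy` returns and reports which principals can download. The set of roles treated as granting object read (the Storage Object Viewer role the page names, plus roles/storage.objectAdmin and roles/storage.admin) is an assumption made here for the audit, and the bucket, principals and etag are made up.

```python
import json

# Predefined roles assumed, for this audit, to include object read. The first is
# the Storage Object Viewer role named on the page; the other two are broader
# Cloud Storage roles that also cover it. Not an exhaustive list.
OBJECT_READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}

# Principals that make objects readable without a specific Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the JSON shape returned by
# `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.
# Users, group and etag are invented for the example.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com", "group:photo-reviewers@example.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "CAE="
}
"""


def load_policy(policy_json):
    """Parse the policy JSON text into a dict."""
    return json.loads(policy_json)


def members_with_object_read(policy):
    """Return every principal bound to a role assumed to grant object read.

    Bindings carrying an IAM condition are skipped: whether they apply depends
    on request attributes this offline check cannot evaluate, so they are
    reported separately by conditional_bindings().
    """
    members = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if binding.get("role") in OBJECT_READ_ROLES:
            members.update(binding.get("members", []))
    return members


def can_read_objects(policy, principal):
    """True if the principal (e.g. 'user:alice@example.com') can download
    objects, either directly or because the bucket is public.

    Group and domain membership is not expanded here, so a user who reads only
    via a group binding is reported as False; resolve groups separately.
    """
    readers = members_with_object_read(policy)
    return principal in readers or bool(readers & PUBLIC_MEMBERS)


def public_read_bindings(policy):
    """Roles granting object read to allUsers/allAuthenticatedUsers: the
    findings a bucket owner most wants surfaced before sharing a URL."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in OBJECT_READ_ROLES:
            public = PUBLIC_MEMBERS & set(binding.get("members", []))
            for member in sorted(public):
                findings.append((binding["role"], member))
    return findings


def conditional_bindings(policy):
    """Object-read bindings that carry an IAM condition and need manual review."""
    return [b["role"] for b in policy.get("bindings", [])
            if "condition" in b and b.get("role") in OBJECT_READ_ROLES]


SAMPLE_POLICY = load_policy(SAMPLE_POLICY_JSON)

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, "can download:", can_read_objects(SAMPLE_POLICY, who))
    print("public read bindings:", public_read_bindings(SAMPLE_POLICY))
    print("conditional bindings to review:", conditional_bindings(SAMPLE_POLICY))
```

In the sample, bob holds only roles/storage.legacyBucketReader, which lists objects but does not read them, so the check correctly reports that he cannot download; a real audit would run this over the policy exported from each bucket you intend to share from.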
How cookie-based authentication works
When the user clicks the URL in their browser, they are automatically prompted to sign in to their Google account (if they're not already logged in). After they are authenticated, and their browser has acquired a cookie with an encapsulated identity token, they are redirected to the object in the Cloud Storage repository. Cloud Storage then verifies that the user is allowed to read the object, and the object is downloaded to the user's computer.
The following figure shows how the authentication process for browser-based authenticated downloads works.