Performing authenticated browser downloads

This page describes how Cloud Storage users can download content from their browser by logging in to their Google account. This type of access uses browser cookies to verify a user's identity.


  • Data Access logs cannot be enabled on the bucket that contains the relevant object.

  • Users must have sufficient permission to download the object. When granting a permission, users are identified by their Google account. A Google account is a personal Gmail account, or an account connected to a Google Workspace or Cloud Identity domain.

To grant a user access to download an image in one of your Cloud Storage storage buckets:

  1. Give the user the URL to access the image. In this case, something similar to:
  2. If they are not logged in to their Google account, they are prompted to sign in.

When the user clicks the URL in their browser, they are automatically prompted to sign in to their Google account (if they're not already logged in). After they are authenticated, and their browser has acquired a cookie with an encapsulated identity token, they are redirected to the object in the Cloud Storage repository. Cloud Storage then verifies that the user is allowed to read the object, and the object is downloaded to the user's computer.

The following figure shows how the authentication process for browser-based authenticated downloads works.

Diagram showing cookie authentication

What's Next