Creating Signed URLs with gsutil

This page describes how to use gsutil to create signed URLs, which are a mechanism for query string authentication for buckets and objects. Signed URLs are one way to control access to buckets and objects. A signed URL is associated with a bucket or object and gives time-limited read or write access to that specific resource. Anyone in possession of the URL has the access granted by the URL, regardless of whether they have a Google account.

To learn more about Signed URLs, read the Overview of Signed URLs. To learn how to create signed URLs using a program, read Creating Signed URLs with a program.

Creating a signed URL with gsutil

The gsutil signurl command is the easiest way to create a signed URL, since it automates nearly all of the steps required to generate one. This approach enables you to quickly generate a signed URL for a resource.

To create a signed URL with gsutil:

  1. Generate a new private key, or use an existing private key. The key can be in either JSON or PKCS12 format.

    For more information on private keys and service accounts, see Service account authentication.

  2. Use the gsutil signurl command, passing in the path to the private key (stored on your computer) and the URL of the bucket or object you want to generate a signed URL for.

    For example, using a key stored in the folder Desktop, the following command generates a signed URL for users to view the object cat.jpeg for 10 minutes.

    gsutil signurl -d 10m Desktop/private-key.json gs://example-bucket/cat.jpeg

    For more information on the gsutil signurl command, including flag options such as -d, and how to specify different HTTP methods, see the gsutil signurl page, or display help with gsutil signurl --help.

If successful, your response should look like:

URL    HTTP Method    Expiration    Signed URL
gs://example-bucket/cat.jpeg GET 2016-03-17 11:17:10 https://storage.googleapis.
com/example-bucket/cat.jpeg?GoogleAccessId=example@example-project.iam.gservicea
ccount.com&Expires=1458238630&Signature=VVUgfqviDCov%2B%2BKnmVOkwBR2olSbId51kSib
uQeiH8ucGFyOfAVbH5J%2B5V0gDYIioO2dDGH9Fsj6YdwxWv65HE71VEOEsVPuS8CVb%2BVeeIzmEe8z
7X7o1d%2BcWbPEo4exILQbj3ROM3T2OrkNBU9sbHq0mLbDMhiiQZ3xCaiCQdsrMEdYVvAFggPuPq%2FE
QyQZmyJK3ty%2Bmr7kAFW16I9pD11jfBSD1XXjKTJzgd%2FMGSde4Va4J1RtHoX7r5i7YR7Mvf%2Fb17
zlAuGlzVUf%2FzmhLPqtfKinVrcqdlmamMcmLoW8eLG%2B1yYW%2F7tlS2hvqSfCW8eMUUjiHiSWgZLE
VIG4Lw%3D%3D

The signed URL is the string beginning with https://storage.googleapis.com and will likely extend for several lines. This URL can be used by any person to access the associated resource (in this case cat.jpeg) for the designated time frame (in this case, 10 minutes).

Send feedback about...

Cloud Storage Documentation