This page describes how to use gsutil to create signed URLs, which are a mechanism for query string authentication for buckets and objects. Signed URLs are one way to control access to buckets and objects. A signed URL is associated with a bucket or object and gives time-limited read or write access to that specific resource. Anyone in possession of the URL has the access granted by the URL, regardless of whether they have a Google account.
Creating a signed URL with gsutil
gsutil signurl command
is the easiest way to create a signed URL, since it automates nearly all of
the steps required to generate one. This approach enables you to quickly generate a
signed URL for a resource.
To create a signed URL with gsutil:
Generate a new private key, or use an existing private key. The key can be in either JSON or PKCS12 format.
Expand for instructions on how to generate a private key using the console.
- Open the list of credentials in the Google Cloud Platform Console.
- Click Create credentials.
- Select Service account key.
A Create service account key window opens.
- Click the drop-down box below Service account, then click New service account.
- Enter a name for the service account in Name.
- Choose a Cloud Storage Role that grants the service account the desired level of access.
- Use the default Service account ID or generate a different one.
- Select the Key type: JSON or P12.
- Click Create.
A Service account created window is displayed and the private key for the Key type you selected is downloaded automatically. If you selected a P12 key, the private key's password ("notasecret") is displayed.
- Click Close.
For more information on private keys and service accounts, see Service account authentication.
gsutil signurlcommand, passing in the path to the private key (stored on your computer) and the URL of the bucket or object you want to generate a signed URL for.
For example, using a key stored in the folder
Desktop, the following command generates a signed URL for users to view the object
cat.jpegfor 10 minutes.
gsutil signurl -d 10m Desktop/private-key.json gs://example-bucket/cat.jpeg
For more information on the
gsutil signurlcommand, including flag options such as
-d, and how to specify different HTTP methods, see the
gsutil signurlpage, or display help with
gsutil signurl --help.
If successful, your response should look like:
URL HTTP Method Expiration Signed URL gs://example-bucket/cat.jpeg GET 2016-03-17 11:17:10 https://storage.googleapis. com/example-bucket/cat.jpeg?GoogleAccessIdemail@example.com ccount.com&Expires=1458238630&Signature=VVUgfqviDCov%2B%2BKnmVOkwBR2olSbId51kSib uQeiH8ucGFyOfAVbH5J%2B5V0gDYIioO2dDGH9Fsj6YdwxWv65HE71VEOEsVPuS8CVb%2BVeeIzmEe8z 7X7o1d%2BcWbPEo4exILQbj3ROM3T2OrkNBU9sbHq0mLbDMhiiQZ3xCaiCQdsrMEdYVvAFggPuPq%2FE QyQZmyJK3ty%2Bmr7kAFW16I9pD11jfBSD1XXjKTJzgd%2FMGSde4Va4J1RtHoX7r5i7YR7Mvf%2Fb17 zlAuGlzVUf%2FzmhLPqtfKinVrcqdlmamMcmLoW8eLG%2B1yYW%2F7tlS2hvqSfCW8eMUUjiHiSWgZLE VIG4Lw%3D%3D
The signed URL is the string beginning with
and will likely extend for several lines. This URL can be used by any person
to access the associated resource (in this case
cat.jpeg) for the
designated time frame (in this case, 10 minutes).