V4 signing is a process you can use to generate signatures for authentication in Cloud Storage XML API requests. This page describes how to use the Google Cloud CLI and Cloud Storage client libraries to create signed URLs, using service account credentials. Signed URLs give time-limited read or write access to a specific Cloud Storage resource. If you want to make your own program for creating signed URLs, read V4 signing with your own program instead.
Before you begin
To create signed URLs, complete the tasks in the following sections.
Enable the Service Account Credentials API
Enable the Service Account Credentials API.
Get required roles
In order to get the required permissions for creating a signed URL to download and upload objects, ask your administrator to grant the following roles:
- Storage Object User (roles/storage.objectUser): this role is required for downloading, uploading, and overwriting objects. This role should be granted to the service account whose key will be used to sign the URL.
  - If you only want to download objects, ask your administrator to grant the service account the Storage Object Viewer (roles/storage.objectViewer) role instead of the Storage Object User role.
  - If you only want to upload objects (without overwriting), ask your administrator to grant the service account the Storage Object Creator (roles/storage.objectCreator) role instead of the Storage Object User role.
- Service Account Token Creator (roles/iam.serviceAccountTokenCreator): this role is required for generating short-lived credentials for a service account when a private key file is not provided locally. This role should be granted to the principal that will create the signed URL.
  - If you use user credentials for authentication, your user identity must have this role and you must modify commands to impersonate the service account that is used to sign the URL.
  - If you use a service account attached to a compute instance for authentication, the service account must have this role to impersonate itself and you must modify commands to impersonate the service account used to sign the URL.
  - If you use a private key file for authentication, this role is not necessary.
These predefined roles contain the permissions required for a service account to download and upload objects using signed URLs. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
- storage.objects.get
- storage.objects.create (not required if you only want to download objects)
- storage.objects.delete (not required if you don't need to overwrite objects when uploading)
- iam.serviceAccounts.signBlob (not required if you plan on providing a service account key locally to create the signature, which doesn't require calling the signBlob method)
You might also be able to get these permissions with custom roles or other predefined roles. To see which roles are associated with which permissions, refer to IAM roles for Cloud Storage.
For instructions on granting roles on projects, see Manage access to projects.
Create a signed URL to download an object
To create a signed URL that can get an object from a bucket, complete the following steps:
Command line
Generate a new private key, or use an existing private key for a service account. The key should be in JSON format.
For more information on private keys and service accounts, see Service Accounts.
Use the gcloud storage sign-url command. For example, the following command creates a signed URL that allows users to download an object for 10 minutes:
gcloud storage sign-url gs://BUCKET_NAME/OBJECT_NAME --private-key-file=KEY_FILE --duration=10m
Where:
- BUCKET_NAME is the name of the bucket where the object is located. For example, example-bucket.
- OBJECT_NAME is the name of the object to download. For example, cat.jpeg.
- KEY_FILE is the path to the file containing your service account's private key. For example, Desktop/private-key.json.
If successful, your response should look like:
---
expiration: '2023-07-14 23:19:35'
http_verb: GET
resource: gs://example-bucket/cat.jpeg
signed_url: https://storage.googleapis.com/example-bucket/cat.jpeg?x-goog-signature=11ae9c61ca84dd0bec319f7d52a38029e5873caa2eeced0568ef96076258cfc1a925a9683cc907d210036b61af9e06a13bf4a15b15fab3916669be2f4c9f66ea6be822bec5858af519a6da705415b5768721197be213103fa09b8a188a143be77a24351517ff208a2c62cfebb78040daf1f953907080bd98f9462739d111355b1d9bcf54705b862f37392c031fde0d52add1a4d3bbb98a22e8b7023f6a16232e0a2dd56e524d410624d28663e557fafaf4ba0a04290a1066f894713857b429258d14f056066c7622baf114c124e645688e19b4df3c4a7925f580693c93fa9c1dae7fdff0edff7259c72f3f0eadc5a9f9f556c83c9c8dc02ee3af8d20ab634bad&x-goog-algorithm=GOOG4-RSA-SHA256&x-goog-credential=example%40example-project.iam.gserviceaccount.com%2F20230714%2Fus%2Fstorage%2Fgoog4_request&x-goog-date=20230714T221935Z&x-goog-expires=600&x-goog-signedheaders=host
This URL can be used by any person to access the associated resource (in this case cat.jpeg) for the designated length of time (in this case, 10 minutes).
Client libraries
Signed URLs for downloading an object can also be created with the Cloud Storage client libraries. For more information, see the reference documentation for the Cloud Storage C++, C#, Go, Java, Node.js, PHP, Python, or Ruby API.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Create a signed URL to upload an object
To create a signed URL that can upload an object to a bucket, complete the following steps:
Command line
Generate a new private key, or use an existing private key for a service account. The key can be in either JSON or PKCS12 format.
For more information on private keys and service accounts, see Service Accounts.
Use the gcloud storage sign-url command. For example, the following command creates a signed URL that allows users to upload a file for one hour:
gcloud storage sign-url gs://BUCKET_NAME/OBJECT_NAME --private-key-file=KEY_FILE --http-verb=PUT --duration=1h --headers=Content-Type=CONTENT_TYPE
Where:
- BUCKET_NAME is the name of the bucket where the object is being uploaded. For example, example-bucket.
- OBJECT_NAME is the name to assign to the uploaded object. For example, cat.png.
- KEY_FILE is the path to the file containing your service account's private key. For example, Desktop/private-key.json.
- CONTENT_TYPE is the uploaded object's content type. For example, image/png.
If successful, your response should look like:
---
expiration: '2023-07-14 23:35:47'
http_verb: PUT
resource: gs://example-bucket/cat.png
signed_url: https://storage.googleapis.com/example-bucket/cat.png?x-goog-signature=2f670a686102963e0574f3c1a3b4d29ee4aa406c1528d42d230195d17fef73834b254314de7d7990afd48538a84b66f20010e7ecd90a900490e6119b7e56a912f71c8d64285c40e86f31b8fec51cf8c7a61ded81de3cedac9c1cab92474b7371740fdac20b2d8d092b15396f79443bbde954a4174ed11aef6c2cf5fa4d72a84ff60fd6003ed0a505b0e40b6207ddbaec2a15778f715c3ec7537a1b14fb6661b2abaa5736f1670a412ca7e2555c830591f0595c01ff95af7f2206abe2e2741948c16d4bd4c7cbb25f41277ece59236c06e00ca6c63ae2eb3efc22c216bb24ce1b8b3801d07fd3a7ed3f2df3db6e59c6fc3cc76a002335dd936efd0237cf584e36&x-goog-algorithm=GOOG4-RSA-SHA256&x-goog-credential=example%40example-project.iam.gserviceaccount.com%2F20230714%2Fus%2Fstorage%2Fgoog4_request&x-goog-date=20230714T223547Z&x-goog-expires=3600&x-goog-signedheaders=Content-Type%3Bhost
This URL can be used by any person to upload a resource (in this case cat.png) to the specified Cloud Storage bucket for the designated length of time (in this case, 1 hour).
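A signed URL is a bearer credential: whoever holds it can use it until x-goog-expires has elapsed, so it is worth checking what a URL grants before handing it out. The following added example (not part of the Google Cloud documentation or of gcloud) parses the x-goog-* query parameters of a V4 signed URL, as produced in this section and in the download section above, and reports the bucket and object, the signing service account, the signed headers, and the computed expiry; it assumes a path-style storage.googleapis.com URL as in the gcloud output, uses a sample URL constructed from the upload example with a placeholder signature, and applies the V4 maximum of 7 days as an upper bound on x-goog-expires.

```python
import urllib.parse
from datetime import datetime, timedelta, timezone

# V4 signed URLs cannot be valid for longer than 7 days (604800 seconds).
MAX_V4_EXPIRES = 604800

# Constructed sample matching the upload example above; the x-goog-signature
# value is a shortened placeholder, since the signature itself is not checked here.
SAMPLE_UPLOAD_URL = (
    "https://storage.googleapis.com/example-bucket/cat.png"
    "?x-goog-signature=2f670a686102963e0574f3c1a3b4d29ee4aa406c1528d42d2"
    "&x-goog-algorithm=GOOG4-RSA-SHA256"
    "&x-goog-credential=example%40example-project.iam.gserviceaccount.com"
    "%2F20230714%2Fus%2Fstorage%2Fgoog4_request"
    "&x-goog-date=20230714T223547Z&x-goog-expires=3600"
    "&x-goog-signedheaders=Content-Type%3Bhost"
)

def inspect_signed_url(url):
    """Return what a V4 signed URL grants: resource, signing account, signed headers, expiry."""
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    required = ("x-goog-algorithm", "x-goog-credential", "x-goog-date",
                "x-goog-expires", "x-goog-signedheaders", "x-goog-signature")
    missing = [k for k in required if k not in q]
    if missing:
        raise ValueError(f"not a V4 signed URL, missing {missing}")
    if q["x-goog-algorithm"] != "GOOG4-RSA-SHA256":
        raise ValueError(f"unexpected algorithm {q['x-goog-algorithm']}")
    # Credential scope is SERVICE_ACCOUNT/YYYYMMDD/REGION/storage/goog4_request.
    signer, scope_date, region, _service, _kind = q["x-goog-credential"].split("/")
    if scope_date != q["x-goog-date"][:8]:
        raise ValueError("credential scope date does not match x-goog-date")
    signed_at = datetime.strptime(q["x-goog-date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_in = int(q["x-goog-expires"])
    if not 0 < expires_in <= MAX_V4_EXPIRES:
        raise ValueError(f"x-goog-expires={expires_in} is outside the allowed range")
    # Path-style URL as in the gcloud output: https://storage.googleapis.com/BUCKET/OBJECT.
    bucket, _, obj = parts.path.lstrip("/").partition("/")
    return {
        "resource": f"gs://{bucket}/{obj}",
        "signer": signer,
        "region": region,
        "signed_headers": q["x-goog-signedheaders"].split(";"),
        "expires_at": signed_at + timedelta(seconds=expires_in),
    }

def is_expired(info, now):
    """True if the URL described by inspect_signed_url() is no longer usable at `now`."""
    return now >= info["expires_at"]
```

Because Content-Type appears in the signed headers of the upload URL, the client that uses the URL must send exactly that header, so signed_headers tells you which request headers the signature binds.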
Client libraries
Signed URLs for uploading an object can also be created with the Cloud Storage client libraries. For more information, see the reference documentation for the Cloud Storage C++, C#, Go, Java, Node.js, PHP, Python, or Ruby API.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
What's next
- Learn how to sign URLs with your own program.
- Learn more about signed URLs.
- Learn about uploading an object with the XML API.
- Learn about uploading objects.