Creating Signed URLs with gsutil

This page describes how to use gsutil to create signed URLs, which are a mechanism for query string authentication for buckets and objects. Signed URLs are one way to control access to buckets and objects. A signed URL is associated with a bucket or object and gives time-limited read or write access to that specific resource. Anyone in possession of the URL has the access granted by the URL, regardless of whether they have a Google account.

To learn more about Signed URLs, read the Overview of Signed URLs. To learn how to create signed URLs using a program, read Creating Signed URLs with a program.

Creating a signed URL with gsutil

The gsutil signurl command is the easiest way to create a signed URL, since it automates nearly all of the steps required to generate one. This approach enables you to quickly generate a signed URL for a resource.

To create a signed URL with gsutil:

  1. Generate a new private key, or use an existing private key for a service account. The key can be in either JSON or PKCS12 format.

    For more information on private keys and service accounts, see Service Accounts.

  2. Use the gsutil signurl command, passing in the path to the private key (stored on your computer) and the URL of the bucket or object you want to generate a signed URL for.

    For example, using a key stored in the folder Desktop, the following command generates a signed URL for users to view the object cat.jpeg for 10 minutes.

    gsutil signurl -d 10m Desktop/private-key.json gs://example-bucket/cat.jpeg

    For more information on the gsutil signurl command, including flag options such as -d, and how to specify different HTTP methods, see the gsutil signurl page, or display help with gsutil signurl --help.

If successful, your response should look like:

URL    HTTP Method    Expiration    Signed URL
gs://example-bucket/cat.jpeg GET 2016-03-17 11:17:10 https://storage.googleapis.

The signed URL is the string beginning with and will likely extend for several lines. This URL can be used by any person to access the associated resource (in this case cat.jpeg) for the designated time frame (in this case, 10 minutes).

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Storage
Need help? Visit our support page.