This page describes how to use gsutil to create signed URLs, which are a mechanism for query string authentication for buckets and objects. Signed URLs are one way to control access to buckets and objects. A signed URL is associated with a bucket or object and gives time-limited read or write access to that specific resource. Anyone in possession of the URL has the access granted by the URL, regardless of whether they have a Google account.
Creating a signed URL with gsutil
gsutil signurl command
is the easiest way to create a signed URL, since it automates nearly all of
the steps required to generate one. This approach enables you to quickly generate a
signed URL for a resource.
To create a signed URL with gsutil:
Generate a new private key, or use an existing private key for a service account. The key can be in either JSON or PKCS12 format.
For more information on private keys and service accounts, see Service Accounts.
gsutil signurlcommand, passing in the path to the private key (stored on your computer) and the URL of the bucket or object you want to generate a signed URL for.
For example, using a key stored in the folder
Desktop, the following command generates a signed URL for users to view the object
cat.jpegfor 10 minutes.
gsutil signurl -d 10m Desktop/private-key.json gs://example-bucket/cat.jpeg
For more information on the
gsutil signurlcommand, including flag options such as
-d, and how to specify different HTTP methods, see the
gsutil signurlpage, or display help with
gsutil signurl --help.
If successful, your response should look like:
URL HTTP Method Expiration Signed URL gs://example-bucket/cat.jpeg GET 2016-03-17 11:17:10 https://storage.googleapis. com/example-bucket/cat.jpeg?GoogleAccessIdemail@example.com ccount.com&Expires=1458238630&Signature=VVUgfqviDCov%2B%2BKnmVOkwBR2olSbId51kSib uQeiH8ucGFyOfAVbH5J%2B5V0gDYIioO2dDGH9Fsj6YdwxWv65HE71VEOEsVPuS8CVb%2BVeeIzmEe8z 7X7o1d%2BcWbPEo4exILQbj3ROM3T2OrkNBU9sbHq0mLbDMhiiQZ3xCaiCQdsrMEdYVvAFggPuPq%2FE QyQZmyJK3ty%2Bmr7kAFW16I9pD11jfBSD1XXjKTJzgd%2FMGSde4Va4J1RtHoX7r5i7YR7Mvf%2Fb17 zlAuGlzVUf%2FzmhLPqtfKinVrcqdlmamMcmLoW8eLG%2B1yYW%2F7tlS2hvqSfCW8eMUUjiHiSWgZLE VIG4Lw%3D%3D
The signed URL is the string beginning with
and will likely extend for several lines. This URL can be used by any person
to access the associated resource (in this case
cat.jpeg) for the
designated time frame (in this case, 10 minutes).