This page describes an algorithm for implementing the V4 signing process so that you can create Cloud Storage RSA key signed URLs in your own workflow, using a programming language of your choice.
Before you begin
Before creating a program that implements the V4 signing process, you must complete the following steps:
Create a service account. If you already have a service account, you can skip this step. For more information about service accounts, see Service accounts overview.
Give the service account sufficient permission to perform the request that the signed URL will make.
For example, if your signed URL will allow a user to read object data, the service account must itself have permission to read the object data.
If the signing method you intend to use is not built into Google Cloud, generate a new private key for the service account, or use an existing one. The key can be in either JSON or PKCS12 format.
Algorithm for signing URLs
Your program should include the following steps:
Construct the canonical request as a string. The canonical request defines elements that users must include in their request when they use your signed URL.
See Canonical Requests for details about the parts and format required.
Construct the string-to-sign. The string-to-sign is the basis for creating a signature and includes within it the hex-encoded hash value of the canonical request.
See Signatures for details about the format of the string-to-sign.
Sign the string-to-sign using an RSA signature with SHA-256. The result of this signing is your request signature. There are several options for signing:
- You can use the IAM signBlob method provided by Google Cloud. To use this method, you must enable the Service Account Credentials API.
- You can use a programming language that has a library for performing RSA signatures.
Construct the signed URL by using the following concatenation:
HOSTNAME + PATH_TO_RESOURCE + "?" + CANONICAL_QUERY_STRING + "&X-Goog-Signature=" + REQUEST_SIGNATURE
The signed URL has the following components:
- HOSTNAME: This should be https://storage.googleapis.com.
- PATH_TO_RESOURCE: This should match the value you used in constructing the canonical request.
- CANONICAL_QUERY_STRING: This should match the values you used in constructing the canonical request.
- REQUEST_SIGNATURE: This is the output from using an RSA signature in the previous step.
Here is a sample completed URL:
https://storage.googleapis.com/example-bucket/cat.jpeg?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=example%40example-project.iam.gserviceaccount.com%2F20181026%2Fus%2Fstorage%2Fgoog4_request&X-Goog-Date=20181026T211942Z&X-Goog-Expires=3600&X-Goog-SignedHeaders=host&X-Goog-Signature=2d2a6f5055eb004b8690b9479883292ae7450cdc15f17d7f99bc49b916f9e7429106ed7e5858ae6b4ab0bbbdb1a8ccc364dad3a0da2caebd30887a70c5b2569d089ceb8afbde3eed4dff5086f0db5483998c175980991fe899fbd2cd8cb813b00165e8d56e0a8aa7b3d7a12ee1baa8400611040f05b50a1a8eab5ba223fe1375747748de950ec7a4dc50f8382a6ffd4994ac42498d7daa703d9a414d4475154d0e7edaa92d4f2507d92c1f7e8efa7cab64df68b5df48575b9259d8d0bdb5dc752bdf07bd162d98ff2924f2e4a26fa6b3cede73ad5333c47d146a21c2ab2d97115986a12c68ff37346d6c2ca83e56b8ec8ad95632710b489b75c35697d781c38e
Python sample program
You can use the Cloud Storage client libraries to create signed URLs for many common programming languages. See V4 signing process with Cloud Storage tools for examples.
The following sample shows an implementation of the algorithm for signing URLs that does not use the Cloud Storage client libraries. The sample uses the Python programming language but can be adapted to the language of your choice.
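The page's own sample is not reproduced here. As an added example (not Google's sample code), the following Python program implements the four steps above without the client libraries: it signs only the host header, takes the signing step as a pluggable callable so each intermediate string can be inspected, and assumes the `cryptography` package for the RSA helper. The bucket, object, service-account address, date and expiry are the ones from the sample URL above.

```python
import hashlib
from urllib.parse import quote

ALGORITHM = "GOOG4-RSA-SHA256"
HOST = "storage.googleapis.com"

def build_signed_url(path, email, date_time, expires, signer, method="GET", location="us"):
    """Four V4 steps; `signer(bytes) -> bytes` does RSA-SHA256. Intermediate strings are returned too."""
    if not 1 <= expires <= 604800:  # a V4 signed URL may be valid for at most 7 days
        raise ValueError("X-Goog-Expires must be between 1 second and 7 days")
    # Step 1: canonical request. Only the host header is signed in this example.
    scope = f"{date_time[:8]}/{location}/storage/goog4_request"  # DATE/LOCATION/SERVICE/REQUEST_TYPE
    headers = {"host": HOST}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    query = {
        "X-Goog-Algorithm": ALGORITHM,
        "X-Goog-Credential": f"{email}/{scope}",
        "X-Goog-Date": date_time,
        "X-Goog-Expires": str(expires),
        "X-Goog-SignedHeaders": signed_headers,
    }
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    escaped_path = quote(path, safe="/~")
    canonical_request = "\n".join([method, escaped_path, canonical_query, canonical_headers, signed_headers, "UNSIGNED-PAYLOAD"])
    # Step 2: string-to-sign, carrying the hex-encoded SHA-256 of the canonical request.
    hashed = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join([ALGORITHM, date_time, scope, hashed])
    # Step 3: sign; the signature travels as lowercase hex.
    signature = signer(string_to_sign.encode("utf-8")).hex()
    # Step 4: HOSTNAME + PATH_TO_RESOURCE + "?" + CANONICAL_QUERY_STRING + "&X-Goog-Signature=" + SIGNATURE.
    url = f"https://{HOST}{escaped_path}?{canonical_query}&X-Goog-Signature={signature}"
    return {"canonical_request": canonical_request, "string_to_sign": string_to_sign, "url": url}

def rsa_sha256_signer(pem_bytes):
    """Signer backed by a PEM service-account key: PKCS#1 v1.5 with SHA-256 (assumes the cryptography package)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem_bytes, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())

if __name__ == "__main__":
    # Demo with a throwaway key generated on the fly; real use loads the service account's key file.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    pem = rsa.generate_private_key(public_exponent=65537, key_size=2048).private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    print(build_signed_url("/example-bucket/cat.jpeg", "example@example-project.iam.gserviceaccount.com",
                           "20181026T211942Z", 3600, rsa_sha256_signer(pem))["url"])
```

Everything before `&X-Goog-Signature=` in the output matches the sample URL above; only the signature differs because it depends on the private key.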
What's next
- Learn how to sign URLs with Cloud Storage tools such as client libraries or the Google Cloud CLI.
- Learn more about signed URLs.
- Learn about canonical requests, which underpin signed URLs.