Generating Signed URLs with gsutil

This page describes how to use gsutil to easily generate signed URLs. Signed URLs give time-limited read or write access to a specific Cloud Storage resource. Anyone in possession of the signed URL can use it while it's active, regardless of whether they have a Google account. To learn more about signed URLs, see the Overview of Signed URLs. To learn how to create signed URLs on your own, see Generating Signed URLs with Your Own Program.

To create a signed URL:


  1. Generate a new private key, or use an existing private key for a service account. The key can be in either JSON or PKCS12 format.

    For more information on private keys and service accounts, see Service Accounts.

  2. Use the gsutil signurl command, passing in the path to the private key from the previous step and the name of the bucket or object you want to generate a signed URL for.

    For example, using a key stored in the folder Desktop, the following command generates a signed URL for users to view the object cat.jpeg for 10 minutes.

    gsutil signurl -d 10m Desktop/private-key.json gs://example-bucket/cat.jpeg

If successful, your response should look like:

URL    HTTP Method    Expiration    Signed URL
gs://example-bucket/cat.jpeg GET 2018-10-26 15:19:52 https://storage.googleapis.

The signed URL is the string beginning with and will likely extend for several lines. This URL can be used by any person to access the associated resource (in this case cat.jpeg) for the designated time frame (in this case, 10 minutes).

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Storage
Need help? Visit our support page.