V4 signing process with Cloud Storage tools

This page describes how to use gsutil and Cloud Storage Client Libraries to easily generate signed URLs. Signed URLs give time-limited read or write access to a specific Cloud Storage resource. Anyone in possession of the signed URL can use it while it's active, regardless of whether they have a Google account. To learn more about signed URLs, see the Overview of Signed URLs. To create signed URLs on your own, see V4 Signing Process With Your Own Program.

To generate a signed URL:


  1. Generate a new private key, or use an existing private key for a service account. The key can be in either JSON or PKCS12 format.

    For more information on private keys and service accounts, see Service Accounts.

  2. Use the gsutil signurl command, passing in the path to the private key from the previous step and the name of the bucket or object you want to generate a signed URL for.

    For example, using a key stored in the folder Desktop, the following command generates a signed URL for users to view the object cat.jpeg for 10 minutes.

    gsutil signurl -d 10m Desktop/private-key.json gs://example-bucket/cat.jpeg

If successful, your response should look like:

URL    HTTP Method    Expiration    Signed URL
gs://example-bucket/cat.jpeg GET 2018-10-26 15:19:52 https://storage.googleapis.

The signed URL is the string beginning with https://storage.googleapis.com and will likely extend for several lines. This URL can be used by any person to access the associated resource (in this case cat.jpeg) for the designated time frame (in this case, 10 minutes).

Code samples

The following samples show specifically how to create a signed URL that can get an object from Cloud Storage.


For more information, see the Cloud Storage C++ API reference documentation .

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string object_name) {
  StatusOr<std::string> signed_url = client.CreateV4SignedUrl(
      "GET", std::move(bucket_name), std::move(object_name),

  if (!signed_url) {
    throw std::runtime_error(signed_url.status().message());

  std::cout << "The signed url is: " << *signed_url << "\n\n"
            << "You can use this URL with any user agent, for example:\n"
            << "curl '" << *signed_url << "'\n";


For more information, see the Cloud Storage C# API reference documentation .

private void GenerateV4SignedGetUrl(string bucketName, string objectName)
    UrlSigner urlSigner = UrlSigner
    string url = urlSigner.Sign(bucketName, objectName, TimeSpan.FromHours(1), HttpMethod.Get);
    Console.WriteLine("Generated GET signed URL:");
    Console.WriteLine("You can use this URL with any user agent, for example:");
    Console.WriteLine($"curl '{url}'");


For more information, see the Cloud Storage Go API reference documentation .

jsonKey, err := ioutil.ReadFile(serviceAccount)
if err != nil {
	return "", fmt.Errorf("cannot read the JSON key file, err: %v", err)

conf, err := google.JWTConfigFromJSON(jsonKey)
if err != nil {
	return "", fmt.Errorf("google.JWTConfigFromJSON: %v", err)

opts := &storage.SignedURLOptions{
	Scheme:         storage.SigningSchemeV4,
	Method:         "GET",
	GoogleAccessID: conf.Email,
	PrivateKey:     conf.PrivateKey,
	Expires:        time.Now().Add(15 * time.Minute),

u, err := storage.SignedURL(bucketName, objectName, opts)
if err != nil {
	return "", fmt.Errorf("Unable to generate a signed URL: %v", err)

fmt.Fprintln(w, "Generated GET signed URL:")
fmt.Fprintf(w, "%q\n", u)
fmt.Fprintln(w, "You can use this URL with any user agent, for example:")
fmt.Fprintf(w, "curl %q\n", u)


For more information, see the Cloud Storage Java API reference documentation .

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The name of a bucket, e.g. "my-bucket"
// String bucketName = "my-bucket";

// The name of an object, e.g. "my-object"
// String objectName = "my-object";

// Define resource
BlobInfo blobinfo = BlobInfo.newBuilder(BlobId.of(bucketName, objectName)).build();

// Generate Signed URL
URL url =
    storage.signUrl(blobinfo, 15, TimeUnit.MINUTES, Storage.SignUrlOption.withV4Signature());

System.out.println("Generated GET signed URL:");
System.out.println("You can use this URL with any user agent, for example:");
System.out.println("curl '" + url + "'");


For more information, see the Cloud Storage Node.js API reference documentation .

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

 * TODO(developer): Uncomment the following lines before running the sample.
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const filename = 'File to access, e.g. file.txt';

// These options will allow temporary read access to the file
const options = {
  version: 'v4',
  action: 'read',
  expires: Date.now() + 15 * 60 * 1000, // 15 minutes

// Get a v4 signed URL for reading the file
const [url] = await storage

console.log('Generated GET signed URL:');
console.log('You can use this URL with any user agent, for example:');
console.log(`curl '${url}'`);


For more information, see the Cloud Storage PHP API reference documentation .

use Google\Cloud\Storage\StorageClient;

 * Generate a v4 signed URL for downloading an object.
 * @param string $bucketName the name of your Google Cloud bucket.
 * @param string $objectName the name of your Google Cloud object.
 * @return void
function get_object_v4_signed_url($bucketName, $objectName)
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $object = $bucket->object($objectName);
    $url = $object->signedUrl(
        # This URL is valid for 15 minutes
        new \DateTime('15 min'),
            'version' => 'v4',

    print('Generated GET signed URL:' . PHP_EOL);
    print($url . PHP_EOL);
    print('You can use this URL with any user agent, for example:' . PHP_EOL);
    print('curl ' . $url . PHP_EOL);


For more information, see the Cloud Storage Python API reference documentation .

def generate_download_signed_url_v4(bucket_name, blob_name):
    """Generates a v4 signed URL for downloading a blob.

    Note that this method requires a service account key file. You can not use
    this if you are using Application Default Credentials from Google Compute
    Engine or from the Google Cloud SDK.
    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    blob = bucket.blob(blob_name)

    url = blob.generate_signed_url(
        # This URL is valid for 15 minutes
        # Allow GET requests using this URL.

    print('Generated GET signed URL:')
    print('You can use this URL with any user agent, for example:')
    print('curl \'{}\''.format(url))
    return url

Oliko tästä sivusta apua? Kerro mielipiteesi

Palautteen aihe:

Tämä sivu
Cloud Storage
Tarvitsetko apua? Siirry tukisivullemme.