Uploads objects by using HTML forms. For tips on uploading to Cloud Storage, see best practices.
Unless you need to use HTML forms (usually through a web browser) to upload
objects, we strongly recommend using PUT
object instead of POST
.
Query string parameters
This request does not include query string parameters.
Form fields
Field | Description | Required |
---|---|---|
acl |
The predefined ACL that you want to apply to the object that is being uploaded.
If you do not specify this field the bucket's default ACL is applied. |
No |
bucket |
The name of the bucket that you want to upload to. Alternatively, you can include the bucket name in the key field or in the URI (for example, storage.googleapis.com/<bucket>). |
No |
Cache-Control |
The cache control for the object. You can only set cache control for an object that is accessible to all users. For instance, an object's ACL must be public-read or public-read-write to be able to set the cache-control. |
No |
Content-Disposition |
Specifies how the object data should be transmitted. For example, a Content-Disposition value of inline means that the object should be displayed immediately. |
No |
Content-Encoding |
The compression algorithm for the object, such as gzip . |
No |
Content-Length |
Specifies that uploaded files can only be between a certain size range in bytes. You can specify this condition using the following syntax: ["content-length-range", <min_range>, <max_range>]. | No |
Content-Type |
The MIME type of the file you are uploading via the form. If you do not specify a content type, the Cloud Storage system defaults to [`application/octet-stream`](https://tools.ietf.org/html/rfc2046#section-4.5.1) when it serves the content. | No |
Expires |
An ISO8601 timestamp that specifies the date and time before an object is considered stale by the browser. | No |
file |
The file you are uploading. Must be the last field in the form. You can upload only one object per request. | Yes |
GoogleAccessId |
The Cloud Storage email form of the client ID, as described in the section on Signed URLs. | Only if you specify a policy |
key |
The name of the object that you are uploading. If you specify the object name without the bucket name, you must append the bucket name to the URI (for example, storage.googleapis.com/<bucket>). If you specify the bucket name and object name (for example, bucket/object), you must specify only the URI (for example, storage.googleapis.com). You can also use the ${filename} variable if a user is providing a file name. Also, if you are using a bucket name that is a CNAME redirect, be sure that the bucket name is specified only once in your request. |
Yes |
policy |
The security policy that describes what can and cannot be uploaded in the form. The policy document must be Base64 encoded. See the policy document section for more information. *If you do not provide a security policy, requests are considered to be anonymous and will only work with buckets that have granted |
No* |
signature |
The signature of the Base64-encoded policy document you are including in the request. Your signature must be signed with the secret key associated with the GoogleAccessID you specified. (This is the email form of the client ID, as described in the section on Signed URLs). |
Only if you specify a policy |
success_action_redirect |
A URL that users are redirected to when an upload is successful. If you do not provide a URL, Cloud Storage responds with the status code that you specified in success_action_status . |
No |
success_action_status |
The status code that you want Cloud Storage to respond with when an upload is successful. The default is 204, but you can change this to 200 or 201. If you choose 200 or 204, Cloud Storage returns an empty document with those status codes. If you choose 201, Cloud Storage returns an XML document with the elements that are described in Response Body Elements. Note: The Adobe Flash player might not handle responses with an empty document body. You should use status code 201 if this is the case. | No |
x-goog-meta-* |
A field for custom metadata. You can use this to specify any additional metadata that is not provided by the other form fields. For example, x-goog-meta-reviewer: jane or x-goog-meta-project-manager: john is custom metadata. |
No |
Response body elements
The following response body elements are returned in an XML document only if
you set success_action_redirect
to 201.
Element | Description |
---|---|
Bucket |
Bucket in which the object was stored. |
ETag |
HTTP 1.1 entity tag for the object. |
Key |
The object's name. |
Location |
The URI for the object. |
Usage and examples
The form must be UTF-8 encoded. You can specify form encoding in the form's HTML head
tag or by using the Content-Type
request header.
Your form
tag must specify the following three items:
- An action.
The
action
attribute specifies the bucket that you want the form to upload an object to. - A method.
The
method
attribute specifies the method that you are using to submit the form. It must bepost
. - An enclosure type.
The
enctype
attribute specifies the enclosure type you are using and must always bemultipart/form-data
.
Policy Document
A policy document defines what a user (with or without a Google account) can upload with a form
POST, and provides authorization to ensure that the form can upload files into the target bucket.
You can use policy documents to allow visitors to a website to upload files to Cloud Storage.
You do not need to include a policy document in a form if your form uploads files to a bucket that
grants anonymous users WRITE
permission. For more information about
configuring access to buckets and objects in Cloud Storage, see
Access Control.
A policy document is constructed in JavaScript Object Notation (JSON) and contains the following sections:
Entry | Description |
---|---|
expiration |
The expiration time of the policy document. An expired policy document will cause the HTML form to break. This must be in ISO8601 format. |
conditions |
An array of conditions that every upload must satisfy. |
The conditions
section must include a condition statement for
every field in your HTML form except the GoogleAccessId
(the email
form of the client ID, as described in the section on Signed URLs),
signature
, file
, and policy
fields. It
is possible to express three types of conditions in your
conditions
section:
- Exact Matching
Performs exact matching for a field. The value of the input field's value must match the specified expected value. You can specify this condition using either of the following syntax styles:
{"<field>" : "<value>"} ["eq", "$<field>", "<value>"]
All valid policy document fields specified in the table below can use exact matching.
- Starts With
If a value of a field must start with a certain value, you can use the
starts-with
condition. You can specify this condition using the following syntax:["starts-with", "$<field>", "<value>"]
All valid policy document fields specified in the table below can use the
starts-with
condition. - Content Length Range
Specifies that uploaded files can only be between a certain size range in bytes. You can specify this condition using the following syntax:
["content-length-range", <min_range>, <max_range>]
You can express the following fields in the conditions
section,
using exact matching, content-length-range
or starts-
with
conditions:
Element | Description |
---|---|
acl |
ACL values for the object from possible predefined ACLs. |
bucket |
The bucket that will hold the object. |
cache-control |
Cache-control for the object. |
content-disposition |
Specifies how the object data should be transmitted. |
content-encoding |
The compression algorithm for the object. |
content-length
| The byte length of the request body. |
content-type
| The MIME type of the file that is being uploaded. |
expires |
An ISO8601 timestamp that specifies the data and time before an object is considered stale by the browser. |
key |
The name of the object you are uploading. |
success_action_redirect |
The URL the user's client is redirected to when the upload is successful. |
success_action_status |
The status code that you want Cloud Storage to respond with when an upload is successful. |
x-goog-meta-* |
An extension header that can be used to store additional metadata that is not provided by the other fields. |
The following is an example of a typical policy document:
{"expiration": "2010-06-16T11:11:11Z", "conditions": [ ["starts-with", "$key", "" ], {"acl": "bucket-owner-read" }, {"bucket": "travel-maps"}, {"success_action_redirect": "http://www.example.com/success_notification.html" }, ["eq", "$Content-Type", "image/jpeg" ], ["content-length-range", 0, 1000000] ] }
The previous policy document defines the following conditions:
- The form expires on June 16, 2010 at 11:11:11 UTC.
- The file name can start with any valid character. To specify this, you use the
starts-with
condition modifier and the empty string (""). - The
bucket-owner-read
ACL is applied to the file. - If the upload is successful, the user is redirected to
http://www.example.com/success_notification.html
. - The form allows only images to be uploaded.
- A user cannot upload a file larger than 1 MB.
If you are including a policy document in your form, you must include a
signature in the signature
form field. The following procedure
shows you how to create the signature:
- Create a policy document for your form and make sure it is UTF-8 encoded.
- Encode the policy document as a Base64 representation.
- Sign your policy document using RSA with SHA-256 using the secret key provided to you in the Google Cloud Console. If you are using interoperable access keys, sign instead using SHA-1.
- Encode the message digest as a Base64 representation.
The following pseudocode combines the steps above to create your signature:
Policy = Base-64-Encoding-Of(PolicyDocument) MessageDigest = SHA256withRSA(SecretKey, Policy) Signature = Base64-Encoding-Of(MessageDigest)
Below is the Python implementation of the code to create your signature.
Note that because the M2Crypto library only supports PKCS1 (PEM) formatting,
key.pem
is your service account PKCS12 key converted into the PKCS1 format.
from base64 import b64encode from M2Crypto import EVP def Sign(pem_key, message): assert pem_key key = EVP.load_key_string(pem_key) key.reset_context(md='sha256') key.sign_init() key.sign_update(str(message)) return key.sign_final() SecretKey = open('key.pem', 'r').read() Policy = b64encode(open('policy.txt', 'r').read()) Signature = b64encode(Sign(SecretKey, Policy)) print Policy print print Signature
The following is an example HTML using the policy document above:
<form action="http://travel-maps.storage.googleapis.com" method="post" enctype="multipart/form-data"> <input type="text" name="key" value=""> <input type="hidden" name="bucket" value="travel-maps"> <input type="hidden" name="Content-Type" value="image/jpeg"> <input type="hidden" name="GoogleAccessId" value="1234567890123@developer.gserviceaccount.com"> <input type="hidden" name="acl" value="bucket-owner-read"> <input type="hidden" name="success_action_redirect" value="http://www.example.com/success_notification.html"> <input type="hidden" name="policy" value="eyJleHBpcmF0aW9uIjogIjIwMTAtMDYtMTZUMTE6MTE6MTFaIiwNCiAiY29uZGl0aW9ucyI6IFsNCiAgWyJzdGFydHMtd2l0aCIsICJrZXkiLCAiIiBdLA0KICB7ImFjbCI6ICJidWNrZXQtb3duZXItcmVhZCIgfSwNCiAgeyJidWNrZXQiOiAidHJhdmVsLW1hcHMifSwNCiAgeyJzdWNjZXNzX2FjdGlvbl9yZWRpcmVjdCI6ICJodHRwOi8vd3d3LmV4YW1wbGUuY29tL3N1Y2Nlc3Nfbm90aWZpY2F0aW9uLmh0bWwiIH0sDQogIFsiZXEiLCAiQ29udGVudC1UeXBlIiwgImltYWdlL2pwZWciIF0sDQogIFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCAwLCAxMDAwMDAwXQ0KICBdDQp9"> <input type="hidden" name="signature" value="BSAMPLEaASAMPLE6SAMPLE+SAMPPLEqSAMPLEPSAMPLE+SAMPLEgSAMPLEzCPlgWREeF7oPGowkeKk7J4WApzkzxERdOQmAdrvshKSzUHg8Jqp1lw9tbiJfE2ExdOOIoJVmGLoDeAGnfzCd4fTsWcLbal9sFpqXsQI8IQi1493mw="> <input name="file" type="file"> <input type="submit" value="Upload"> </form>
As a best practice you should use the Expect: 100-continue
header
with POST requests. This allows you to verify that the server will handle the
request before you send the object. If you receive a status code 100 Continue
you should proceed with the request. If you receive a status code 417
Expectation Failed then you should not send the object.