Creating Signed URLs the secure way

  • Writer: Emanuel Burgess
  • Oct 6, 2023
  • 2 min read



Cloud Storage is a service within Google Cloud used for object storage. You can store unstructured data of any file format using it. This makes it a great service to integrate with applications that need object storage. You may want to host a simple static website or you want to create an application to deliver and store content like videos, movies, or music. If this is the case Cloud Storage is a great choice.



What is a Signed URL?


A Signed URL is a mechanism that gives temporary access to a Google Cloud Storage resource. Because Signed URLs carry their authentication information in the request itself, they allow a user to access a Cloud Storage resource without holding any credentials of their own.


Interacting with the Cloud Storage service


There are multiple ways you can interact with the Cloud Storage service. The Google Cloud CLI lets you interact with the service from your terminal. The console lets you interact through your web browser. The REST APIs let you interact with the service in JSON or XML format. Client libraries let you tap into the service using a language of your choice. Let’s take a look at using the Cloud Storage client library to create Signed URLs securely.


Secure integration


What is the best way to integrate Signed URLs into your application? You could use service account keys; however, a downloaded key is a long-lived secret that becomes a security risk if it falls into the wrong hands. The best way to integrate Signed URLs into your application is the V4 signing process. V4 signing is the process used to generate signatures for authenticating Cloud Storage XML API requests.


The best method for generating Signed URLs is to have Google Cloud IAM sign the request for you, so no private key ever lives in your application. The Service Account Token Creator IAM role lets IAM generate a token and sign the string for you. This role must be granted on your service account.


from datetime import datetime, timedelta, timezone

from google import auth
from google.auth.transport import requests
from google.cloud import storage

# Application default credentials; refresh so an access token is available
credentials, project = auth.default()
credentials.refresh(requests.Request())

# set vars
client = storage.Client(credentials=credentials)
bucket = client.get_bucket("Nameofbucket")
blob = bucket.get_blob("blobName")

# create a V4 signed URL; IAM signs on behalf of the service account,
# so the application never holds a private key
signed_url = blob.generate_signed_url(
    version="v4",
    expiration=datetime.now(timezone.utc) + timedelta(seconds=900),
    service_account_email=credentials.service_account_email,
    access_token=credentials.token,
)




There are a couple of things you need to set this up:


  1. Use application default credentials (ADC) to authenticate to the client library.

  2. A service account with a Service Account Token Creator role and Cloud Storage permissions.
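Once a URL has been generated, it is worth being able to say exactly what it grants: who signed it, when it expires, and whether its lifetime fits your policy. The following is an added example, not code from the original post, that parses the query string of a V4 Signed URL (X-Goog-Credential, X-Goog-Date, X-Goog-Expires and friends) and reports those facts. The sample URL, bucket, object and service-account names are constructed for the example, and the signature value is a placeholder rather than a real signature.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Hard ceiling Google imposes on V4 Signed URL lifetimes (7 days).
MAX_V4_LIFETIME = timedelta(days=7)
GOOG_DATE_FMT = "%Y%m%dT%H%M%SZ"

# Constructed sample URL: a V4 Signed URL for a 15-minute window. The bucket,
# object and service-account names are invented and the signature is a
# placeholder, not a real RSA-SHA256 signature.
SAMPLE_URL = (
    "https://storage.googleapis.com/Nameofbucket/blobName"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=app-sa%40my-project.iam.gserviceaccount.com"
    "%2F20231006%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20231006T120000Z"
    "&X-Goog-Expires=900"
    "&X-Goog-SignedHeaders=host"
    "&X-Goog-Signature=00placeholder00"
)


def _parse_goog_date(value):
    # X-Goog-Date is always UTC in the form YYYYMMDDTHHMMSSZ
    return datetime.strptime(value, GOOG_DATE_FMT).replace(tzinfo=timezone.utc)


def inspect_signed_url(url, policy_max_seconds=3600, now=None):
    """Parse a V4 Signed URL and report who signed it, when it expires and
    which local policy checks it fails. `now` is an X-Goog-Date style string
    (YYYYMMDDTHHMMSSZ) for reproducible checks; defaults to the current time."""
    query = parse_qs(urlparse(url).query)
    required = ["X-Goog-Algorithm", "X-Goog-Credential", "X-Goog-Date",
                "X-Goog-Expires", "X-Goog-SignedHeaders", "X-Goog-Signature"]
    missing = [name for name in required if name not in query]
    if missing:
        raise ValueError(f"not a V4 Signed URL; missing {missing}")
    if query["X-Goog-Algorithm"][0] != "GOOG4-RSA-SHA256":
        raise ValueError("unexpected signing algorithm")

    # Credential scope is <signer>/<YYYYMMDD>/auto/storage/goog4_request;
    # the first component identifies the account whose key signed the URL.
    signer = query["X-Goog-Credential"][0].split("/")[0]
    issued = _parse_goog_date(query["X-Goog-Date"][0])
    lifetime = timedelta(seconds=int(query["X-Goog-Expires"][0]))
    expires = issued + lifetime
    current = _parse_goog_date(now) if now else datetime.now(timezone.utc)

    findings = []
    if lifetime > MAX_V4_LIFETIME:
        findings.append("lifetime exceeds the 7-day V4 maximum; Cloud Storage rejects such URLs")
    if lifetime.total_seconds() > policy_max_seconds:
        findings.append(f"lifetime {int(lifetime.total_seconds())}s exceeds local policy of {policy_max_seconds}s")
    if not signer.endswith(".iam.gserviceaccount.com"):
        findings.append("signer is not a service account")
    if expires <= current:
        findings.append("URL has already expired")

    return {
        "signer": signer,
        "issued": issued.strftime(GOOG_DATE_FMT),
        "expires": expires.strftime(GOOG_DATE_FMT),
        "lifetime_seconds": int(lifetime.total_seconds()),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in inspect_signed_url(SAMPLE_URL, now="20231006T120500Z").items():
        print(f"{key}: {value}")
```

Running the check against the 15-minute sample five minutes after issue returns no findings; running it an hour later reports the URL as expired, and tightening policy_max_seconds to 600 flags the 900-second lifetime. The check only reads the URL and never validates the signature itself, which only Cloud Storage can do with the signer's key.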



Conclusion


Signed URLs give temporary access to Google Cloud Storage. The most secure way to create Signed URLs when using the client libraries is to create a service account with the Service Account Token Creator role and the needed Cloud Storage permissions, and let IAM sign the Signed URL for you rather than shipping a service account key with your application.

