How to access Google Cloud Storage file with key

Question

I have a project running on Google Cloud Platform, and I currently have some images saved on GCP Storage. These have an "Authenticated" URL that I can access if I run it on my browser where I am logged in to my google account.

However, I want to make this accessible to others (not public though) so I can call it without having to be logged in, maybe just using an "key" instead. Is this possible in GCP? If so how can I do it?

I tried passing a bearer token but that didn't do anything. I would like to be able to pass a key in the header.

Answer 1

I want to make this accessible to others (not public though) so I can call it without having to be logged in, maybe just using an "key" instead. Is this possible in GCP?

No, Cloud Storage on its own doesn't provide this. You can set buckets and objects to be readable by everyone, but you shouldn't consider this "secure" by any means.

The closest alternative is to use Firebase on top of Cloud Storage to generate download URLs for objects in a bucket. These download URLs have data embedded in them that allow HTTP access to the object. If anyone has the URL, they can gain access to the object, so it's also not really "secure". You have to make sure that you only share these URLs with those who should have access to the object.

Answer 2

You would need to generate signed URLS, see https://cloud.google.com/storage/docs/access-control/signed-urls#types

There are 2 methods, either using a service account with the gcloud command talked about here https://cloud.google.com/storage/docs/access-control/signing-urls-with-helpers#command-line

gcloud storage sign-url gs://BUCKET_NAME/OBJECT_NAME --private-key-file=KEY_FILE --duration=10m

Or using one of the Google Datastore code libraries.

The 2nd option is to sign using an HMAC secret if your bucket is in S3 compatible mode. See https://cloud.google.com/storage/docs/authentication/signatures#signing-process