Project author: lrakai

Project description:
Lab to demonstrate how to create presigned URLs for secure access to objects in Cloud Storage
Language: HTML
Repository: git://github.com/lrakai/google-cloud-storage-signed-urls.git
Created: 2018-10-26T14:12:48Z
Project community: https://github.com/lrakai/google-cloud-storage-signed-urls

License: MIT License

google-cloud-storage-signed-urls

Lab to demonstrate how to create signed URLs for granting anyone with the URL access to objects in Cloud Storage.

Final Environment

Getting Started

  1. Ensure the following APIs are enabled (enable with gcloud services enable [service]):

    • iam.googleapis.com
    • storage-component.googleapis.com
  2. Ensure the default Google APIs service account (used by Deployment Manager) has permission to create roles:

      gcloud projects add-iam-policy-binding [PROJECT_ID] \
        --member serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com \
        --role roles/iam.roleAdmin

    You can use gcloud projects list to get the project ID and number.

  3. Deploy the Deployment Manager config in the infrastructure directory:

      gcloud deployment-manager deployments create lab --config infrastructure/deployment.yaml
  4. Bind the Lab role to the student user or group:

    • In macOS/Linux:

        member="[GROUP_OR_USER]"
        project_id=$(gcloud config list --format 'value(core.project)')
        role=$(gcloud iam roles list --project $project_id \
          --filter "name:projects/$project_id/roles/studentrole*" \
          --format "value(name)")
        gcloud projects add-iam-policy-binding $project_id \
          --member $member \
          --role $role
    • In Windows (PowerShell):

        $member = "[GROUP_OR_USER]"
        $project_id = gcloud config list --format 'value(core.project)'
        $role = gcloud iam roles list --project $project_id `
          --filter "name:projects/$project_id/roles/studentrole*" `
          --format "value(name)"
        gcloud projects add-iam-policy-binding $project_id `
          --member $member `
          --role $role

      An example of [GROUP_OR_USER] is user:student@gmail.com.

Following Along

  1. Start a Google Cloud Shell session.

  2. Create a key for the pre-created storage-signer service account:

      sa_email=$(gcloud iam service-accounts list --format='value(email)' | grep storage-signer) # service account email (ID)
      gcloud iam service-accounts keys create --iam-account $sa_email key.json

    key.json holds the private key that signs every URL; anyone who obtains it can mint URLs for any object the service account can read, so keep it inside Cloud Shell and delete it when you are done.
  3. Upload a file to the pre-created bucket:

      curl -L https://github.com/cloudacademy/gcp-lab-artifacts/raw/master/gcs/ca.png -o ca.png
      bucket=$(gsutil ls -b | sed 's/\/$//') # bucket with trailing slash removed
      gsutil cp ca.png $bucket
  4. Install the Python OpenSSL library (gsutil signurl needs it to sign):

      pip install pyopenssl --user
  5. Grant the service account read access to the object. A signed URL can only do what the signing account is allowed to do, so grant read on this one object rather than a bucket-wide role:

      gsutil acl ch -u $sa_email:READ $bucket/ca.png
  6. Create a signed URL to access the object for five minutes:

      gsutil signurl -d 5m key.json $bucket/ca.png

    The URL is a bearer credential: anyone holding it can fetch the object until the five minutes elapse, with no Google account or IAM permission of their own. To cut access short before then, delete the signing key or remove the service account's read permission on the object.
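To make concrete what the signed URL produced above contains, and why "anyone with the URL" can use it until it expires, here is an added example that is not part of the lab or of gsutil. gsutil signurl signs with the RSA private key from key.json (the GOOG4-RSA-SHA256 algorithm); this example uses Cloud Storage's HMAC-key variant (GOOG4-HMAC-SHA256) instead so that it runs with the Python standard library alone, and it follows Google's documented V4 layout (canonical request, string to sign, per-day key derivation) as I understand it. The access ID, secret, bucket and object name are constructed, and the verify function checks only that the issuer and the checker agree, not the live service. It shows that the expiry is inside the signed data, so a holder cannot extend the window, and that the server checks the signature before it checks the clock.

```python
"""Issue and verify a Cloud Storage V4 signed URL offline (stdlib only).

Added example, not part of the lab. Uses the HMAC-key variant of V4 signing
so it runs without a crypto library; gsutil signurl uses the RSA key instead.
All credentials and names below are constructed, not real.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

HOST = "storage.googleapis.com"
ALGORITHM = "GOOG4-HMAC-SHA256"
MAX_EXPIRY = 7 * 24 * 3600  # V4 signed URLs may live at most 7 days

# Constructed credentials and names; not a real HMAC key or bucket.
ACCESS_ID = "GOOG1EXAMPLEACCESSID"
SECRET = "constructed-hmac-secret-not-real"
BUCKET = "ca-lab-bucket-example"
OBJECT = "ca.png"


def _signing_key(secret, date):
    """Per-day key: HMAC chain over date, region ('auto'), service, request type."""
    key = hmac.new(("GOOG4" + secret).encode(), date.encode(), hashlib.sha256).digest()
    for part in ("auto", "storage", "goog4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def _canonical_request(method, path, query):
    """What the signature covers: verb, path, sorted query, host header, unsigned payload."""
    qs = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    return "\n".join([method, path, qs, f"host:{HOST}", "", "host", "UNSIGNED-PAYLOAD"])


def _signature(secret, method, path, query, timestamp, scope):
    digest = hashlib.sha256(_canonical_request(method, path, query).encode()).hexdigest()
    string_to_sign = "\n".join([ALGORITHM, timestamp, scope, digest])
    day = scope.split("/")[0]
    return hmac.new(_signing_key(secret, day), string_to_sign.encode(), hashlib.sha256).hexdigest()


def sign_url(access_id, secret, bucket, obj, expires_seconds, now, method="GET"):
    """Return a URL granting `method` on gs://bucket/obj for expires_seconds from `now` (aware UTC)."""
    if not 1 <= expires_seconds <= MAX_EXPIRY:
        raise ValueError("expiry must be between 1 second and 7 days")
    timestamp = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now:%Y%m%d}/auto/storage/goog4_request"
    path = "/" + quote(bucket, safe="") + "/" + quote(obj, safe="/")
    query = {
        "X-Goog-Algorithm": ALGORITHM,
        "X-Goog-Credential": f"{access_id}/{scope}",
        "X-Goog-Date": timestamp,
        "X-Goog-Expires": str(expires_seconds),
        "X-Goog-SignedHeaders": "host",
    }
    query["X-Goog-Signature"] = _signature(secret, method, path, query, timestamp, scope)
    return f"https://{HOST}{path}?{urlencode(query)}"


def verify_url(url, secret, now, method="GET"):
    """Server-side check in the order the service applies it: signature first, then expiry."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = query.pop("X-Goog-Signature", "")
    if query.get("X-Goog-Algorithm") != ALGORITHM:
        return False, "unsupported algorithm"
    try:
        scope = query["X-Goog-Credential"].split("/", 1)[1]
        timestamp = query["X-Goog-Date"]
        expires = int(query["X-Goog-Expires"])
    except (KeyError, IndexError, ValueError):
        return False, "malformed query"
    expected = _signature(secret, method, parts.path, query, timestamp, scope)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"  # any edit to path, query or expiry lands here
    issued = dt.datetime.strptime(timestamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if now > issued + dt.timedelta(seconds=expires):
        return False, "expired"
    return True, "ok"


def demo():
    """Issue a 5-minute URL (the lab's -d 5m) and show what a checker accepts and rejects."""
    issued_at = dt.datetime(2018, 10, 26, 14, 12, 48, tzinfo=dt.timezone.utc)
    url = sign_url(ACCESS_ID, SECRET, BUCKET, OBJECT, 300, now=issued_at)
    soon = issued_at + dt.timedelta(minutes=4)
    late = issued_at + dt.timedelta(minutes=6)
    return {
        "url": url,
        "fresh": verify_url(url, SECRET, now=soon),
        # The holder cannot stretch the window: the expiry is inside the signed data.
        "tampered": verify_url(url.replace("X-Goog-Expires=300", "X-Goog-Expires=86400"), SECRET, now=soon),
        "stale": verify_url(url, SECRET, now=late),
        # Checking with a different secret models a deleted or rotated signing key.
        "rotated_key": verify_url(url, "some-other-secret", now=soon),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see the issued URL and the four outcomes. The same structure explains the two ways to cut access short mentioned above: a deleted key makes every URL it signed fail the signature check, and the expiry is fixed at signing time because it is part of the canonical request.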

Tearing Down

When finished, remove the GCP resources with the commands below. The project_id, member and role variables are the ones set during Getting Started; set them again if this is a new shell.

  • In macOS/Linux:

      bucket=$(gsutil ls -b gs://ca-lab-bucket-*)
      gsutil rm -r $bucket
      gcloud projects remove-iam-policy-binding $project_id \
        --member $member \
        --role $role
      gcloud deployment-manager deployments delete -q lab
  • In Windows (PowerShell):

      $bucket = gsutil ls -b gs://ca-lab-bucket-*
      gsutil rm -r $bucket
      gcloud projects remove-iam-policy-binding $project_id `
        --member $member `
        --role $role
      gcloud deployment-manager deployments delete -q lab

Also delete key.json from the Cloud Shell home directory so the service account's private key is not left behind.