Lab to demonstrate how to create signed URLs that grant anyone holding the URL time-limited access to objects in Cloud Storage.
Ensure the Following APIs are enabled (enable with gcloud services enable [service]):
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com \
--role roles/iam.roleAdmin
You can use gcloud projects list to get the project ID and project number.
Deploy the Deployment Manager config in the infrastructure directory:
gcloud deployment-manager deployments create lab --config infrastructure/deployment.yaml
Bind the Lab role to the student user or group
In macOS/Linux:
member="[GROUP_OR_USER]"
project_id=$(gcloud config list --format 'value(core.project)')
role=$(gcloud iam roles list --project $project_id \
--filter "name:projects/$project_id/roles/studentrole*" \
--format "value(name)")
gcloud projects add-iam-policy-binding $project_id \
--member $member \
--role $role
In Windows (PowerShell):
$member = "[GROUP_OR_USER]"
$project_id = gcloud config list --format 'value(core.project)'
$role = gcloud iam roles list --project $project_id `
--filter "name:projects/$project_id/roles/studentrole*" `
--format "value(name)"
gcloud projects add-iam-policy-binding $project_id `
--member $member `
--role $role
An example of [GROUP_OR_USER] is user:student@gmail.com.
Start a Google Cloud Shell session.
Create a key for the pre-created storage-signer service account:
sa_email=$(gcloud iam service-accounts list --format='value(email)' | grep storage-signer) # service account email (ID)
gcloud iam service-accounts keys create --iam-account $sa_email key.json
Upload a file to the pre-created bucket:
curl -L https://github.com/cloudacademy/gcp-lab-artifacts/raw/master/gcs/ca.png -o ca.png
bucket=$(gsutil ls -b | sed 's/\/$//') # bucket with trailing slash removed
gsutil cp ca.png $bucket
Install the Python OpenSSL library (required for signing URLs):
pip install pyopenssl --user
Grant the service account read access to the object:
gsutil acl ch -u $sa_email:READ $bucket/ca.png
Create a signed URL to access the object for five minutes:
gsutil signurl -d 5m key.json $bucket/ca.png
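A signed URL is a bearer credential: whoever holds it can fetch the object until it expires, and nothing in the URL tells Cloud Storage who is using it. Before handing one out (or when one turns up in a log, ticket or chat), it is worth checking who signed it, how long it stays valid, and whether that lifetime matches what you intended. The script below is an added example, not part of this lab's files: it parses the query string of a signed URL in either the V4 format (X-Goog-* parameters, what current gsutil versions emit) or the older V2 format (GoogleAccessId/Expires/Signature), computes the validity window, and flags policy problems. The sample URLs, signer address and project name in it are constructed placeholders, and the signature values are dummies; it does not verify signatures, since only Cloud Storage holds the information to do that.

```python
"""Audit a Cloud Storage signed URL: who signed it and how long it stays valid.

Added example for this lab, not part of the lab's own files. Works on the
query string only (standard library), so it runs offline; it does NOT verify
the signature.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Cloud Storage rejects V4 signed URLs valid for longer than seven days.
MAX_V4_LIFETIME = timedelta(days=7)


def inspect_signed_url(url, now=None):
    """Describe a signed URL: format, signer, object, issue/expiry times."""
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(url)
    # parse_qs percent-decodes values, so the '/' and '@' in the credential
    # come back as literal characters.
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    if "X-Goog-Signature" in q:
        version = "V4"
        # Credential is <signer-email>/<YYYYMMDD>/auto/storage/goog4_request
        signer = q["X-Goog-Credential"].split("/")[0]
        issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(q["X-Goog-Expires"]))
        expires = issued + lifetime
    elif "Signature" in q and "GoogleAccessId" in q:
        version = "V2"
        signer = q["GoogleAccessId"]
        issued = None  # V2 URLs carry only the absolute expiry time
        expires = datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
        lifetime = None
    else:
        raise ValueError("not a Cloud Storage signed URL")

    bucket, _, obj = parsed.path.lstrip("/").partition("/")
    return {
        "version": version,
        "signer": signer,
        "bucket": bucket,
        "object": obj,
        "issued": issued,
        "expires": expires,
        "lifetime": lifetime,
        "expired": expires <= now,
        "seconds_remaining": max(0, int((expires - now).total_seconds())),
    }


def check_policy(url, expected_signer, max_lifetime, now=None):
    """Return a list of findings (empty means the URL is within policy)."""
    info = inspect_signed_url(url, now)
    findings = []
    if info["signer"] != expected_signer:
        findings.append(f"signed by {info['signer']}, expected {expected_signer}")
    if info["expired"]:
        findings.append("already expired")
    lifetime = info["lifetime"]
    if lifetime is not None:
        if lifetime > MAX_V4_LIFETIME:
            findings.append("lifetime exceeds the 7-day Cloud Storage limit")
        if lifetime > max_lifetime:
            findings.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
    return findings


# Constructed sample URLs (placeholder signer, bucket and dummy signatures).
SIGNER = "storage-signer@example-project.iam.gserviceaccount.com"
V4_URL = (
    "https://storage.googleapis.com/ca-lab-bucket-example/ca.png"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=storage-signer%40example-project.iam.gserviceaccount.com"
    "%2F20240101%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20240101T120000Z&X-Goog-Expires=300"
    "&X-Goog-SignedHeaders=host&X-Goog-Signature=0000"
)
V2_URL = (
    "https://storage.googleapis.com/ca-lab-bucket-example/ca.png"
    "?GoogleAccessId=storage-signer%40example-project.iam.gserviceaccount.com"
    "&Expires=1704110700&Signature=AAAA"
)

if __name__ == "__main__":
    at = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)
    for url in (V4_URL, V2_URL):
        info = inspect_signed_url(url, now=at)
        print(info["version"], info["signer"], "->", info["expires"].isoformat(),
              "remaining:", info["seconds_remaining"], "s")
        print("findings:", check_policy(url, SIGNER, timedelta(minutes=5), now=at))
```

Run it against the output of the gsutil signurl command above (the URL is the last column of its output) and a lifetime policy of your choosing; a URL signed for days rather than minutes, or by a different service account than the lab's storage-signer, shows up as a finding.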
When finished, remove the GCP resources with:
In macOS/Linux:
bucket=$(gsutil ls -b gs://ca-lab-bucket-*)
gsutil rm -r $bucket
gcloud projects remove-iam-policy-binding $project_id \
--member $member \
--role $role
gcloud deployment-manager deployments delete -q lab
In Windows (PowerShell):
$bucket = gsutil ls -b gs://ca-lab-bucket-*
gsutil rm -r $bucket
gcloud projects remove-iam-policy-binding $project_id `
--member $member `
--role $role
gcloud deployment-manager deployments delete -q lab