Traffine I/O

English

2022-07-08

Presigned URL in GCS

Google Cloud
Google Cloud
Cloud Storage
Cloud Storage

Presigned URLs in Google Cloud Storage

In Google Cloud Storage (GCS), presigned URLs grant temporary access to a specific object stored within a bucket. This feature is especially helpful when you need to share an object with users who do not have direct access to GCS.

A presigned URL is generated using the credentials of a user who has appropriate permissions to access the target object. Once the URL is generated, it can be shared with any user. When this URL is used, GCS interprets the request as if it were made by the user who originally generated the URL.

The real strength of presigned URLs in GCS lies in their flexibility and control. They can be configured to allow specific operations such as READ (GET), WRITE (PUT), or DELETE. Furthermore, these URLs are temporary, with a set expiration time after which they can no longer be used.

One key point to note is that the security and access control lists (ACLs) of the object are not checked when a presigned URL is used. This is because the URL itself certifies that the user is authenticated and authorized to access the object.

Use Cases of Presigned URLs in GCS

Presigned URLs in GCS are versatile and can be used in a variety of scenarios. Here are a few common use cases:

  • Sharing Private Objects with Users who do not have GCP accounts
    Suppose you have data or files in GCS that you want to share with someone, but the other person does not have a Google Cloud Platform (GCP) account. Instead of making the data public or requiring them to create a GCP account, you can simply create a presigned URL and share it with them.

  • Allowing Temporary Access to an Object
    In cases where you need to grant someone temporary access to an object in your GCS bucket, presigned URLs are a perfect solution. You can specify an expiration time for the URL, after which it can no longer be used.

  • Uploading or Downloading Large Files to/from a Web or Mobile Application
    Presigned URLs can be used in web or mobile applications to directly upload or download large files to/from GCS. This offloads the burden of handling file transfers from your application server and can provide a better user experience, as users don't have to wait for the file to be uploaded to the server before it is transferred to GCS.

  • Distributing Content to Users in Different Geographical Locations
    If your application needs to distribute content to users in different geographical locations, you can use presigned URLs to allow users to download the content directly from GCS, which can provide faster download speeds due to GCS's global network.

Generating a Presigned URL in GCS

Generating a presigned URL in GCS involves several steps, and it requires you to have the appropriate permissions on the GCS bucket and object.

Before you can generate a presigned URL, you'll need to ensure that you have the appropriate permissions. This typically means having the roles/storage.objectAdmin or roles/storage.objectViewer Identity and Access Management (IAM) roles. If you don't have these permissions, you'll need to ask the owner of the bucket or a project owner to grant them to you.

You'll also need a service account with the necessary permissions, and you'll need to download a private key JSON file for that service account. This file will be used to generate the presigned URL.

Once you have the necessary permissions and the service account key file, you can generate the presigned URL. This can be done using the gsutil signurl command or the GCS client libraries in a programming language such as Python, Node.js, or Java.

Here's an example using gsutil:

bash
$ gsutil signurl -d 10m /path/to/service-account-key.json gs://your-bucket/your-object

This command will generate a presigned URL that is valid for 10 minutes (-d 10m) for the specified object (gs://your-bucket/your-object). The -d option specifies the duration that the URL will be valid.

Once you have generated a presigned URL, you can give it to a user or use it in your application. When a user receives the presigned URL, they can use it to download or upload a file directly to/from the GCS bucket.

The URL includes the bucket and object name, the access ID of the signing entity, and a signature that authenticates the request. It's important to note that the URL will only work for the specified time period and for the specified operation (GET, PUT, etc.).

Here's an example of how a user might use a presigned URL to download a file:

bash
$ curl 'https://storage.googleapis.com/your-bucket/your-object?GoogleAccessId=your-service-account-email&Expires=expiration-timestamp&Signature=signature'

In this command, curl is used to send a GET request to the presigned URL. The response is the contents of the specified object.

Similarly, a user can use a presigned URL to upload a file with a PUT request:

bash
$ curl -X PUT -H 'Content-Type: your-content-type' -d @/path/to/your-file 'presigned-url'

In this command, -X PUT specifies a PUT request, -H 'Content-Type: your-content-type' specifies the content type of the file being uploaded, and -d @/path/to/your-file specifies the file to upload. The presigned-url is the presigned URL you generated earlier.

References

https://cloud.google.com/storage/docs/access-control/signed-urls

Cloud Storage API

AlloyDB

AlloyDB
AlloyDB
Amazon Cognito
Amazon Cognito
Amazon EC2
Amazon EC2
Amazon ECS
Amazon ECS
Amazon QuickSight
Amazon QuickSight
Amazon RDS
Amazon RDS
Amazon Redshift
Amazon Redshift
Amazon S3
Amazon S3
API
API
Autonomous Vehicle
Autonomous Vehicle
AWS
AWS
AWS API Gateway
AWS API Gateway
AWS Chalice
AWS Chalice
AWS Control Tower
AWS Control Tower
AWS IAM
AWS IAM
AWS Lambda
AWS Lambda
AWS VPC
AWS VPC
BERT
BERT
BigQuery
BigQuery
Causal Inference
Causal Inference
ChatGPT
ChatGPT
Chrome Extension
Chrome Extension
CircleCI
CircleCI
Classification
Classification
Cloud Functions
Cloud Functions
Cloud IAM
Cloud IAM
Cloud Run
Cloud Run
Cloud Storage
Cloud Storage
Clustering
Clustering
CSS
CSS
Data Engineering
Data Engineering
Data Modeling
Data Modeling
Database
Database
dbt
dbt
Decision Tree
Decision Tree
Deep Learning
Deep Learning
Descriptive Statistics
Descriptive Statistics
Differential Equation
Differential Equation
Dimensionality Reduction
Dimensionality Reduction
Discrete Choice Model
Discrete Choice Model
Docker
Docker
Economics
Economics
FastAPI
FastAPI
Firebase
Firebase
GIS
GIS
git
git
GitHub
GitHub
GitHub Actions
GitHub Actions
Google
Google
Google Cloud
Google Cloud
Google Search Console
Google Search Console
Hugging Face
Hugging Face
Hypothesis Testing
Hypothesis Testing
Inferential Statistics
Inferential Statistics
Interval Estimation
Interval Estimation
JavaScript
JavaScript
Jinja
Jinja
Kedro
Kedro
Kubernetes
Kubernetes
LightGBM
LightGBM
Linux
Linux
LLM
LLM
Mac
Mac
Machine Learning
Machine Learning
Macroeconomics
Macroeconomics
Marketing
Marketing
Mathematical Model
Mathematical Model
Meltano
Meltano
MLflow
MLflow
MLOps
MLOps
MySQL
MySQL
NextJS
NextJS
NLP
NLP
Nodejs
Nodejs
NoSQL
NoSQL
ONNX
ONNX
OpenAI
OpenAI
Optimization Problem
Optimization Problem
Optuna
Optuna
Pandas
Pandas
Pinecone
Pinecone
PostGIS
PostGIS
PostgreSQL
PostgreSQL
Probability Distribution
Probability Distribution
Product
Product
Project
Project
Psychology
Psychology
Python
Python
PyTorch
PyTorch
QGIS
QGIS
R
R
ReactJS
ReactJS
Regression
Regression
Rideshare
Rideshare
SEO
SEO
Singer
Singer
sklearn
sklearn
Slack
Slack
Snowflake
Snowflake
Software Development
Software Development
SQL
SQL
Statistical Model
Statistical Model
Statistics
Statistics
Streamlit
Streamlit
Tabular
Tabular
Tailwind CSS
Tailwind CSS
TensorFlow
TensorFlow
Terraform
Terraform
Transportation
Transportation
TypeScript
TypeScript
Urban Planning
Urban Planning
Vector Database
Vector Database
Vertex AI
Vertex AI
VSCode
VSCode
XGBoost
XGBoost

Ryusei Kakujo

researchgatelinkedingithub

Focusing on data science for mobility

Bench Press 100kg!