How do I make an object in Google Cloud Storage accessible via a link but require a key or some other form of verification to access it?


Question

I am creating an application that requires a file to be retrieved from a Google Cloud Storage bucket. Right now, I have the file's public access set to true so I can access it via URL.

Is it possible to still access the file via URL, but require some sort of authentication in the form of a key etc.?

I have looked through how IAM permissions work; however, I am not confident in my ability to use such tools proficiently yet.

Answer 1

Score: 0

You can't set a permission on a single object on Cloud Storage. The correct way to achieve that is to have a service that checks the permission of the user and the right to access the object.

If the user can access it and wants to download it, you can generate a signed URL and send it to the user. With this URL, the user can download the file in a secure way (the bucket is not public and only the signed URL can access the file, for a limited period of time).

Answer 2

Score: 0

That's not currently available.

One possible workaround would be to write your own small service that accepts whatever custom authorization or keys you like and then vends a short-lived signed URL as a redirection. So the user would send GET to https://yourservice.com/download?magicKey=12345, and then your service would evaluate it and maybe reply with a 304 to https://storage.googleapis.com/yourbucket/yourobject?elaborateSignedUrl, with the signed URL limited to just a minute or two of validity. This would solve your problem but would require writing and maintaining the URL vending service.
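
The URL vending service both answers describe, as an added example that is not code from either answer: it checks a presented key against a per-key allow-list and only then redirects to a two-minute signed URL. The `GRANTS` table, the key values and the function names are hypothetical; the signing call is `Blob.generate_signed_url` from the `google-cloud-storage` library, and the redirect here uses status 302.

```python
import hmac
from datetime import timedelta

# Constructed sample data: API key -> object names that key may download.
# A real service would load this from its own user/permission store.
GRANTS = {
    "k-alice-7f3a": {"reports/q1.pdf"},
    "k-bob-91cc": {"reports/q1.pdf", "raw/export.csv"},
}
URL_LIFETIME = timedelta(minutes=2)  # "a minute or two", as the answer suggests


def gcs_signer(bucket_name):
    """Return a signer backed by google-cloud-storage (imported lazily).

    Needs credentials that can sign, e.g. a service account with read
    access to the otherwise private bucket.
    """
    from google.cloud import storage
    bucket = storage.Client().bucket(bucket_name)

    def sign(object_name, lifetime):
        return bucket.blob(object_name).generate_signed_url(
            version="v4", expiration=lifetime, method="GET")
    return sign


def allowed_objects(presented_key):
    """Compare against every known key in constant time; empty set if unknown."""
    granted = set()
    for known, objects in GRANTS.items():
        if hmac.compare_digest(known.encode(), presented_key.encode()):
            granted = objects
    return granted


def handle_download(presented_key, object_name, sign):
    """Return (status, headers) for GET /download?magicKey=...&object=..."""
    if not presented_key:
        return 401, {}
    if object_name not in allowed_objects(presented_key):
        # Same answer for an unknown key and a forbidden object.
        return 403, {}
    url = sign(object_name, URL_LIFETIME)
    # no-store keeps the short-lived URL out of shared caches.
    return 302, {"Location": url, "Cache-Control": "no-store"}
```

In production, pass `gcs_signer("yourbucket")` as `sign`. A key sent in the query string ends up in access logs and browser history, so accepting it in a request header is worth considering.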

huangapple
  • Posted on April 13, 2023 at 14:58:55
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76002501.html