Google Cloud Storage Signed URL for Entire Bucket?
I have user-owned objects in a Google Cloud Storage bucket which I'm controlling access to through a webapp backend. Currently, the webapp backend authenticates the user and then generates signed read URLs for the object. This works great, but can result in a high volume of URLs being generated in response to a bulk action. The failure rate of these signed URLs is very low, but when enough of them are generated some fail, and a timeout or connection reset is noticeable to users.
Is there any way to give this kind of controlled, time-limited access to users at the bucket level, or in bulk in another way, without creating GCP accounts for users?
Solution 1:
You are correct, all of these methods require a service account. After further investigation, there is no way to provide access without a GCP account.
At the bucket level, there are uniform bucket-level access, Identity and Access Management (IAM), and Access Control Lists (ACLs). If you want to avoid creating GCP accounts for the users, then try Access Control Lists (ACLs).
With this access control you can also determine who the readers, writers and owners will be. This access control lets you grant access to anyone who has an external email address, which will save you the time of creating GCP accounts for the users. Here are the scopes of who can be granted access:
And here is what each scope covers:
Google account email address:
Every user who has a Google account must have a unique email address associated with that account. You can specify a scope by using any email address that is associated with a Google account, such as a gmail.com address.
Cloud Storage remembers email addresses as they are provided in ACLs until the entries are removed or replaced. If a user changes email addresses, you should update ACL entries to reflect these changes.
Google group email address:
Every Google group has a unique email address that is associated with the group. For example, the Cloud Storage Announce group has the following email address: [email protected]. You can find the email address that is associated with a Google group by clicking About on the homepage of every Google group.
Like Google account email addresses, Cloud Storage remembers group email addresses as they are provided in ACLs until the entries are removed. You do not need to worry about updating Google Group email addresses, because Google Group email addresses are permanent and unlikely to change.
Convenience values for projects:
Convenience values allow you to grant bulk access to your project's viewers, editors, and owners. Convenience values combine a project role and an associated project number. For example, in project 867489160491, editors are identified as editors-867489160491. You can find your project number on the homepage of the Google Cloud Console.
You should generally avoid using convenience values in production environments, because they require granting basic roles, a practice which is discouraged in production environments.
G Suite or Cloud Identity:
G Suite and Cloud Identity customers can associate their email accounts with an Internet domain name. When you do this, each email account takes the form USERNAME@YOUR_DOMAIN.com. You can specify a scope by using any Internet domain name that is associated with G Suite or Cloud Identity.
Special identifier for all Google account holders:
This special scope identifier represents anyone who is authenticated with a Google account. The special scope identifier for all Google account holders is allAuthenticatedUsers. Note that while this identifier is a User entity type, when using the Cloud Console it's labeled as a Public entity type.
Special identifier for all users:
This special scope identifier represents anyone who is on the Internet, with or without a Google account. The special scope identifier for all users is allUsers. Note that while this identifier is a User entity type, when using the Cloud Console it's labeled as a Public entity type.
You have full control of the access you want the users to have. You can learn about the access and what each does with the following links: Link 1, Link 2.
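As an added illustration (not part of the answer above), the following Python parses bucket ACL entries in the shape the Cloud Storage JSON API returns them (`{"entity": ..., "role": ...}`) into the scopes the answer describes, and flags the grants a reviewer would look at before relying on ACLs in production: the public scopes `allUsers` and `allAuthenticatedUsers`, convenience values, and principals outside an expected domain. The sample ACL and `example.com` domain are constructed for the example.

```python
import re

# Entity prefixes used by the Cloud Storage JSON API for the ACL scopes described above.
_ENTITY_RE = re.compile(
    r"^(?:(?P<kind>user|group|domain)-(?P<value>.+)"
    r"|project-(?P<team>owners|editors|viewers)-(?P<project>\d+)"
    r"|(?P<special>allUsers|allAuthenticatedUsers))$"
)

def classify_entity(entity):
    """Return (scope, value) for an ACL entity string, or raise ValueError."""
    m = _ENTITY_RE.match(entity)
    if not m:
        raise ValueError(f"unrecognized ACL entity: {entity!r}")
    if m.group("special"):
        return "public", m.group("special")
    if m.group("team"):
        return "convenience", f"{m.group('team')}-{m.group('project')}"
    return m.group("kind"), m.group("value")

def audit_bucket_acl(acl, allowed_domain=None):
    """Return (entity, role, reason) for each ACL entry worth reviewing."""
    findings = []
    for entry in acl:
        scope, value = classify_entity(entry["entity"])
        role = entry["role"]
        if scope == "public":
            who = "anyone on the Internet" if value == "allUsers" else "anyone with a Google account"
            findings.append((entry["entity"], role, f"grants access to {who}"))
        elif scope == "convenience":
            findings.append((entry["entity"], role, "convenience value; relies on basic project roles"))
        elif scope in ("user", "group") and allowed_domain and \
                not value.lower().endswith("@" + allowed_domain.lower()):
            findings.append((entry["entity"], role, f"principal outside {allowed_domain}"))
        elif role == "OWNER" and scope != "user":
            findings.append((entry["entity"], role, "OWNER granted to a non-user scope"))
    return findings

# Constructed sample ACL (not from the page); project number reused from the answer's example.
SAMPLE_ACL = [
    {"entity": "user-alice@example.com", "role": "OWNER"},
    {"entity": "group-data-readers@example.com", "role": "READER"},
    {"entity": "domain-example.com", "role": "READER"},
    {"entity": "project-editors-867489160491", "role": "WRITER"},
    {"entity": "allUsers", "role": "READER"},
    {"entity": "user-contractor@gmail.com", "role": "READER"},
]

if __name__ == "__main__":
    for entity, role, why in audit_bucket_acl(SAMPLE_ACL, allowed_domain="example.com"):
        print(f"{entity} ({role}): {why}")
```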
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow