Lab to demonstrate how to create signed URLs for granting anyone with the URL access to objects in Cloud Storage.
-
Ensure the Following APIs are enabled (enable with gcloud services enable [service]):
- iam.googleapis.com
- storage-component.googleapis.com
-
gcloud projects add-iam-policy-binding [PROJECT_ID] \ --member serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com \ --role roles/iam.roleAdmin
You can use
gcloud list projects
to get the project ID and number. -
Deploy the deployment manager config in the
infrastructure
directory:gcloud deployment-manager deployments create lab --config infrastructure/deployment.yaml
-
Bind the Lab role to the student user or group
-
In macOS/Linux:
member="[GROUP_OR_USER]" project_id=$(gcloud config list --format 'value(core.project)') role=$(gcloud iam roles list --project $project_id \ --filter "name:projects/$project_id/roles/studentrole*" \ --format "value(name)") gcloud projects add-iam-policy-binding $project_id \ --member $member \ --role $role
-
In Windows (PowerShell):
$member = "[GROUP_OR_USER]" $project_id = gcloud config list --format 'value(core.project)' $role = gcloud iam roles list --project $project_id ` --filter "name:projects/$project_id/roles/studentrole*" ` --format "value(name)" gcloud projects add-iam-policy-binding $project_id ` --member $member ` --role $role
An example of
[GROUP_OR_USER]
isuser:student@gmail.com
. -
-
Start a Google Cloud Shell session.
-
Create a key for the pre-created storage account:
sa_email=$(gcloud iam service-accounts list --format='value(email)' | grep storage-signer) # service account email (ID) gcloud iam service-accounts keys create --iam-account $sa_email key.json
-
Upload a file to the pre-created bucket:
curl -L https://github.com/cloudacademy/gcp-lab-artifacts/raw/master/gcs/ca.png -o ca.png bucket=$(gsutil ls -b | sed 's/\/$//') # bucket with trailing slash removed gsutil cp ca.png $bucket
-
Install the Python OpenSSL library (required for signing URLs):
pip install pyopenssl --user
-
Grant the service account read access to the object:
gsutil acl ch -u $sa_email:READ $bucket/ca.png
-
Create a signed URL to access the object for five minutes:
gsutil signurl -d 5m key.json $bucket/ca.png
When finished, remove the GCP resources with:
-
In macOS/Linux:
bucket=$(gsutil ls -b gs://ca-lab-bucket-*) gsutil rm -r $bucket gcloud projects remove-iam-policy-binding $project_id \ --member $member \ --role $role gcloud deployment-manager deployments delete -q lab
-
In Windows (PowerShell):
$bucket = gsutil ls -b gs://ca-lab-bucket-* gsutil rm -r $bucket gcloud projects remove-iam-policy-binding $project_id ` --member $member ` --role $role gcloud deployment-manager deployments delete -q lab