google-cloud-storage-signed-urls

Lab to demonstrate how to create signed URLs for granting anyone with the URL access to objects in Cloud Storage.

Getting Started

Ensure the Following APIs are enabled (enable with gcloud services enable [service]):
- iam.googleapis.com
- storage-component.googleapis.com
Ensure the default Google APIs service account (used by deployment manager) has permission to create roles:
```
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com  \
--role roles/iam.roleAdmin
```
You can use gcloud list projects to get the project ID and number.

Deploy the deployment manager config in the infrastructure directory:

gcloud deployment-manager deployments create lab --config infrastructure/deployment.yaml

Bind the Lab role to the student user or group

In macOS/Linux:

member="[GROUP_OR_USER]"
project_id=$(gcloud config list --format 'value(core.project)')
role=$(gcloud iam roles list --project $project_id \
                             --filter "name:projects/$project_id/roles/studentrole*" \
                             --format "value(name)")
gcloud projects add-iam-policy-binding $project_id \
--member $member  \
--role $role

In Windows (PowerShell):

$member = "[GROUP_OR_USER]"
$project_id = gcloud config list --format 'value(core.project)'
$role = gcloud iam roles list --project $project_id `
                              --filter "name:projects/$project_id/roles/studentrole*" `
                              --format "value(name)"
gcloud projects add-iam-policy-binding $project_id `
--member $member  `
--role $role

An example of [GROUP_OR_USER] is user:student@gmail.com.

Following Along

Start a Google Cloud Shell session.

Create a key for the pre-created storage account:

sa_email=$(gcloud iam service-accounts list --format='value(email)' | grep storage-signer) # service account email (ID)
gcloud iam service-accounts keys create --iam-account $sa_email key.json

Upload a file to the pre-created bucket:

curl -L https://github.com/cloudacademy/gcp-lab-artifacts/raw/master/gcs/ca.png -o ca.png
bucket=$(gsutil ls -b | sed 's/\/$//') # bucket with trailing slash removed
gsutil cp ca.png $bucket

Install the Python OpenSSL library (required for signing URLs):
```
pip install pyopenssl --user
```
Grant the service account read access to the object:
```
gsutil acl ch -u $sa_email:READ $bucket/ca.png
```
Create a signed URL to access the object for five minutes:
```
gsutil signurl -d 5m key.json $bucket/ca.png
```

Tearing Down

When finished, remove the GCP resources with:

In macOS/Linux:

bucket=$(gsutil ls -b gs://ca-lab-bucket-*)
gsutil rm -r $bucket
gcloud projects remove-iam-policy-binding $project_id \
    --member $member  \
    --role $role
gcloud deployment-manager deployments delete -q lab

In Windows (PowerShell):

$bucket = gsutil ls -b gs://ca-lab-bucket-*
gsutil rm -r $bucket
gcloud projects remove-iam-policy-binding $project_id `
    --member $member  `
    --role $role
gcloud deployment-manager deployments delete -q lab

Name		Name	Last commit message	Last commit date
Latest commit History 11 Commits
infrastructure		infrastructure
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

google-cloud-storage-signed-urls

Getting Started

Following Along

Tearing Down

About

Releases

Packages

Languages

License

lrakai/google-cloud-storage-signed-urls

Folders and files

Latest commit

History

Repository files navigation

google-cloud-storage-signed-urls

Getting Started

Following Along

Tearing Down

About

Topics

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages