Revoke the signed URL of the object that was created in GCP Cloud storage


Suppose I have this scenario where I created a signed URL to a GCP object using the private key of the service account with the following command.

$ gsutil signurl -d 10m <private-key> gs://<bucket>/<obj> 

For some reasons, I don't want to give out this signed URL, i.e., I want to revoke access.

I tried this by limiting the duration to 0s. But the issue is that every time we run the gsutil signurl command a new URL is generated. Therefore the former one will still be accessible, in my case.

$ gsutil signurl -d 0s <private-key> gs://<bucket>/<obj>

Solutions that I can think of are:

  1. Remove the "Storage Object Viewer" role from the service account (OR)
  2. Regenerate the JSON private key (OR)
  3. Delete this particular service account.

Kindly assist me if there are any better ways to revoke the signed URL using gsutil, and tell me whether my solutions are apt in this scenario.


There are 2 answers

Sathi Aiswarya

You would need to delete the service account key, which could have a delay of several minutes and would also invalidate other signed URLs.

Validation of signed URLs is via the public key and timestamp. If the timestamp has not expired, all that is left is to delete the public key, which requires deleting the service account's private key.

In the event that the signed URL was generated with the Google-managed service account key, you must delete the service account.

irous

According to the GCS docs, you have to wait for the expiration time or renew the service account. (https://cloud.google.com/storage/docs/access-control/signed-urls#should-you-use)

But those do not meet my requirement. So my workaround is to just rename the object. After renaming, the old signed URL immediately stops working.

(Be aware of the performance of the rename operation. The GCS docs state that it needs to copy and then delete, which is slow when processing a large file. But in practice, it looks like GCS just edits the file metadata to rename files in the same bucket. I tried renaming/moving a large file (1GB) in the same bucket and it was immediate.

Another issue is losing the original filename. I can think of some solutions, such as storing the original filename in the Cloud Storage file's metadata, or having a separate database (such as MySQL) for mapping the original filename to the corresponding storage filename.)
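The following is an added, offline model of why the options in the question (delete the key) and in the second answer (rename the object) revoke a signed URL while re-running `gsutil signurl -d 0s` does not. It is not code from the question, either answer, or Google; the bucket, key id, object names and secret are constructed fixtures. One substitution is labelled in the code: the thread signs with a service-account RSA key, while this model signs with an HMAC key (Cloud Storage also accepts those, as GOOG4-HMAC-SHA256) so that it runs on the Python standard library. The string-to-sign layout and the error strings are simplified and are the model's own, not the exact GCS wire format; what the model preserves is the security-relevant structure: the URL is self-contained, the server only checks expiry, signing key, signature over the path, and object existence, so those four are the only levers you have.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed fixtures, not real credentials or data. The service-account path the
# thread discusses signs with RSA-SHA256; Cloud Storage also accepts HMAC keys
# (X-Goog-Algorithm=GOOG4-HMAC-SHA256), which this model uses so it runs on the
# standard library. The string-to-sign layout and error strings below are
# simplified and are this model's own, not the exact GCS wire format.
KEY_ID = "GOOG1EXAMPLEKEY"
KEY_STORE = {KEY_ID: b"constructed-hmac-secret"}     # key id -> signing secret
OBJECTS = {"reports/q3.pdf": b"%PDF-constructed"}    # object name -> contents
BUCKET = "my-bucket"
HOST = "storage.googleapis.com"


def _string_to_sign(bucket, obj, key_id, issued_at, ttl):
    # Everything the signature binds: method, bucket + object path, signing key,
    # issue time and lifetime. The server recomputes this from the request.
    return "\n".join(["GOOG4-HMAC-SHA256", "GET", f"/{bucket}/{quote(obj)}",
                      key_id, str(issued_at), str(ttl)])


def _sign(secret, sts):
    return hmac.new(secret, sts.encode(), hashlib.sha256).hexdigest()


def sign_url(bucket, obj, key_id, secret, ttl, now=None):
    """Model of `gsutil signurl -d <ttl>`: every call mints a fresh, self-contained URL."""
    issued_at = int(time.time() if now is None else now)
    sig = _sign(secret, _string_to_sign(bucket, obj, key_id, issued_at, ttl))
    query = urlencode({"X-Goog-Algorithm": "GOOG4-HMAC-SHA256",
                       "X-Goog-Credential": key_id, "X-Goog-Date": issued_at,
                       "X-Goog-Expires": ttl, "X-Goog-Signature": sig})
    return f"https://{HOST}/{bucket}/{quote(obj)}?{query}"


def serve(url, key_store, objects, now):
    """Model of the server side. Returns (status, reason) for a GET of a signed URL."""
    parts = urlsplit(url)
    bucket, obj = parts.path.lstrip("/").split("/", 1)
    obj = unquote(obj)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    key_id = q["X-Goog-Credential"]
    issued_at, ttl = int(q["X-Goog-Date"]), int(q["X-Goog-Expires"])
    if now > issued_at + ttl:                     # 1. expiry baked into the URL
        return 400, "ExpiredToken"
    secret = key_store.get(key_id)                # 2. signing key must still exist
    if secret is None:
        return 403, "UnknownSigningKey"
    expected = _sign(secret, _string_to_sign(bucket, obj, key_id, issued_at, ttl))
    if not hmac.compare_digest(expected, q["X-Goog-Signature"]):
        return 403, "SignatureDoesNotMatch"      # 3. path and params must be untouched
    if obj not in objects:                        # 4. object must still be at that path
        return 404, "NoSuchKey"
    return 200, "OK"


def rename_object(objects, old, new):
    """The second answer's workaround: the old path stops resolving at once."""
    objects[new] = objects.pop(old)


def delete_key(key_store, key_id):
    """Option 2 from the question: every URL signed with that key dies together."""
    key_store.pop(key_id, None)


def demo():
    """Walk the thread's cases against fresh copies of the fixtures."""
    keys, objects, t0 = dict(KEY_STORE), dict(OBJECTS), 1_700_000_000
    url = sign_url(BUCKET, "reports/q3.pdf", KEY_ID, keys[KEY_ID], 600, now=t0)
    r = {"valid": serve(url, keys, objects, now=t0 + 60)}
    # `-d 0s` mints a different URL that is already expired; the first is untouched.
    zero = sign_url(BUCKET, "reports/q3.pdf", KEY_ID, keys[KEY_ID], 0, now=t0 + 60)
    r["zero_ttl_new_url"] = serve(zero, keys, objects, now=t0 + 61)
    r["original_still_valid"] = serve(url, keys, objects, now=t0 + 61)
    r["expired"] = serve(url, keys, objects, now=t0 + 601)
    # Rename: the signed path no longer has an object behind it, and the holder
    # cannot simply edit the path in the URL because the signature covers it.
    rename_object(objects, "reports/q3.pdf", "reports/q3-revoked.pdf")
    r["after_rename"] = serve(url, keys, objects, now=t0 + 120)
    r["edited_path"] = serve(url.replace("q3.pdf", "q3-revoked.pdf"),
                             keys, objects, now=t0 + 120)
    # Key deletion: the URL is intact but can no longer be verified.
    delete_key(keys, KEY_ID)
    r["after_key_delete"] = serve(url, keys, objects, now=t0 + 120)
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} -> {outcome}")
```

Two things the walk-through makes concrete: `zero_ttl_new_url` versus `original_still_valid` is the behaviour the question observed (each `gsutil signurl` run is an independent URL, so a short-lived new one says nothing about the old one), and `after_rename` versus `edited_path` is why the rename workaround holds up against a holder who notices the 404 and tries to guess the new name. On real GCP, the key-deletion lever is `gcloud iam service-accounts keys delete KEY_ID --iam-account=SA_EMAIL`, and the first answer's caveat applies: it invalidates every URL that key ever signed, not just the one you want gone.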