Suppose I have this scenario where I created a signed URL to a GCP object using the private key of the service account with the following command:
$ gsutil signurl -d 10m <private-key> gs://<bucket>/<obj>
Due to some reasons, I don't want to give out this signed URL, i.e., I want to revoke access.
I tried this by limiting the duration to 0s. But the issue is that every time we run the gsutil signurl command, a new URL is generated. Therefore the former one will still be accessible in my case.
$ gsutil signurl -d 0s <private-key> gs://<bucket>/<obj>
The solutions that I can think of are:
- Remove the "Storage Object Viewer" role from the service account (OR)
- Regenerate the JSON private key (OR)
- Delete this particular service account.
Kindly assist me if there are any better ways using gsutil to revoke the signed URL, and correct me if my solutions are apt in this scenario.
You would need to delete the service account key, which could have a several-minute delay and would also invalidate other signed URLs.
Validation of signed URLs is via the public key and timestamp. If the timestamp has not expired, all that is left is to delete the public key which requires deleting the service account's private key.
In the event that the signed URL was generated by the Google-managed service account key, then you must delete the service account.
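To scope the revocation described in the answer above, this added example (not part of the original question or answer) reads the signer and the expiry out of a signed URL, assuming the V4 query-parameter format (X-Goog-Credential, X-Goog-Date, X-Goog-Expires). The sample URL and the function name inspect_signed_url are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample URL: bucket, object, account and signature are placeholders.
SAMPLE_URL = (
    "https://storage.googleapis.com/example-bucket/report.pdf"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=signer%40example-project.iam.gserviceaccount.com"
    "%2F20240101%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20240101T120000Z"
    "&X-Goog-Expires=600"
    "&X-Goog-SignedHeaders=host"
    "&X-Goog-Signature=00ff"
)


def inspect_signed_url(url, now=None):
    """Return who signed a V4 signed URL and when it stops being valid."""
    now = now or datetime.now(timezone.utc)
    query = parse_qs(urlsplit(url).query)
    # Index the parameters by lower-cased name for lookup.
    params = {k.lower(): v[0] for k, v in query.items()}
    required = ("x-goog-credential", "x-goog-date", "x-goog-expires")
    missing = [name for name in required if name not in params]
    if missing:
        raise ValueError("not a V4 signed URL, missing: " + ", ".join(missing))

    # Credential scope: <signer>/<yyyymmdd>/<location>/storage/goog4_request
    signer = params["x-goog-credential"].split("/", 1)[0]
    issued = datetime.strptime(params["x-goog-date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    expires = issued + timedelta(seconds=int(params["x-goog-expires"]))
    remaining = max(0, int((expires - now).total_seconds()))
    return {
        "signer": signer,
        "issued": issued,
        "expires": expires,
        "seconds_remaining": remaining,
        # Until `expires`, only removing the signing key ends access.
        "needs_key_deletion": remaining > 0,
    }


if __name__ == "__main__":
    for field, value in inspect_signed_url(SAMPLE_URL).items():
        print(f"{field}: {value}")
```

The URL names the signing service account but not the specific key, so every user-managed key that existed on that account at the issue time is a candidate for deletion.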