Signed url for gcp bucket object fails with access denied


When I generate a signed download URL with a service account for an object within a GCP storage bucket, I expect it to be usable by anyone without authentication. However, I keep getting "Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object". What am I doing wrong?

url, err := gcs.SignedURL(bktName, so.Name(), &gcs.SignedURLOptions{
    GoogleAccessID: serviceAccountName,
    Method:         "GET",
    Expires:        time.Now().Add(duration),
    // ContentType and Headers are signed together with the method and expiry,
    // so the request made with the URL must carry exactly these values.
    ContentType:    md.RenditionMetadata[0].ContentType,
    Headers:        []string{fmt.Sprintf("x-goog-meta-filename: %s", md.RenditionMetadata[0].FileName)},
    // SignBytes delegates signing to the IAM signBlob API instead of a local private key.
    SignBytes: func(b []byte) ([]byte, error) {
        signedBlob, err := iam.SignBlob(s.GoogleIamService(), serviceAccountName, b)
        if err != nil {
            return nil, err
        }
        return []byte(signedBlob), nil
    },
})

The service account I'm using has Storage Object Creator and Storage Object Viewer roles ...

2

There are 2 answers

0
Gellaboina Ashish On

Follow the guide for Creating a signed URL to download an object: https://cloud.google.com/storage/docs/samples/storage-generate-signed-url-v4

Alternatively, you can make use of gsutil commands to create a signed URL: https://cloud.google.com/storage/docs/gsutil/commands/signurl

0
Raf Van Durm On

If you specify headers when creating a signed URL, you must include them when 'curling' the generated URL ;-)
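To show why the headers matter, here is an added stand-alone Go sketch (not code from the question or either answer): the content type and every x-goog-* header passed at signing time are part of the V2 string-to-sign behind GoogleAccessId/Expires/Signature URLs, so a client that omits them produces a different string and the signature no longer verifies. It assumes the V2 scheme that the question's options correspond to, uses a locally generated RSA key in place of the IAM SignBlob call, and the bucket, object, expiry and header values are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"sort"
	"strconv"
	"strings"
)

// stringToSign builds the V2 string a signed-URL signature covers: verb, Content-MD5
// (empty for GET), Content-Type, expiry in Unix seconds, the sorted x-goog-* headers as
// "name:value" (lower-cased, trimmed), then "/bucket/object". Whatever ContentType and
// Headers were passed at signing time are therefore baked into the signature.
func stringToSign(verb, contentType string, expires int64, headers map[string]string, bucket, object string) string {
	canon := make([]string, 0, len(headers))
	for name, val := range headers {
		canon = append(canon, strings.ToLower(strings.TrimSpace(name))+":"+strings.TrimSpace(val)+"\n")
	}
	sort.Strings(canon)
	return verb + "\n\n" + contentType + "\n" + strconv.FormatInt(expires, 10) + "\n" +
		strings.Join(canon, "") + "/" + bucket + "/" + object
}

// verify replays the server: rebuild the string from the request as actually sent and
// check it against the Signature query parameter.
func verify(pub *rsa.PublicKey, s string, sig []byte) bool {
	d := sha256.Sum256([]byte(s))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// demo signs a GET like the question (content type plus x-goog-meta-filename; constructed
// sample values, local test key instead of the IAM signBlob API) and reports whether a
// client that repeats those headers verifies, and whether a bare curl sending neither does.
func demo() (withHeaders, bare bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	const bkt, obj, exp = "example-bucket", "renditions/report.pdf", int64(1700000000)
	signed := stringToSign("GET", "application/pdf", exp, map[string]string{"x-goog-meta-filename": "report.pdf"}, bkt, obj)
	d := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:]) // the SignBytes/SignBlob step
	if err != nil {
		return false, false, err
	}
	return verify(&key.PublicKey, signed, sig), verify(&key.PublicKey, stringToSign("GET", "", exp, nil, bkt, obj), sig), nil
}
```

The real library and GCS also URL-encode the base64 signature and check the expiry; only the header-binding part is reproduced here.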