Create a GET-signed URL for an object using Cloud Storage libraries (V4)

  namespace 
  
 gcs 
  
 = 
  
 :: 
 google 
 :: 
 cloud 
 :: 
 storage 
 ; 
 using 
  
 :: 
 google 
 :: 
 cloud 
 :: 
 StatusOr 
 ; 
 []( 
 gcs 
 :: 
 Client 
  
 client 
 , 
  
 std 
 :: 
 string 
  
 const 
&  
 bucket_name 
 , 
  
 std 
 :: 
 string 
  
 const 
&  
 object_name 
 , 
  
 std 
 :: 
 string 
  
 const 
&  
 signing_account 
 ) 
  
 { 
  
 StatusOr<std 
 :: 
 string 
>  
 signed_url 
  
 = 
  
 client 
 . 
 CreateV4SignedUrl 
 ( 
  
 "GET" 
 , 
  
 bucket_name 
 , 
  
 object_name 
 , 
  
 gcs 
 :: 
 SignedUrlDuration 
 ( 
 std 
 :: 
 chrono 
 :: 
 minutes 
 ( 
 15 
 )), 
  
 gcs 
 :: 
 SigningAccount 
 ( 
 signing_account 
 )); 
  
 if 
  
 ( 
 ! 
 signed_url 
 ) 
  
 throw 
  
 std 
 :: 
 move 
 ( 
 signed_url 
 ). 
 status 
 (); 
  
 std 
 :: 
 cout 
 << 
 "The signed url is: " 
 << 
 * 
 signed_url 
 << 
 " 
 \n\n 
 " 
 << 
 "You can use this URL with any user agent, for example: 
 \n 
 " 
 << 
 "curl '" 
 << 
 * 
 signed_url 
 << 
 "' 
 \n 
 " 
 ; 
 } 
 

  using 
  
  Google.Apis.Auth.OAuth2 
 
 ; 
 using 
  
  Google.Cloud.Storage.V1 
 
 ; 
 using 
  
 System 
 ; 
 using 
  
 System.Net.Http 
 ; 
 public 
  
 class 
  
 GenerateV4SignedReadUrlSample 
 { 
  
 public 
  
 string 
  
 GenerateV4SignedReadUrl 
 ( 
  
 string 
  
 bucketName 
  
 = 
  
 "your-unique-bucket-name" 
 , 
  
 string 
  
 objectName 
  
 = 
  
 "your-object-name" 
 ) 
  
 { 
  
  UrlSigner 
 
  
 urlSigner 
  
 = 
  
  UrlSigner 
 
 . 
  FromCredential 
 
 ( 
  GoogleCredential 
 
 . 
  GetApplicationDefault 
 
 ()); 
  
 // V4 is the default signing version. 
  
 string 
  
 url 
  
 = 
  
 urlSigner 
 . 
  Sign 
 
 ( 
 bucketName 
 , 
  
 objectName 
 , 
  
 TimeSpan 
 . 
 FromHours 
 ( 
 1 
 ), 
  
  HttpMethod 
 
 . 
 Get 
 ); 
  
 Console 
 . 
 WriteLine 
 ( 
 "Generated GET signed URL:" 
 ); 
  
 Console 
 . 
 WriteLine 
 ( 
 url 
 ); 
  
 Console 
 . 
 WriteLine 
 ( 
 "You can use this URL with any user agent, for example:" 
 ); 
  
 Console 
 . 
 WriteLine 
 ( 
 $"curl '{url}'" 
 ); 
  
 return 
  
 url 
 ; 
  
 } 
 } 
 

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 "time" 
  
 "cloud.google.com/go/storage" 
 ) 
 // generateV4GetObjectSignedURL generates object signed URL with GET method. 
 func 
  
 generateV4GetObjectSignedURL 
 ( 
 w 
  
 io 
 . 
  Writer 
 
 , 
  
 bucket 
 , 
  
 object 
  
 string 
 ) 
  
 ( 
 string 
 , 
  
 error 
 ) 
  
 { 
  
 // bucket := "bucket-name" 
  
 // object := "object-name" 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 storage 
 . 
 NewClient 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 "" 
 , 
  
 fmt 
 . 
 Errorf 
 ( 
 "storage.NewClient: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
 Close 
 () 
  
 // Signing a URL requires credentials authorized to sign a URL. You can pass 
  
 // these in through SignedURLOptions with one of the following options: 
  
 //    a. a Google service account private key, obtainable from the Google Developers Console 
  
 //    b. a Google Access ID with iam.serviceAccounts.signBlob permissions 
  
 //    c. a SignBytes function implementing custom signing. 
  
 // In this example, none of these options are used, which means the SignedURL 
  
 // function attempts to use the same authentication that was used to instantiate 
  
 // the Storage client. This authentication must include a private key or have 
  
 // iam.serviceAccounts.signBlob permissions. 
  
 opts 
  
 := 
  
& storage 
 . 
  SignedURLOptions 
 
 { 
  
 Scheme 
 : 
  
 storage 
 . 
  SigningSchemeV4 
 
 , 
  
 Method 
 : 
  
 "GET" 
 , 
  
 Expires 
 : 
  
 time 
 . 
 Now 
 (). 
  Add 
 
 ( 
 15 
  
 * 
  
 time 
 . 
 Minute 
 ), 
  
 } 
  
 u 
 , 
  
 err 
  
 := 
  
 client 
 . 
  Bucket 
 
 ( 
 bucket 
 ). 
 SignedURL 
 ( 
 object 
 , 
  
 opts 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 "" 
 , 
  
 fmt 
 . 
 Errorf 
 ( 
 "Bucket(%q).SignedURL: %w" 
 , 
  
 bucket 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintln 
 ( 
 w 
 , 
  
 "Generated GET signed URL:" 
 ) 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "%q\n" 
 , 
  
 u 
 ) 
  
 fmt 
 . 
 Fprintln 
 ( 
 w 
 , 
  
 "You can use this URL with any user agent, for example:" 
 ) 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "curl %q\n" 
 , 
  
 u 
 ) 
  
 return 
  
 u 
 , 
  
 nil 
 } 
 

  import 
  
 com.google.cloud.storage. BlobId 
 
 ; 
 import 
  
 com.google.cloud.storage. BlobInfo 
 
 ; 
 import 
  
 com.google.cloud.storage. Storage 
 
 ; 
 import 
  
 com.google.cloud.storage. StorageException 
 
 ; 
 import 
  
 com.google.cloud.storage. StorageOptions 
 
 ; 
 import 
  
 java.net.URL 
 ; 
 import 
  
 java.util.concurrent.TimeUnit 
 ; 
 public 
  
 class 
 GenerateV4GetObjectSignedUrl 
  
 { 
  
 /** 
 * Signing a URL requires Credentials which implement ServiceAccountSigner. These can be set 
 * explicitly using the Storage.SignUrlOption.signWith(ServiceAccountSigner) option. If you don't, 
 * you could also pass a service account signer to StorageOptions, i.e. 
 * StorageOptions().newBuilder().setCredentials(ServiceAccountSignerCredentials). In this example, 
 * neither of these options are used, which means the following code only works when the 
 * credentials are defined via the environment variable GOOGLE_APPLICATION_CREDENTIALS, and those 
 * credentials are authorized to sign a URL. See the documentation for Storage.signUrl for more 
 * details. 
 */ 
  
 public 
  
 static 
  
 void 
  
 generateV4GetObjectSignedUrl 
 ( 
  
 String 
  
 projectId 
 , 
  
 String 
  
 bucketName 
 , 
  
 String 
  
 objectName 
 ) 
  
 throws 
  
  StorageException 
 
  
 { 
  
 // String projectId = "my-project-id"; 
  
 // String bucketName = "my-bucket"; 
  
 // String objectName = "my-object"; 
  
  Storage 
 
  
 storage 
  
 = 
  
  StorageOptions 
 
 . 
 newBuilder 
 (). 
 setProjectId 
 ( 
 projectId 
 ). 
 build 
 (). 
  getService 
 
 (); 
  
 // Define resource 
  
  BlobInfo 
 
  
 blobInfo 
  
 = 
  
  BlobInfo 
 
 . 
 newBuilder 
 ( 
  BlobId 
 
 . 
 of 
 ( 
 bucketName 
 , 
  
 objectName 
 )). 
 build 
 (); 
  
 URL 
  
 url 
  
 = 
  
 storage 
 . 
  signUrl 
 
 ( 
 blobInfo 
 , 
  
 15 
 , 
  
 TimeUnit 
 . 
 MINUTES 
 , 
  
 Storage 
 . 
 SignUrlOption 
 . 
 withV4Signature 
 ()); 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 "Generated GET signed URL:" 
 ); 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 url 
 ); 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 "You can use this URL with any user agent, for example:" 
 ); 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 "curl '" 
  
 + 
  
 url 
  
 + 
  
 "'" 
 ); 
  
 } 
 } 
 

  /** 
 * TODO(developer): Uncomment the following lines before running the sample. 
 * Note: when creating a signed URL, unless running in a GCP environment, 
 * a service account must be used for authorization. 
 */ 
 // The ID of your GCS bucket 
 // const bucketName = 'your-unique-bucket-name'; 
 // The full path of your file inside the GCS bucket, e.g. 'yourFile.jpg' or 'folder1/folder2/yourFile.jpg' 
 // const fileName = 'your-file-name'; 
 // Imports the Google Cloud client library 
 const 
  
 { 
 Storage 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/storage 
' 
 ); 
 // Creates a client 
 const 
  
 storage 
  
 = 
  
 new 
  
 Storage 
 (); 
 async 
  
 function 
  
 generateV4ReadSignedUrl 
 () 
  
 { 
  
 // These options will allow temporary read access to the file 
  
 const 
  
 options 
  
 = 
  
 { 
  
 version 
 : 
  
 'v4' 
 , 
  
 action 
 : 
  
 'read' 
 , 
  
 expires 
 : 
  
 Date 
 . 
 now 
 () 
  
 + 
  
 15 
  
 * 
  
 60 
  
 * 
  
 1000 
 , 
  
 // 15 minutes 
  
 }; 
  
 // Get a v4 signed URL for reading the file 
  
 const 
  
 [ 
 url 
 ] 
  
 = 
  
 await 
  
 storage 
  
 . 
 bucket 
 ( 
 bucketName 
 ) 
  
 . 
 file 
 ( 
 fileName 
 ) 
  
 . 
 getSignedUrl 
 ( 
 options 
 ); 
  
 console 
 . 
 log 
 ( 
 'Generated GET signed URL:' 
 ); 
  
 console 
 . 
 log 
 ( 
 url 
 ); 
  
 console 
 . 
 log 
 ( 
 'You can use this URL with any user agent, for example:' 
 ); 
  
 console 
 . 
 log 
 ( 
 `curl ' 
 ${ 
 url 
 } 
 '` 
 ); 
 } 
 generateV4ReadSignedUrl 
 (). 
 catch 
 ( 
 console 
 . 
 error 
 ); 
 

  use Google\Cloud\Storage\StorageClient; 
 /** 
 * Generate a v4 signed URL for downloading an object. 
 * 
 * @param string $bucketName The name of your Cloud Storage bucket. 
 *        (e.g. 'my-bucket') 
 * @param string $objectName The name of your Cloud Storage object. 
 *        (e.g. 'my-object') 
 */ 
 function get_object_v4_signed_url(string $bucketName, string $objectName): void 
 { 
 $storage = new StorageClient(); 
 $bucket = $storage->bucket($bucketName); 
 $object = $bucket->object($objectName); 
 $url = $object->signedUrl( 
 # This URL is valid for 15 minutes 
 new \DateTime('15 min'), 
 [ 
 'version' => 'v4', 
 ] 
 ); 
 print('Generated GET signed URL:' . PHP_EOL); 
 print($url . PHP_EOL); 
 print('You can use this URL with any user agent, for example:' . PHP_EOL); 
 print('curl ' . $url . PHP_EOL); 
 } 
 

  import 
  
 datetime 
 from 
  
 google.cloud 
  
 import 
  storage 
 
 def 
  
 generate_download_signed_url_v4 
 ( 
 bucket_name 
 , 
 blob_name 
 ): 
  
 """Generates a v4 signed URL for downloading a blob. 
 Note that this method requires a service account key file. 
 """ 
 # bucket_name = 'your-bucket-name' 
 # blob_name = 'your-object-name' 
 storage_client 
 = 
  storage 
 
 . 
  Client 
 
 () 
 bucket 
 = 
 storage_client 
 . 
  bucket 
 
 ( 
 bucket_name 
 ) 
 blob 
 = 
 bucket 
 . 
 blob 
 ( 
 blob_name 
 ) 
 url 
 = 
 blob 
 . 
 generate_signed_url 
 ( 
 version 
 = 
 "v4" 
 , 
 # This URL is valid for 15 minutes 
 expiration 
 = 
 datetime 
 . 
 timedelta 
 ( 
 minutes 
 = 
 15 
 ), 
 # Allow GET requests using this URL. 
 method 
 = 
 "GET" 
 , 
 ) 
 print 
 ( 
 "Generated GET signed URL:" 
 ) 
 print 
 ( 
 url 
 ) 
 print 
 ( 
 "You can use this URL with any user agent, for example:" 
 ) 
 print 
 ( 
 f 
 "curl ' 
 { 
 url 
 } 
 '" 
 ) 
 return 
 url 
 

  def 
  
 generate_signed_url_v4 
  
 bucket_name 
 :, 
  
 file_name 
 : 
  
 # The ID of your GCS bucket 
  
 # bucket_name = "your-unique-bucket-name" 
  
 # The ID of your GCS object 
  
 # file_name = "your-file-name" 
  
 require 
  
 "google/cloud/storage" 
  
 storage 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  Storage 
 
 . 
  new 
 
  
 storage_expiry_time 
  
 = 
  
 5 
  
 * 
  
 60 
  
 # 5 minutes 
  
 url 
  
 = 
  
 storage 
 . 
 signed_url 
  
 bucket_name 
 , 
  
 file_name 
 , 
  
 method 
 : 
  
 "GET" 
 , 
  
 expires 
 : 
  
 storage_expiry_time 
 , 
  
 version 
 : 
  
 :v4 
  
 puts 
  
 "Generated GET signed url:" 
  
 puts 
  
 url 
  
 puts 
  
 "You can use this URL with any user agent, for example:" 
  
 puts 
  
 "curl 
 #{ 
 url 
 } 
 " 
 end