Google Cloud Storage uses scopes to determine what permissions an identity has on a specified resource. Google scopes are formatted as urls. There are three basic types: read-only, read-write and full-control.
read-only
Only allows access to read data, including listing buckets.
https://www.googleapis.com/auth/devstorage.read_only
read-write
Allows access to read and change data, but not metadata like IAM policies.
https://www.googleapis.com/auth/devstorage.read_write
full-control
Allows full control over data, including the ability to modify IAM policies.
https://www.googleapis.com/auth/devstorage.full_control
For example, if you wanted to create a presigned url for a file download in C#:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
using System; using System.Net.Http; using System.IO; using Google.Cloud.Storage.V1; using Google.Apis.Auth.OAuth2; ServiceAccountCredential cred; var scopes = new string[] { "https://www.googleapis.com/auth/devstorage.read_only" }; cred = GoogleCredential .GetApplicationDefault(). .CreateScoped(scopes) .UnderlyingCredential as ServiceAccountCredential; UrlSigner urlSigner = UrlSigner.FromServiceAccountCredential(cred); var bucketName = "mybucket"; var objectName = "myfile.txt"; string url = urlSigner.Sign( bucketName, objectName, TimeSpan.FromHours(1), HttpMethod.Get); Console.WriteLine(url); |
Documentation for Scopes
Documentation for UrlSigner
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) virtualization. 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.
April 12, 2021 at 9:47 AM
Hi John, Many thanks for sharing the code. One remark though : there is a typo in this part “.GetApplicationDefault().” as the last dot is not necessary.
I am trying to use this approach in a GCP Cloud Function (C#) in order to generate a signed url for a bucket object, and my problem is exactly with “GoogleCredential.GetApplicationDefault()” as I am not sure if this call will succeed without providing ServiceAccount json key. On the other hand, this is “cloud side” as my Cloud Function runs onder this SA in the cloud environment.
So my question is if it is really necessary to provide ServiceAccount json key when using ServiceAccountCredential in GCP Cloud Function associated with the same SA, or GetApplicationDefault() will find anyway the credentials in this environment.
Can you comment on this if possible ?
BR