  • I have a google cloud storage bucket and I want to access it only using Cloud CDN.

  • I have created a load balancer, created a signing key and given the service account almost all permissions, like Storage Admin, Storage Bucket Admin, Storage Legacy Bucket Owner etc.

  • Now I'm trying to access bucket content using a signed URL with PHP. It generates the signed URL but it gives

    403. That’s an error.
    Your client does not have permission to get URL

I have even tried it through gcloud compute sign-url. It does generate a signed URL but it also gives the same error.

Reproduction steps:

gcloud sign-url from cmd:

gcloud compute sign-url URL --expires-in=1566561600 --key-file=KEY_FILE --key-name=SIGNING_KEY

where URL is the IP generated for the load balancer, the expiry time is of course a future timestamp, --key-file is the JSON key file generated from the service account, and --key-name is the signing key from the origin details

I've applied the same thing to the PHP code where I'm generating the signed URL; I've taken reference from https://github.com/GoogleCloudPlatform/php-docs-samples

The service account seems to work perfectly when I'm not using CDN; if I access the bucket without CDN it works as expected.

Is there something wrong with the process I've followed?

Nikhil Radadiya
  • You mentioned that you would like to access the cloud storage bucket only using Cloud CDN. Also, you created a load balancer, created a signing key and added a service account. To clarify, could you share the steps to reproduce the issue. – Mohibul Mahmud Aug 20 '19 at 20:38
  • @MohibulMahmud added reproduction steps in the question – Nikhil Radadiya Aug 21 '19 at 05:12
  • What IAM roles are assigned to the service account? This is where your problem is at. https://cloud.google.com/storage/docs/access-control/iam-roles – John Hanley Aug 21 '19 at 05:56
  • @JohnHanley As mentioned in the question, I've tried almost every role like `Storage Admin`, `Storage Bucket Admin`, `Storage Object Admin` etc – Nikhil Radadiya Aug 21 '19 at 06:27
  • The account that you are using to sign the URL does not have read permission to Cloud Storage. Make sure you are granting roles to the correct account. – John Hanley Aug 21 '19 at 06:29
  • @JohnHanley doesn't `Storage Object Admin` have full control over it? Also I've given `Storage Object Viewer`, `Storage Legacy Object Reader` – Nikhil Radadiya Aug 21 '19 at 06:32
  • Yes, but only if you grant it to the correct account. The error message is clear, the account does not have permission. Double-check your work. – John Hanley Aug 21 '19 at 06:34
  • @JohnHanley Thanks, I only have 2 accounts and I've tried giving all available permissions to both accounts. It should work after that, right? – Nikhil Radadiya Aug 21 '19 at 06:36
  • Since you say you have granted permission and the command says you have not, which one is right? – John Hanley Aug 21 '19 at 06:41
  • @JohnHanley If I try to generate the signed URL through cmd it generates successfully, but when I access it in the browser it gives the above error – Nikhil Radadiya Aug 21 '19 at 06:44
  • @JohnHanley Error message should be right – Nikhil Radadiya Aug 21 '19 at 06:45
  • How do you know which account you are using to sign? There are User Accounts and Service Accounts. You have more than two accounts in GCP. There are several default service accounts. You might be using an account that you do not realize. Execute `gcloud auth list` to see the default account that the CLI is using. – John Hanley Aug 21 '19 at 06:52
  • @JohnHanley I'm using a JSON file that was created along with the service account and its keys; I'm using it to sign in, and it contains `type`, `project_id`, `private_key_id`, `private_key`, `client_email` etc. I can confirm from there which account I'm using – Nikhil Radadiya Aug 21 '19 at 06:56
  • @JohnHanley there is a strange thing: the 403 error only appears when I'm trying to use it via CDN; if I try to access the bucket without CDN it works perfectly – Nikhil Radadiya Aug 21 '19 at 06:57
  • You need to make sure you follow all of the steps here, including giving the Cloud CDN service account (read) access to your bucket: https://cloud.google.com/cdn/docs/using-signed-urls - if direct access (via unsigned URLs) to GCS works, then also make sure you are signing your URLs correctly. – elithrar Aug 24 '19 at 14:39
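The comments above split the problem into two independent checks: is the URL signed correctly, and does the Cloud CDN service account have read access to the bucket. The following is an added example, not code from the question, from php-docs-samples or from Google: a Python model of the Cloud CDN signed-URL scheme that both the gcloud command and the PHP sample implement (HMAC-SHA1 over the URL with Expires and KeyName appended, keyed with the raw bytes of the base64url-decoded key, Signature appended last), plus a local verifier that mirrors the checks the CDN edge performs. The host name, key name and key bytes are constructed placeholders. A URL that fails this local check was built wrong; one that passes but still gets a 403 from the load balancer points at permissions rather than signing, which is the IAM grant elithrar's comment describes.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed 128-bit key in base64url form, the shape of the key file handed to the
# backend bucket and to gcloud compute sign-url (hypothetical value, not a real key).
SIGNING_KEY_B64 = "AAECAwQFBgcICQoLDA0ODw=="
# A second constructed key, used only to show what signing with the wrong key looks like.
OTHER_KEY_B64 = base64.urlsafe_b64encode(b"\x11" * 16).decode("utf-8")
KEY_NAME = "demo-key"  # hypothetical name of the signing key on the backend bucket


def _key_bytes(base64url_key: str) -> bytes:
    """Decode a base64url key, tolerating a key file saved without '=' padding."""
    stripped = base64url_key.strip()
    return base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))


def sign_cdn_url(url: str, key_name: str, base64url_key: str, expires: int) -> str:
    """Append Expires, KeyName and Signature to `url` as Cloud CDN signed URLs require.

    The signature covers the full URL including Expires and KeyName, so changing
    any of them invalidates it. Signature has to be the last query parameter.
    """
    separator = "&" if "?" in url else "?"
    to_sign = f"{url}{separator}Expires={expires}&KeyName={key_name}"
    digest = hmac.new(_key_bytes(base64url_key), to_sign.encode("utf-8"), hashlib.sha1).digest()
    signature = base64.urlsafe_b64encode(digest).decode("utf-8")
    return f"{to_sign}&Signature={signature}"


def verify_cdn_url(signed_url: str, keys: dict, now: Optional[int] = None) -> tuple:
    """Local stand-in for the edge check; returns (accepted, reason).

    `keys` maps KeyName -> base64url key, like the keys configured on the backend
    bucket. A rejection here means the URL is malformed, expired or signed with a
    different key; it says nothing about IAM on the bucket.
    """
    now = int(time.time()) if now is None else now
    marker = "&Signature="
    idx = signed_url.rfind(marker)
    if idx < 0:
        return False, "missing Signature"
    unsigned, presented = signed_url[:idx], signed_url[idx + len(marker):]
    params = parse_qs(urlparse(unsigned).query)
    try:
        expires = int(params["Expires"][-1])
        key_name = params["KeyName"][-1]
    except (KeyError, ValueError):
        return False, "missing Expires or KeyName"
    if key_name not in keys:
        return False, "unknown KeyName"
    if expires <= now:
        return False, "expired"
    digest = hmac.new(_key_bytes(keys[key_name]), unsigned.encode("utf-8"), hashlib.sha1).digest()
    expected = base64.urlsafe_b64encode(digest).decode("utf-8")
    # Constant-time comparison so the check does not leak signature bytes by timing.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Sign a constructed URL and run it through the local checks with a fixed clock."""
    url = "https://cdn.example.test/videos/clip.mp4"  # hypothetical load balancer host
    expires = 1700000000
    signed = sign_cdn_url(url, KEY_NAME, SIGNING_KEY_B64, expires)
    keys = {KEY_NAME: SIGNING_KEY_B64}
    return {
        "signed": signed,
        "valid": verify_cdn_url(signed, keys, now=expires - 60),
        "expired": verify_cdn_url(signed, keys, now=expires),
        "tampered_path": verify_cdn_url(signed.replace("clip.mp4", "other.mp4"), keys, now=expires - 60),
        "wrong_key": verify_cdn_url(signed, {KEY_NAME: OTHER_KEY_B64}, now=expires - 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two practical notes on the page's command line: `--expires-in` takes a duration such as `30m` or `1h` rather than an absolute Unix timestamp, and the key file must hold the base64url-encoded key that was uploaded to the backend bucket, not the service account's JSON credentials. Neither mistake produces a URL that this local verifier accepts, which is what makes the check useful for separating signing errors from a missing read grant for the Cloud CDN service account.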

1 Answer


Cloud Storage has a built-in CDN, so using Cloud Storage signed URL for your use case should suffice. In regards to using signed URLs, internally they work approximately the same, and generate the URL almost the same way.

Germán A.
  • Cloud Storage has a caching layer, but it is not a truly distributed CDN. Useful for improving performance on regularly accessed objects, but Cloud CDN will be cheaper (per GB transferred) & has other CDN-centric features over GCS. – elithrar Aug 24 '19 at 14:37