5

I'm serving a static page on Google Cloud Storage. It works perfectly well as long as it is public. Now I set up an ACL so that only users of one group can read the storage and unauthenticated users get redirected to Google authentication. The problem now is that the static content of the website, like JavaScript and CSS, can't be found anymore and I get 404 errors there. The static content is in the storage bucket as well, and it works fine with public URLs. When using authenticated URLs, it does not work anymore.

Is my attempt at serving an access-controlled page right? I guess so, because it works, except for the static content. So do you have any ideas what I am missing here?

jo87casi
  • 411
  • 5
  • 15
  • Can you share how the users are authenticated? What is their identity provider? – guillaume blaquiere Nov 14 '20 at 20:19
  • They are identified by the cookies in their browsers. If not, the Google sign-in opens. The authentication is not the problem. The problem is Google's redirect after opening the authenticated URL. Therefore the relative paths of the static content of my index.html do not match the available paths in the bucket anymore. For instance https://storage.cloud.google.com/my-bucket/develop/index.html gets redirected to https://00f74ba44bd1084ee9a92e238338e39aa18f98e6ba-apidata.googleusercontent.com/download/storage/v1/b/my-bucket/o/develop%2Findex.html?$parameters – jo87casi Nov 15 '20 at 11:06
  • The authentication isn't a problem, but, because you use Google accounts, my answer is simpler! – guillaume blaquiere Nov 15 '20 at 12:59

2 Answers

4

Try to deploy your file on App Engine. For this:

  1. In the same root directory as your static file, create an app.yaml file with this content:

```yaml
# The runtime is not used to serve anything here: every handler below is a
# static_files handler, so any supported runtime works.
runtime: nodejs10
env: standard
instance_class: F1
handlers:
  # Site root -> index.html
  - url: /
    static_files: index.html
    require_matching_file: false
    upload: index.html
  # Every other path maps 1:1 onto a file in the deployed directory,
  # so relative links in index.html keep resolving.
  - url: /(.*)
    static_files: /\1
    require_matching_file: false
    upload: /.*
  - url: .*
    script: auto
```

  2. Deploy on App Engine: gcloud app deploy
  3. Check if it works on the provided URL.

If so:

  1. Go to Security -> Identity-Aware Proxy (IAP)
  2. Activate IAP for App Engine; it's possible that the OAuth consent screen has to be configured at this step if you didn't do it before
  3. Select the checkbox on the left of your root service, and go to the info panel on the right of the page
  4. Add members, groups or a domain with the role IAP-secured Web App User

Test and enjoy!

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • Yes, sure it works if you're serving the files with node. But my initial plan was to stick with gcs. Thanks anyway – jo87casi Nov 19 '20 at 21:06
  • Use the runtime that you want! Node, Python, Java, Go, (...). It isn't used, because only static files are served! – guillaume blaquiere Nov 19 '20 at 21:13
  • @jo87casi did you try this workaround? In my case it works perfectly for serving a static website with restricted access; unfortunately GCS lacks this kind of control. – Jan Hernandez Nov 23 '20 at 16:19
2

You can use the following workaround to add user authentication to static pages served from GCS buckets.

First you need to create a public file called redirect.html. This file will be the entry point of your static web page, and you need to add the following content:

```html
<html>
  <head>
    <!-- Immediately send the browser to the authenticated download URL of the real entry page -->
    <meta http-equiv="Refresh" content="0; url=https://storage.cloud.google.com/[yourbucketname]/index.html">
  </head>
  <body>
    Redirecting to your site..
  </body>
</html>
```

index.html and the other files must be private files with read permission granted to selected users.

The magic behind this is that your browser will prompt you to choose a Google account in case it doesn't have any active Google account.

And only the users with the Reader permission (or other roles with read access) will be able to access your static website.

Just a friendly reminder: this will take the main Google account in the browser. If your browser has more than one Google account this can cause authentication issues; if this happens, use an incognito window.

You can find more information in this Medium article.

Extra step

If you have enabled Data Access logs, this workaround will throw some authentication issues; you need to add exemptions for the users who will use the authenticated site.

To do this, in Cloud Console, navigate to IAM & Admin > Audit Logs. Look through the list or filter for Google Cloud Storage. Click on the row.

In the info panel on the right side, on the Exempted Users tab, click Add Exempted User.

Jan Hernandez
  • 4,414
  • 2
  • 12
  • 18
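The asker's comment pins the breakage down: storage.cloud.google.com answers a cookie-authenticated request with a redirect to a one-off apidata.googleusercontent.com download URL, so every relative src/href in index.html is resolved against that host and 404s. If you want to stay on GCS (the redirect.html approach above), one workaround is to make every asset reference absolute, pointing at https://storage.cloud.google.com/<bucket>/<object>, so each asset goes through the same authenticated redirect and the same bucket ACL as the page itself. The script below is an added example, not code from the question or either answer: it rewrites relative references in a page, maps root-relative paths to the bucket root, rejects references that would escape the bucket, and reports what it changed so you can review the list against the bucket's ACL. The bucket name, object path and sample index.html are constructed for the example.

```python
"""Rewrite relative asset references in a static HTML page into absolute
https://storage.cloud.google.com/<bucket>/<object> URLs (added example)."""
import html
import posixpath
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit, urlunsplit

AUTH_NETLOC = "storage.cloud.google.com"   # cookie-authenticated download host

# (tag, attribute) pairs whose value references another object in the bucket.
URL_ATTRS = {
    ("script", "src"), ("link", "href"), ("img", "src"),
    ("a", "href"), ("source", "src"), ("iframe", "src"),
}


def is_relative(url: str) -> bool:
    """True for references the browser resolves against the page URL."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:   # https://..., data:, mailto:, //cdn/...
        return False
    return bool(parts.path)            # '#top' or '?x=1' alone are left alone


def absolutize(url: str, bucket: str, page_object: str) -> str:
    """Map a relative reference to the authenticated download URL of the object."""
    parts = urlsplit(url)
    if parts.path.startswith("/"):
        target = parts.path.lstrip("/")                      # root-relative: bucket root
    else:
        target = posixpath.join(posixpath.dirname(page_object), parts.path)
    target = posixpath.normpath(target)
    if target == ".." or target.startswith("../"):
        raise ValueError(f"{url!r} escapes the bucket root")
    path = f"/{quote(bucket)}/{quote(target)}"               # keeps '/' , encodes spaces etc.
    return urlunsplit(("https", AUTH_NETLOC, path, parts.query, parts.fragment))


class _Rewriter(HTMLParser):
    """Re-emits the document verbatim except for rewritten start tags."""

    def __init__(self, bucket: str, page_object: str):
        super().__init__(convert_charrefs=False)
        self.bucket, self.page_object = bucket, page_object
        self.out: list[str] = []
        self.rewritten: list[tuple[str, str]] = []   # (original, absolute) for review

    def _emit_tag(self, tag, attrs, self_closing):
        pieces = [tag]
        for name, value in attrs:
            if value is not None and (tag, name) in URL_ATTRS and is_relative(value):
                new = absolutize(value, self.bucket, self.page_object)
                self.rewritten.append((value, new))
                value = new
            pieces.append(name if value is None
                          else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs): self._emit_tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._emit_tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")
    def handle_pi(self, data): self.out.append(f"<?{data}>")
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")


def rewrite_page(page_html: str, bucket: str, page_object: str):
    """Return (rewritten_html, [(original_ref, absolute_url), ...])."""
    parser = _Rewriter(bucket, page_object)
    parser.feed(page_html)
    parser.close()
    return "".join(parser.out), parser.rewritten


# Constructed sample page, as if stored at gs://my-bucket/develop/index.html
SAMPLE_INDEX = """<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="css/site.css?v=2">
<script src="/shared/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head>
<body>
<img src="../img/logo.png" alt="logo">
<a href="#top">top</a>
<a href="docs/page.html">docs</a>
</body>
</html>
"""

if __name__ == "__main__":
    out, changes = rewrite_page(SAMPLE_INDEX, "my-bucket", "develop/index.html")
    for old, new in changes:
        print(f"{old} -> {new}")
    print(out)
```

Two caveats when using this: every object the rewritten page now points at must carry the same private ACL as index.html, because an asset accidentally left public loads fine and the list of rewrites is the easiest place to check that; and because each asset is now a separate authenticated redirect, the multi-account problem the answer mentions applies to every asset request, not only to the entry page.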