
my goals:

  • storage bucket with static index.html (that is not public to "allUsers")
  • global external load balancer (classic) with backend bucket + cloud armor edge policy allowing only certain ip ranges
  • url mapping etc.

question:

is it possible to achieve this scenario WITHOUT making the storage bucket public, so that a request for /test/index.html is routed to the (private) storage backend bucket?

all tutorials i can find always make the storage bucket public to "allUsers". in this case, even with a load balancer with an edge security policy, one can access the file directly by hitting the storage bucket's public url.

we want to publish frontend parts that should only be reachable by a proxy service that is hosted in aws (with fixed nat ips) and managed by another team. so i want to be able to put these frontend parts into a storage bucket that gets served via an external load balancer (classic), but it should not be public: every request should be routed through the lb, where the backend bucket has a cloud armor edge security policy attached that only allows access from certain ip ranges (the aws nat ips of the other team).

is that possible?

niesfisch
  • Do you want to reach the non-public Cloud Storage file with your browser or with API calls? – guillaume blaquiere Jul 01 '22 at 20:11
  • @guillaumeblaquiere i want to reach it via browser. browser -> glb -> bucket -> index.html – niesfisch Jul 03 '22 at 16:55
  • If your browser (website) is able to generate an access token and add it in the authorization header, yes, it's possible. It also means that you have to first serve the static files without permission to load the website, and then use the website to authenticate the users and access the files. But it also requires that all your users are granted an IAM role (or the users belong to the same Google Group), and therefore that all the users have a Google account for that. – guillaume blaquiere Jul 03 '22 at 18:57
  • @guillaumeblaquiere the users will be coming from fixed ip ranges (NAT). my hope was that i can secure the backend bucket via a cloud armor edge ip-based policy. e.g. browser (fixed ip) -> glb -> armor edge policy -> backend bucket. – niesfisch Jul 04 '22 at 06:29
  • This might help: https://codelabs.developers.google.com/codelabs/edgesecuritypolicy-ca#0 – John Hanley Jul 04 '22 at 06:55
  • However, IIRC IP-based restrictions are not yet supported for Cloud Storage. https://cloud.google.com/armor/docs/security-policy-overview#restrictions – John Hanley Jul 04 '22 at 06:56
  • @JohnHanley thanks for the links ... but the tutorial also only shows the "public" version of the gcs bucket .... i don't get the point of using edge security but making a gcs bucket public ... any idea why this is the case? – niesfisch Jul 04 '22 at 11:47
  • Try this article, which details how to use a non-public bucket: https://medium.com/@reisfeld/google-cloud-cdn-best-practice-ed643558120e – John Hanley Jul 04 '22 at 17:32
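The check a defender would run before trusting the edge policy, as an added example that is not part of the original question or of any Google tool: it audits constructed samples of a bucket IAM policy and an edge security policy (shaped like the output of `gcloud storage buckets get-iam-policy` and `gcloud compute security-policies describe`; all ranges, roles and group names below are made up) and flags the bypass the asker describes, a bucket readable by allUsers regardless of what the load balancer's allowlist says.

```python
import ipaddress

# Principals that make a bucket readable without touching the load balancer at all.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: bucket IAM policy as the tutorials leave it (objectViewer for allUsers).
BUCKET_IAM_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:frontend-team@example.com"]},
]}

# Constructed sample: edge security policy allowing two made-up NAT ranges, default deny.
EDGE_POLICY = {"type": "CLOUD_ARMOR_EDGE", "rules": [
    {"priority": 1000, "action": "allow", "match": {"versionedExpr": "SRC_IPS_V1",
        "config": {"srcIpRanges": ["203.0.113.0/24", "198.51.100.7/32"]}}},
    {"priority": 2147483647, "action": "deny(403)", "match": {"versionedExpr": "SRC_IPS_V1",
        "config": {"srcIpRanges": ["*"]}}},
]}


def public_bindings(policy):
    """Roles granted to a public principal; any hit means the bucket URL bypasses the LB."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if PUBLIC_PRINCIPALS & set(b.get("members", [])))


def edge_decision(policy, client_ip):
    """First-match evaluation of SRC_IPS_V1 rules, lowest priority number first."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
        ranges = rule["match"]["config"]["srcIpRanges"]
        if "*" in ranges or any(ip in ipaddress.ip_network(r) for r in ranges):
            return rule["action"]
    return "deny(403)"  # assumption: no match is treated like the default deny rule


def bypass_findings(bucket_policy, edge_policy, client_ip):
    """Findings for one client IP: a public bucket makes the edge allowlist irrelevant."""
    findings = []
    roles = public_bindings(bucket_policy)
    if roles:
        findings.append("bucket readable by a public principal via " + ", ".join(roles)
                        + "; the storage.googleapis.com URL skips the LB and edge policy")
    if edge_decision(edge_policy, client_ip) != "allow":
        findings.append(client_ip + " is denied by the edge policy on the LB path")
    return findings


if __name__ == "__main__":
    for finding in bypass_findings(BUCKET_IAM_POLICY, EDGE_POLICY, "192.0.2.10"):
        print("FINDING:", finding)
```

Feed it the real policies exported from your project to confirm the bucket has no public binding before relying on the edge policy alone.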

0 Answers