2

I'm configuring Google Cloud CDN with Google Cloud Storage, following this article: https://cloud.google.com/cdn/docs/setting-up-cdn-with-bucket#make_your_bucket_public

In my experience with AWS, an S3 bucket can allow read permission only for its CDN (CloudFront).

I wonder if GCP also has a similar feature.

Following the above article, I let 'allUsers' read the bucket, but I don't want to give read permission to all users, only to Cloud CDN.

I've checked the IAM documents but couldn't find it.

Please help me.

The Cloud Storage bucket should allow read permission only for Cloud CDN, not all users. I don't want to make my bucket public.

2 Answers

1

The reason I asked whether you would consider access by IP address is that I've checked this link, wherein you can limit access by IP address.

Another link that I can share is about signed URLs; however, based on the link, “signed URLs give time-limited resource access to anyone in possession of the URL” and “signed URL is a URL that provides limited permission and time to make a request”, so I believe this one is time-limited.

One thing that I can also think of is to use IAM with buckets, wherein you can set the permissions you want for a certain user. For more information on configuring this feature, you can also visit this site.

Yvan G.
  • As I understand, in order to use GCS as the CDN's backend, the bucket should be public: https://cloud.google.com/cdn/docs/setting-up-cdn-with-bucket#make_your_bucket_public And you know, a public bucket makes the link with "https://storage.googleapis.com/~~" and the CDN makes the link with its own address. I only want to activate the CDN address and deactivate the bucket address, but the bucket address has to be activated to connect the bucket to the CDN. And an important thing: accessing the bucket address is more expensive than accessing the CDN address. That's why I want to block the bucket access. – Jaehyun Baek Oct 28 '22 at 09:18
  • 1
    I see. I found this link that might help you with this concern, but be aware that the [link](https://medium.com/@reisfeld/google-cloud-cdn-best-practice-ed643558120e) that I am going to share is non-Google documentation. – Yvan G. Oct 31 '22 at 08:29
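
The time-limited property of signed URLs quoted in the answer above, shown as an added example that is not part of the original answers. It follows the signed-URL format documented for Cloud CDN (`Expires`, `KeyName` and `Signature` query parameters, HMAC-SHA1 over the URL with a base64url-encoded key); the hostname, key name, key bytes and the `verify_url` helper, a local model of the check the CDN performs, are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample values: the key name and the 128-bit key are made up.
KEY_NAME = "example-key"
KEY_B64 = base64.urlsafe_b64encode(bytes(range(16))).decode("ascii")


def _signature(url_to_sign: str, key_b64: str) -> str:
    """HMAC-SHA1 over the URL (up to and including KeyName), base64url-encoded."""
    key = base64.urlsafe_b64decode(key_b64)
    digest = hmac.new(key, url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def sign_url(url: str, key_name: str, key_b64: str, expires: int) -> str:
    """Append Expires (Unix seconds), KeyName and Signature to the URL."""
    sep = "&" if urlsplit(url).query else "?"
    url_to_sign = f"{url}{sep}Expires={expires}&KeyName={key_name}"
    return f"{url_to_sign}&Signature={_signature(url_to_sign, key_b64)}"


def verify_url(signed_url: str, keys: dict, now: int) -> bool:
    """Local model of the edge check: known key, valid signature, not expired."""
    url_to_sign, marker, sig = signed_url.rpartition("&Signature=")
    if not marker:
        return False  # no signature present
    params = parse_qs(urlsplit(url_to_sign).query)
    try:
        expires = int(params["Expires"][-1])
        key_b64 = keys[params["KeyName"][-1]]
    except (KeyError, ValueError):
        return False  # missing parameter, bad timestamp or unknown key name
    # Constant-time comparison avoids leaking how much of the signature matched.
    return hmac.compare_digest(_signature(url_to_sign, key_b64), sig) and now < expires


if __name__ == "__main__":
    url = sign_url("https://cdn.example.com/img/logo.png", KEY_NAME, KEY_B64, 1700000000)
    print(url)
    print(verify_url(url, {KEY_NAME: KEY_B64}, now=1699999999))  # before expiry
    print(verify_url(url, {KEY_NAME: KEY_B64}, now=1700000001))  # after expiry
```

Because the signature covers the path and the `Expires` value, changing either one invalidates the URL; anyone who holds an unexpired signed URL can still use it, as the quoted documentation says.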
1

Google recently released, in public beta, the v4 token signing process to support private origins. In this case, you can use the new v4 token signing process to access a private GCS bucket. One of my colleagues wrote a blog post with directions on how to do this: https://medium.com/@thetechbytes/private-gcs-bucket-access-through-google-cloud-cdn-430d940ebad9

Dave