
This is driving me crazy…

I want to store images into Google Cloud Storage and the images to be only accessible from our app, because the uploaded image may contain privacy sensitive content.

I kept googling for the last couple of hours and haven’t got a clue, and I’m feeling dumb about myself…

ChatGPT suggested to create a signed URL, which makes sense, but do we need to go that far, to satisfy this seemingly common requirement?

My first intuition was that I could use IAM and Service Account, but… it didn’t lead anywhere for me.

If Google doesn’t offer this capability but AWS does, I want to hear that too.

barley
  • What's the size of the biggest image? In addition, is the content shareable among all the users, or must each user access only a subset of images? – guillaume blaquiere Dec 08 '22 at 11:46
  • @guillaumeblaquiere Probably no more than a couple of hundred KB (does it matter?). It is okay that other users can see the images as long as it is from within the app. – barley Dec 08 '22 at 12:53
  • It's recommended to have direct access to the image (with a signed URL) instead of streaming the content through a service. With your current conditions, Chris's solution is good: create a backend that serves your images. This backend also checks the user's origin/authentication and uses its own service account to access the bucket. – guillaume blaquiere Dec 08 '22 at 13:00
  • I see. That’s a whole lot more than I thought… But at least I can see the path to work. But if I have to create an endpoint to stream image content, I am also one step away from creating a signed URL as well, which would benefit from caching at least for a couple of hours? Hmm… Anyway thanks for the detailed explanations, really appreciate it!! – barley Dec 08 '22 at 13:40

1 Answer


You are right, there is no out-of-the-box solution for this. Google Cloud Storage's security is mainly based on IAM roles and permissions. Using signed URLs could be a feasible solution to provide temporary access for the final user to a single object, but in your case, as you want to use the bucket to store and access objects from your app, you should just set a service account for your app and set the right permissions according to your business needs.

Chris32
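The pattern the comments and the answer converge on, as an added example that is not code from the question, the answer, or Google's documentation: the bucket stays private, end users never receive bucket credentials, and the backend authenticates the user's own session before touching the object with the app's service-account identity. The `GcsStore` class makes the real client-library calls (`download_as_bytes`, `generate_signed_url` with V4 signing); `MemoryStore` is a constructed stand-in so the authorization logic runs offline. `IMAGE_PREFIX`, the session table, the bucket name and the endpoint name are hypothetical.

```python
"""Private-bucket access through the app: the backend decides who may see an
image, then fetches it (or signs a short-lived URL for it) with its own
service-account credentials. Added example; names below are assumptions."""
from __future__ import annotations

import datetime
from dataclasses import dataclass, field
from typing import Optional, Protocol

IMAGE_PREFIX = "images/"                         # assumption: prefix the app uploads under
SIGNED_URL_TTL = datetime.timedelta(hours=1)     # V4 signed URLs may live at most 7 days
_SESSIONS = {"sess-abc123": "user-42"}           # constructed session table (stand-in)


def authenticate(session_token: Optional[str]) -> Optional[str]:
    """Stand-in for the app's real session/JWT check; returns a user id or None."""
    return _SESSIONS.get(session_token or "")


class ObjectStore(Protocol):
    def read(self, object_name: str) -> bytes: ...
    def signed_url(self, object_name: str, ttl: datetime.timedelta) -> str: ...


class GcsStore:
    """Real bucket access. The client reads the backend's service-account
    credentials from the environment (Application Default Credentials); that
    service account, not the end user, is what gets objectViewer on the bucket."""

    def __init__(self, bucket_name: str) -> None:
        from google.cloud import storage  # lazy import so the module loads offline
        self._bucket = storage.Client().bucket(bucket_name)

    def read(self, object_name: str) -> bytes:
        return self._bucket.blob(object_name).download_as_bytes()

    def signed_url(self, object_name: str, ttl: datetime.timedelta) -> str:
        return self._bucket.blob(object_name).generate_signed_url(
            version="v4", expiration=ttl, method="GET")


@dataclass
class MemoryStore:
    """Constructed in-memory stand-in for the bucket."""
    objects: dict[str, bytes] = field(default_factory=dict)

    def read(self, object_name: str) -> bytes:
        return self.objects[object_name]          # KeyError becomes a 404 below

    def signed_url(self, object_name: str, ttl: datetime.timedelta) -> str:
        if object_name not in self.objects:
            raise KeyError(object_name)
        return f"https://storage.example/{object_name}?X-Goog-Expires={int(ttl.total_seconds())}"


@dataclass
class Response:
    status: int
    body: bytes = b""
    headers: dict[str, str] = field(default_factory=dict)


def _content_type(data: bytes) -> str:
    """Derive the type from the bytes, never from the requested name."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    return "application/octet-stream"


def serve_image(store: ObjectStore, session_token: Optional[str], object_name: str,
                *, redirect: bool = False) -> Response:
    """Hypothetical app endpoint, e.g. GET /images/<object_name>.

    redirect=False streams the bytes through the backend (the "backend that
    serves your images" approach); redirect=True hands back a short-lived signed
    URL so the browser fetches the object directly and can cache it."""
    if authenticate(session_token) is None:
        return Response(401)          # same answer whether or not the object exists
    if not object_name.startswith(IMAGE_PREFIX):
        return Response(403)          # this endpoint exposes only the image prefix
    try:
        if redirect:
            url = store.signed_url(object_name, SIGNED_URL_TTL)
            return Response(302, headers={"Location": url, "Cache-Control": "no-store"})
        data = store.read(object_name)
    except KeyError:
        return Response(404)
    return Response(200, data, {
        "Content-Type": _content_type(data),
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "private, max-age=3600",   # browser may cache; shared caches may not
    })
```

With the real store (`GcsStore("my-private-bucket")`) the bucket needs no public ACL and no per-user IAM bindings: only the backend's service account holds `roles/storage.objectViewer`, and the prefix check keeps the endpoint from becoming a reader for anything else that account can see. The `private` cache directive covers the caching point raised in the comments for the streaming path; the signed-URL path gets the same effect from the URL's own expiry.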