
I'm trying to read a private bucket file with a CDN applied via a signed URL.

I created two private buckets.

a-bucket
b-bucket

And to apply CDN to these buckets, I created a load balancer and added two backends to this load balancer.

a-backend
b-backend

And added host, path, backend.

a.example.com, /*, a-backend
b.example.com, /*, b-backend

I also added a sign key to each CDN backend.

a-sign-key
b-sign-key

And I added two domains in the hosting service to access the two buckets by domain. The destination IP is the same.

a.example.com
b.example.com

Finally, I created a signed URL using the KeyName and Key in NestJS.

The problem is that I was able to read a-bucket through a.example.com, but I couldn't read b-bucket through b.example.com.

AccessDenied

Anything I'm missing?



I solved the problem. I had to grant permission for Cloud CDN to access the bucket. The problem was that I gave permission to a-bucket, but not to b-bucket.

gsutil iam ch \
  serviceAccount:service-PROJECTNUMBER@cloud-cdn-fill.iam.gserviceaccount.com:objectViewer \
  gs://BUCKETNAME

Another option to consider is to use the new Cloud CDN v4 signing functionality + GCS via S3 compatibility mode and not have to sign requests anymore with an ephemeral token.

Directions here: https://medium.com/@thetechbytes/private-gcs-bucket-access-through-google-cloud-cdn-430d940ebad9
