Granting Access to Google Cloud Storage Objects with Signed URLs

Signed URLs are URLs with query string authentication parameters that grant access to buckets and objects stored in Google Cloud Storage. Signed URLs grant access to Cloud Storage for a given amount of time. Anyone with the signed URL can access the objects until the signed URL expires. This is particularly useful for granting access to individuals outside of your organization.

In this lab, you will learn the mechanics of creating signed URLs using the gcloud CLI. You will also fully understand the capabilities and limitations of signed URLs.

Lab Objectives

Upon completion of this lab, you will be able to:

• Explain when signed URLs are the right choice among the alternatives for granting access to a Google Cloud Storage object
• Understand the requirements for generating signed URLs
• Use signed URLs to grant access to Google Cloud Storage objects for a limited time
• Revoke access to Google Cloud Storage objects accessed via a signed URL
• Debug common issues related to creating signed URLs

Lab Prerequisites

You should be familiar with:

• Working at the command line in Linux
• Managing Google Cloud Storage resources with gsutil

The following labs are recommended for satisfying the prerequisites:

• Linux Command Line Byte Session
• Working with Google Cloud Storage from the Command Line

Updates

May 14th, 2025 - Updated lab environment, screenshots, and commands

June 11th, 2024 - Resolved pyOpenSSL installation issue

September 9th, 2021 - Update the VM's Debian host version

September 9th, 2019 - Lab content updated to reflect the latest gsutil experience