I have a project where I want to store docs in a Google Cloud Bucket. These docs should not be publicly accessible. Right now, I am able to place documents in the bucket, but I can't seem to figure out how to retrieve them while keeping the bucket secure. *If I open up access to "allUsers", the docs load fine. However, I want these docs to only be accessible if they are using the system.
I'm sure I'm not the first person to want to do this, but I can't seem to come up with an answer on Google.
I have hit dead ends for days now, so please help! *To be clear, I do not have any code to show. Thanks
The answer of #DanielOcando is right if "they are using the system" means that they are accessing directly GCP. For this answer, I'm assuming that "your system" is an application that you are developing or something similar.
For this approach, the safest method is to use signed URL's This will let your users access your documents without the need to have a Google account, you can also set an expire time for this URL's to control how much time the user can be using the documents.
Related
I'm currently researching on how to use facebook API and collect its data thru streamsets and store it to S3. But facebook requires developer to create an app and verify it which somehow not applicable to what I'm doing right now. Is there other way to do this? like different process to access the Facebook API without creating an App?
While I'm happy to stand to be corrected, I do not believe this can be done.
It's not like you have to actually MAKE an app with your "app" - the app is simply an API key that has some associated data with it like titles and URLs and such. This also helps them track your usage and make sure you're following the rules, and block your key if you don't.
While ago I've uploaded an image to the Google Cloud Platform bucket and made it public. Direct link, from GCP looks like this:
But this link, when put as Avatar URL to the Hangouts Chat API is not working (showing default avatar on hangouts chat, instead of mine).
I also found a way to create an url, its: https://storage.googleapis.com/[bucket]/[file] and this one is working, no idea why.
And my question is, why "official" link is not working, while the second one is working? What's the difference between them, difference between storage.cloud.google.com vs storage.googleapis.com?
This should help you understand better what's the difference between the two links.
Access to public objects
All requests to the storage.cloud.google.com URI require authentication. This applies even when allUsers have permission to access an object. If you want users to download anonymously accessible objects without authenticating, use the storage.googleapis.com URI documented in Direct API requests. For details and examples, see Accessing Public Data.
Here you have more information on the topic.
Hope this helps :)
I have a bunch of videos and all of them are uploaded on Wistia. On Wistia, I have set up access for my domain, so they will play only when the videos are fetched from my domain.
If someone uses View Source and copies the video URL and pastes it in a separate browser window, they get an "access denied' message.
I'm thinking about moving my videos to Google Cloud Storage. So, my questions are:
Does Google cloud provide a similar domain restriction feature?
How can I set this up? For now, I've created a temporary bucket and uploaded a video and granted it public access. Then I copied the public link of the MP4 file and added to my website, and it obviously plays, but then any paid member can use View Source, copy the MP4 link and upload it to other streaming services for everyone to see.
EDIT
Is there a way to do this programmatically - like my website is in PHP - so something along the lines like - keep the bucket as restricted access and then through PHP - pass some key and retrieve the video file. Not sure if something like this is possible.
Thanks
I do not believe that there is an access control mechanism in Google Cloud Storage equivalent to the one you are using in Wistia.
There are several methods to restrict object access (see https://cloud.google.com/storage/docs/access-control) in GCS, but none of them are based upon where the request came from. The only one that kind of addresses your issue is to use Signed URLs. Basically, a user would go to your site, but instead of giving them the "real" URL of the object they are going to be using, your application retrieves a special URL that is time-limited. You can set the length of time it is valid for.
But if what you are worried about is people copying your video, presumably they could still see the URL someplace and copy the data from there if they did it immediately, so I don't think that really solves your problem.
Sorry I can't be more helpful.
I have been trying to find an answer to this question for a couple of hours now, but have not managed to come up with a conclusive answer. I am hoping someone here will be able to shed some light on my question. Consider the following Example AWS S3 URL:
https://some-bucket.s3-eu-west-2.amazonaws.com/uploads/images/some_image.jpg?X-Amz-Expires=600&X-Amz-Date=20170920T124015Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI6CJYFYSSWMXXXXX/20170920/eu-west-2/s3/aws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=0481296b70633de9efb2fce6e20751df2f55fd79b5ff9570c02ff8f587dce825
In my specific example, the above URL is a request to view an image on S3 which I am exposing directly in a HTML img tag, and the user in Amz-Credential has both read and write permissions. The URL is also set to expire in 10 minutes.
Is is safe to link to the image directly via this URL, or is there any possibility that within these 10 minutes, the signature from this URL could be used in a maliciously crafted REST request to delete or modify the image instead of viewing it?
I do suspect a different action will have a different signature to make this impossible, but given my very limited understanding of AWS auth, I thought it better to ask just in case.
I know I could create a read-only user (extra complexity) or hide the S3 URL behind a controller action on my own web app (requires 2 total requests to load each image, making it inefficient), but I would rather learn whether my current approach is safe or not before resorting to either of these.
Thank you kindly for your time. :)
If your pre-signed url has PUT or DELETE permission someone could try to get the Signature + AccessKeyId to overwrite or delete your object.
Just make sure that you are signing the url with a read-only permission and I guess you're good.
I am pulling list of docs in coldfusion via google docs API. I want users to click on the link and get signed in automatically in google docs, with my username and password. Google should not ask user name and password from them.
I tried out this example http://cfgoogle.riaforge.org/
Till now I am able to pull up list of documents I have on my google docs account.
But I want anyone to click those link and get automatically signed in as me. And able to access my documents. Is it possible?
I would guess that accessing the documents as you is not possible via the end-user's browser. Google will set a cookie on your computer identifying your session. This allows you access to documents, mail, etc. whatever is linked in your account. For them to be able to access the documents using your account, they would have to be logged in as you. You can't do that directly from your application, because you can only write cookies for your domain (oversimplification, but basically....)
There may, however, be a workaround.
One option would be to use the API to automatically share the document with the user. That is, they provide their Google ID (not password) and you share with their account. This is probably what I would try.
Alternately, you could proxy requests for documents, although this opens up a whole 'nother can of worms.