While ago I've uploaded an image to the Google Cloud Platform bucket and made it public. Direct link, from GCP looks like this:
But this link, when put as Avatar URL to the Hangouts Chat API is not working (showing default avatar on hangouts chat, instead of mine).
I also found a way to create an url, its: https://storage.googleapis.com/[bucket]/[file] and this one is working, no idea why.
And my question is, why "official" link is not working, while the second one is working? What's the difference between them, difference between storage.cloud.google.com vs storage.googleapis.com?
This should help you understand better what's the difference between the two links.
Access to public objects
All requests to the storage.cloud.google.com URI require authentication. This applies even when allUsers have permission to access an object. If you want users to download anonymously accessible objects without authenticating, use the storage.googleapis.com URI documented in Direct API requests. For details and examples, see Accessing Public Data.
Here you have more information on the topic.
Hope this helps :)
Related
The question is pretty vague but here's the entire problem statement. I am using Django REST APIs, and I'm generating invocies for my clients. Using wkhtmltopdf, I'm able to generate a PDF file which gets automatically backed up to S3. Now, we need to retreive the said invoice once our client clicks on a link.
We're using pre-signed URLs right now, which last for 12 hours, right? Once that link expires, the entire backend fails.
I mean, even if we go for permanent pre-signed links, would there not be a security issue?
I could really use some guidance on this.
Now, we need to retreive the said invoice once our client clicks on a link.
We're using pre-signed URLs right now [...]
Only generate the pre-signed URL for a given S3 URI when the authenticated client clicks on the link. You can then give it a very short expiry.
I have a project where I want to store docs in a Google Cloud Bucket. These docs should not be publicly accessible. Right now, I am able to place documents in the bucket, but I can't seem to figure out how to retrieve them while keeping the bucket secure. *If I open up access to "allUsers", the docs load fine. However, I want these docs to only be accessible if they are using the system.
I'm sure I'm not the first person to want to do this, but I can't seem to come up with an answer on Google.
I have hit dead ends for days now, so please help! *To be clear, I do not have any code to show. Thanks
The answer of #DanielOcando is right if "they are using the system" means that they are accessing directly GCP. For this answer, I'm assuming that "your system" is an application that you are developing or something similar.
For this approach, the safest method is to use signed URL's This will let your users access your documents without the need to have a Google account, you can also set an expire time for this URL's to control how much time the user can be using the documents.
I'm new to GCP - have created a bucket that I want to use as a CDN to serve images and videos to my website. The problem I'm having is that when I'm logged in to Google my videos and images are displaying no problem, however when not logged They do not show.
I have added an allUsers member and assigned "storage object viewer" role - the bucket is tagged as public but still the content wont display
Am I missing something totally obvious?
Any guidance would be very much appreciated
Matt
Have a look at the documentation Making all objects in a bucket publicly readable and Making individual objects publicly readable and check if your images available through directly links. I've tried and in works for me from different devices. If you have no problems with direct access though provided at Cloud UI links you should check configuration CMS system of your site. I found this example for WordPress that could be useful.
Then, I've tried to disable public access for test purposes and got an error:
<Error>
<Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>
Anonymous caller does not have storage.objects.get access to test-public-bucket-1/test-public-image-1.jpg.
</Details>
</Error>
Do you have any error messages when you're trying to reach your images and videos through directly links and via your website? If you have errors only while trying to view images and videos at website, you should check logs of web server that serve your website.
EDIT Have a look at the screenshots:
and
publicly accessible link you can get by clicking on the link icon after word Public as you can find in the documentation:
Once shared publicly, a link icon appears for each object in the
public access column. You can click on this icon to get the URL for
the object.
use it instead of Link URL that I noticed in your answer.
Meanwhile you use correct role Storage Object Viewer at the screenshot for allUsers and this role has permission storage.objects.get as you can see in the documentation. So, no research needed.
Did you mistype Storage Object Viewer role as Storage Object Reader in your answer?
sorry I did this wrong first time (new here). The problem was with the WordPress CDN side as suggested in the solution offered above ...
I was trying to access the images and video’s without first uploading them through the WordPress media library - this meant the correct linking structure was not in place for WordPress to be able to resolve
Thank you for your time - and s as polities again for s as my confusion caused
Matt
I have a bunch of videos and all of them are uploaded on Wistia. On Wistia, I have set up access for my domain, so they will play only when the videos are fetched from my domain.
If someone uses View Source and copies the video URL and pastes it in a separate browser window, they get an "access denied' message.
I'm thinking about moving my videos to Google Cloud Storage. So, my questions are:
Does Google cloud provide a similar domain restriction feature?
How can I set this up? For now, I've created a temporary bucket and uploaded a video and granted it public access. Then I copied the public link of the MP4 file and added to my website, and it obviously plays, but then any paid member can use View Source, copy the MP4 link and upload it to other streaming services for everyone to see.
EDIT
Is there a way to do this programmatically - like my website is in PHP - so something along the lines like - keep the bucket as restricted access and then through PHP - pass some key and retrieve the video file. Not sure if something like this is possible.
Thanks
I do not believe that there is an access control mechanism in Google Cloud Storage equivalent to the one you are using in Wistia.
There are several methods to restrict object access (see https://cloud.google.com/storage/docs/access-control) in GCS, but none of them are based upon where the request came from. The only one that kind of addresses your issue is to use Signed URLs. Basically, a user would go to your site, but instead of giving them the "real" URL of the object they are going to be using, your application retrieves a special URL that is time-limited. You can set the length of time it is valid for.
But if what you are worried about is people copying your video, presumably they could still see the URL someplace and copy the data from there if they did it immediately, so I don't think that really solves your problem.
Sorry I can't be more helpful.
I have been trying to find an answer to this question for a couple of hours now, but have not managed to come up with a conclusive answer. I am hoping someone here will be able to shed some light on my question. Consider the following Example AWS S3 URL:
https://some-bucket.s3-eu-west-2.amazonaws.com/uploads/images/some_image.jpg?X-Amz-Expires=600&X-Amz-Date=20170920T124015Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI6CJYFYSSWMXXXXX/20170920/eu-west-2/s3/aws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=0481296b70633de9efb2fce6e20751df2f55fd79b5ff9570c02ff8f587dce825
In my specific example, the above URL is a request to view an image on S3 which I am exposing directly in a HTML img tag, and the user in Amz-Credential has both read and write permissions. The URL is also set to expire in 10 minutes.
Is is safe to link to the image directly via this URL, or is there any possibility that within these 10 minutes, the signature from this URL could be used in a maliciously crafted REST request to delete or modify the image instead of viewing it?
I do suspect a different action will have a different signature to make this impossible, but given my very limited understanding of AWS auth, I thought it better to ask just in case.
I know I could create a read-only user (extra complexity) or hide the S3 URL behind a controller action on my own web app (requires 2 total requests to load each image, making it inefficient), but I would rather learn whether my current approach is safe or not before resorting to either of these.
Thank you kindly for your time. :)
If your pre-signed url has PUT or DELETE permission someone could try to get the Signature + AccessKeyId to overwrite or delete your object.
Just make sure that you are signing the url with a read-only permission and I guess you're good.