Signed URLs & Signed Policy Documents

Signed URLs and signed policy documents provide a way to grant temporary, scoped access to Cloud Storage objects without requiring the user to have a Google Cloud account or IAM permissions. They are essential for applications that need to serve private content to end users or allow file uploads without exposing service account credentials.

---

Signed URLs

A signed URL is a URL that includes authentication information in its query string parameters. Anyone with the URL can perform the specified operation (GET, PUT, DELETE) on the specified object for a limited time.

How Signed URLs Work

1. Your application server generates a signed URL using a service account's private key
2. The URL is sent to the client (browser, mobile app, partner system)
3. The client uses the URL to access the object directly — no IAM credentials needed
4. The URL expires after the specified duration

Creating Signed URLs

# Generate a signed download URL (valid for 1 hour)
gsutil signurl -d 1h service-account-key.json gs://my-bucket/private-report.pdf

# Using gcloud storage (does not require a key file)
gcloud storage sign-url gs://my-bucket/private-report.pdf \
  --duration=1h \
  --private-key-file=service-account-key.json

# Or with impersonated service account (no key file needed)
gcloud storage sign-url gs://my-bucket/private-report.pdf \
  --duration=1h

Signed URL Parameters

Parameter	Description
Expiration	When the URL stops working (max 7 days for V4)
HTTP Method	GET (download), PUT (upload), DELETE, or HEAD
Bucket/Object	Which resource the URL grants access to
Content-Type	Required content type for PUT uploads
Headers	Additional required request headers

V4 Signing (Recommended)

V4 is the current recommended signing process:

from google.cloud import storage
import datetime

def generate_signed_url(bucket_name, blob_name):
    client = storage.Client()
    bucket = client.bucket(bucket_name)
    blob = bucket.blob(blob_name)

    url = blob.generate_signed_url(
        version="v4",
        expiration=datetime.timedelta(hours=1),
        method="GET",
    )
    return url

Signed Upload URLs

You can create signed URLs that allow clients to upload files:

url = blob.generate_signed_url(
    version="v4",
    expiration=datetime.timedelta(hours=1),
    method="PUT",
    content_type="application/pdf",
)
# Client uses: curl -X PUT -H "Content-Type: application/pdf" --data-binary @file.pdf "URL"

---

Signed Policy Documents

Signed policy documents are JSON documents that control what a client can upload via an HTML form POST. They are more powerful than signed URLs for upload scenarios because they can enforce multiple constraints simultaneously.

What Policy Documents Control