Signed URLs & Signed Policy Documents

Signed URLs and signed policy documents provide a way to grant temporary, scoped access to Cloud Storage objects without requiring the user to have a Google Cloud account or IAM permissions. They are essential for applications that need to serve private content to end users or allow file uploads without exposing service account credentials.

---

Signed URLs

A signed URL is a URL that includes authentication information in its query string parameters. Anyone with the URL can perform the specified operation (GET, PUT, DELETE) on the specified object for a limited time.

How Signed URLs Work

1. Your application server generates a signed URL using a service account's private key
2. The URL is sent to the client (browser, mobile app, partner system)
3. The client uses the URL to access the object directly — no IAM credentials needed
4. The URL expires after the specified duration

Creating Signed URLs

# Generate a signed download URL (valid for 1 hour)
gsutil signurl -d 1h service-account-key.json gs://my-bucket/private-report.pdf

# Using gcloud storage (does not require a key file)
gcloud storage sign-url gs://my-bucket/private-report.pdf \
  --duration=1h \
  --private-key-file=service-account-key.json