mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 02:25:19 +00:00
111 lines
4.7 KiB
Text
111 lines
4.7 KiB
Text
NAME
|
|
gcloud storage sign-url - generate a URL with embedded authentication that
|
|
can be used by anyone
|
|
|
|
SYNOPSIS
|
|
gcloud storage sign-url URL [URL ...] --private-key-file=PRIVATE_KEY_FILE
|
|
[--duration=DURATION, -d DURATION; default=3600]
|
|
[--headers=[KEY=VALUE,...]]
|
|
[--http-verb=HTTP_VERB, -m HTTP_VERB; default="GET"]
|
|
[--private-key-password=PRIVATE_KEY_PASSWORD, -p PRIVATE_KEY_PASSWORD]
|
|
[--query-params=[KEY=VALUE,...]] [--region=REGION, -r REGION]
|
|
[GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
gcloud storage sign-url will generate a signed URL that embeds
|
|
authentication data so the URL can be used by someone who does not have a
|
|
Google account. Please see the Signed URLs documentation
|
|
(https://cloud.google.com/storage/docs/access-control/signed-urls) for
|
|
background about signed URLs.
|
|
|
|
Note, gcloud storage sign-url does not support operations on
|
|
sub-directories. For example, unless you have an object named
|
|
some-directory/ stored inside the bucket some-bucket, the following command
|
|
returns an error: gcloud storage sign-url gs://some-bucket/some-directory/.
|
|
|
|
EXAMPLES
|
|
To create a signed url for downloading an object valid for 10 minutes:
|
|
|
|
$ gcloud storage sign-url gs://my-bucket/file.txt --duration=10m \
|
|
--private-key-file=key.json
|
|
|
|
To create a signed url that will bill to my-billing-project:
|
|
|
|
$ gcloud storage sign-url gs://my-bucket/file.txt \
|
|
--query-params=userProject=my-billing-project \
|
|
--private-key-file=key.json
|
|
|
|
To create a signed url, valid for one hour, for uploading a plain text file
|
|
via HTTP PUT:
|
|
|
|
$ gcloud storage sign-url gs://my-bucket/file.txt --http-verb=PUT \
|
|
--duration=1h --headers=content-type=text/plain \
|
|
--private-key-file=key.json
|
|
|
|
To create a signed URL that initiates a resumable upload for a plain text
|
|
file:
|
|
|
|
$ gcloud storage sign-url gs://my-bucket/file.txt --http-verb=POST \
|
|
--headers=x-goog-resumable=start,content-type=text/plain \
|
|
--private-key-file=key.json
|
|
|
|
POSITIONAL ARGUMENTS
|
|
URL [URL ...]
|
|
The URLs to be signed. May contain wildcards.
|
|
|
|
REQUIRED FLAGS
|
|
--private-key-file=PRIVATE_KEY_FILE
|
|
The service account private key used to generate the cryptographic
|
|
signature for the generated URL. Must be in PKCS12 or JSON format. If
|
|
encrypted, will prompt for the passphrase used to protect the private
|
|
key file (default notasecret).
|
|
|
|
OPTIONAL FLAGS
|
|
--duration=DURATION, -d DURATION; default=3600
|
|
Specifies the duration that the signed url should be valid for, default
|
|
duration is 1 hour. For example 10s for 10 seconds. See $ gcloud topic
|
|
datetimes for information on duration formats.
|
|
|
|
The max duration allowed is 7 days when PRIVATE_KEY_FILE is used.
|
|
|
|
--headers=[KEY=VALUE,...]
|
|
Specifies the headers to be used in the signed request. Possible
|
|
headers are listed in the XML API's documentation:
|
|
https://cloud.google.com/storage/docs/xml-api/reference-headers#headers
|
|
|
|
--http-verb=HTTP_VERB, -m HTTP_VERB; default="GET"
|
|
Specifies the HTTP verb to be authorized for use with the signed URL,
|
|
default is GET. When using a signed URL to start a resumable upload
|
|
session, you will need to specify the x-goog-resumable:start header in
|
|
the request or else signature validation will fail.
|
|
|
|
--private-key-password=PRIVATE_KEY_PASSWORD, -p PRIVATE_KEY_PASSWORD
|
|
Specifies the private key password instead of prompting.
|
|
|
|
--query-params=[KEY=VALUE,...]
|
|
Specifies the query parameters to be used in the signed request.
|
|
Possible query parameters are listed in the XML API's documentation:
|
|
https://cloud.google.com/storage/docs/xml-api/reference-headers#query
|
|
|
|
--region=REGION, -r REGION
|
|
Specifies the region in which the resources for which you are creating
|
|
signed URLs are stored.
|
|
|
|
Default value is auto which will cause gcloud storage sign-url to fetch
|
|
the region for the resource. When auto-detecting the region, the
|
|
current user's credentials, not the credentials from PRIVATE_KEY_FILE,
|
|
are used to fetch the bucket's metadata.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
This variant is also available:
|
|
|
|
$ gcloud alpha storage sign-url
|
|
|