Using versioning with signed urls in google cloud storage

1
votes

I'm having difficulty signing GET requests for Google Cloud Storage (GCS) when specifying a 'generation' (version number) on a the object. Signing the URL without the generation works like a charm and GET requests work fine. However, when I prepend #generation to the path, the GCS server always returns "access denied" when attempting to GET the signed URL.

For example, signing this URL path works fine:

https://storage.googleapis.com/BUCKET/OBJECT

signing this URL path gives me access denied:

https://storage.googleapis.com/BUCKET/OBJECT#1360887697105000

Note that for brevity and privacy, I've omitted what the actual signed URL with Signature, Expires, GoogleAccessId parameters. Also note, that I have also verified the bucket, object, and generation are correct using gsutil.

Does GCS allow for Signed URL access to specific object versions by 'generation' number? Is the URL signing procedure different when accessing a specific version?

1
pythongoogle-cloud-storagegsutil
It looks like the URL you're using is gsutil-compatible, but the XML API requires that you denote generation with a query parameter (which would look like storage.googleapis.com/BUCKET/OBJECT?generation=1360887697105000). Can you confirm it fails using this syntax? Documentation is here for reference: developers.google.com/storage/docs/reference-headers#generation - Travis Hobrla
That works! Thank you very much!! I'm not sure where I can mark this as answered, but that completely fixed the problem.. - Nick G.
Used a comment initially in case there was another underlying issue related to the problem. I've added it as an answer now. - Travis Hobrla

1 Answers

1
votes

The URL you're using is gsutil-compatible, but the XML API requires that you denote generation with a query parameter (which would look like storage.googleapis.com/BUCKET/OBJECT?generation=1360887697105000).

Documentation is here for reference: developers.google.com/storage/docs/reference-headers#generation