0
votes
  • I have a Google Cloud Storage bucket and I want to access it only using Cloud CDN.

  • I have created a load balancer, created a signing key, and added almost all permissions to the service account, like Storage Admin, Storage Bucket Admin, Storage Legacy Bucket Owner etc.

  • Now I'm trying to access bucket content using a signed URL with PHP. It generates the signed URL, but it gives

    403. That’s an error.
    Your client does not have permission to get URL

I have even tried it through gcloud compute sign-url. It does generate a signed URL, but it also gives the same error.

Reproduction steps:

gcloud sign-url from cmd:

    gcloud compute sign-url URL --expires-in=1566561600 --key-file=KEY_FILE --key-name=SIGNING_KEY

where URL is the generated IP from the load balancer, the expire time is of course a future timestamp, --key-file is the generated JSON key file from the service account, and --key-name is the signing key from the origin details.

I've applied the same thing to the PHP code where I'm generating the signed URL; I've taken reference from https://github.com/GoogleCloudPlatform/php-docs-samples

The service account seems to work perfectly when I'm not using CDN. If I access the bucket without CDN, it works as expected.

Is there something wrong with the process I've followed?

1
You mentioned that you would like to access the Cloud Storage bucket only using Cloud CDN. Also, you created a load balancer, created a signing key and added a service account. To clarify, could you share the steps to reproduce the issue? - Mohibul Mahmud
@MohibulMahmud added reproduction steps in the question - Nikhil Radadiya
What IAM roles are assigned to the service account? This is where your problem is at. cloud.google.com/storage/docs/access-control/iam-roles - John Hanley
@JohnHanley As mentioned in the question, I've tried almost every role like Storage Admin, Storage Bucket Admin, Storage Object Admin etc. - Nikhil Radadiya
The account that you are using to sign the URL does not have read permission to Cloud Storage. Make sure you are granting roles to the correct account. - John Hanley

1 Answer

-1
votes

Cloud Storage has a built-in CDN, so using a Cloud Storage signed URL for your use case should suffice. With regard to using signed URLs, internally they work approximately the same, and generate the URL almost the same way.
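
Added example, not part of the original question or answer and not Google's sample code: a PHP illustration of how a Cloud CDN signed URL is formed. The signature is an HMAC-SHA1 over the URL, keyed with the backend's 128-bit signing key, which is stored as base64url text and is a different credential from a service account JSON key; the loader rejects the wrong kind of key file before signing. The function names, host, key name and sample key are constructed for illustration.

```php
<?php
// Added example; function names and sample values are constructed, not from the page.

// Decode the contents of a Cloud CDN signing key file (base64url text, 16 bytes decoded).
function load_cdn_signing_key(string $contents): string
{
    $contents = trim($contents);
    // A service account key file is a JSON object; a Cloud CDN signing key is not.
    if (is_array(json_decode($contents, true))) {
        throw new InvalidArgumentException('JSON key file given, expected a base64url Cloud CDN signing key');
    }
    $key = base64_decode(strtr($contents, '-_', '+/'), true);
    if ($key === false || strlen($key) !== 16) {
        throw new InvalidArgumentException('signing key must be base64url text that decodes to 16 bytes');
    }
    return $key;
}

// Append Expires, KeyName and Signature in the order Cloud CDN expects.
// $expires is an absolute Unix timestamp; the HMAC-SHA1 covers the URL up to and including KeyName.
function sign_cdn_url(string $url, string $keyName, string $key, int $expires): string
{
    $sep = strpos($url, '?') === false ? '?' : '&';
    $toSign = $url . $sep . 'Expires=' . $expires . '&KeyName=' . $keyName;
    $mac = hash_hmac('sha1', $toSign, $key, true);
    return $toSign . '&Signature=' . strtr(base64_encode($mac), '+/', '-_');
}

// Constructed inputs: bytes 0x00..0x0f as a key, and a stub of a service account file.
$samples = [
    'cdn-key'         => "AAECAwQFBgcICQoLDA0ODw==\n",
    'service-account' => '{"type": "service_account", "private_key_id": "constructed"}',
];

foreach ($samples as $label => $contents) {
    try {
        $key = load_cdn_signing_key($contents);
        echo $label, ': ', sign_cdn_url('https://cdn.example.test/img/logo.png', 'my-key', $key, time() + 3600), "\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```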