How to encrypt/hide google cloud bucket name in signed URL

0
votes

I would like to upload a image on a google storage bucket, for that I generated signed URL which would be passed to client for upload. I observed that google cloud bucket name is exposed in the signed URL.

https://storage.googleapis.com/myproject-images/test.PNG?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=3242342308700-compute%40developer.gserviceaccount.com%2F20200430%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20200430T044803Z&X-Goog-Expires=900&X-Goog-SignedHeaders=host&X-Goog-Signature=*********************

My question: Is it possible to encrypt/map or hide the google cloud bucket in signed URL. I do not want to expose my bucket name to end user

1
google-cloud-platformgoogle-cloud-storage
Doug's answer is correct. Is there a reason that you want to hide the bucket name? Bucket names are a global resource and the name is not a secret.John Hanley
I want to abstract the implementation details (that I am using GCP storage) to store client files. Sometime I feel as a security risk as well, exposing the information that GCP storage is being used and more importantly bucket name is also exposed, it opens services for known CVE. In my option end user should not have any idea what underneath technology is used.Atul Sureka
1/2) You have two problems. 1) You are storing data on Google Cloud Storage. You cannot hide that secret. Bad actors will scan for any/all buckets. 2) You want to implement another layer on top of Google Cloud Storage to hide that fact. Are you able to develop a more secure solution than Google?John Hanley
2/2) You are trying to use obfuscation to hide the fact that data is stored on Google Cloud Storage. For every hacker that uses your obfuscated URLs, there will be a much larger number that are directly hitting the backend storage. Your strategy sounds good on paper, but in reality you are just adding complexity which decreases your total security and expands the number of points that must be protected and managed.John Hanley

1 Answers

2
votes

It's not possible, if you want the client to directly access that data. You could obfuscate it by using a URL shortener, but all that would do is hide it from view temporarily.

Once you choose to allow clients to access your project directly, your project id is no longer private information. That ID is absolutely required in order to identify resources within your project (and not just Cloud Storage). The same is true for all Firebase-related client access that goes directly to Google Cloud and Firebase products.

If you don't want anyone to see the name of your project, you will either:

  1. Disallow all direct client access
  2. Route all requests through some middleware service identified by another DNS name that hides all the implementation details of the interaction with Google Cloud products.