Grant Access to Objects (csv files) in GCP bucket

0
votes

I am working on application where I let end user upload csv files to a bucket through UI. Once user uploads the data, I want to let the user download the data which they have uploaded (through UI) and they should not be able to view/download data which other users have uploaded..

In GCP Cloud Storage Bucket, I am uploading all users files into a single bucket. so this bucket will have files from all the users. But when they want to download/view the files, they should see only the files they have uploaded and not other users. All this access has to be done automatically. Could you please guide me how should I set such permissions automatically?

I looked at some of the resources https://cloud.google.com/storage/docs/collaboration#browser https://cloud.google.com/storage/docs/access-control/iam-json and lot more..didnt find the solution.. Could you please guide me!

2
google-cloud-platformgoogle-cloud-storagebucketgoogle-iamgoogle-cloud-iam

2 Answers

0
votes

If the user isn't authenticated, you will have to implement Anonymous sign-in to differentiate one user from another. From there, you generate signed access URL with getSignedURL() - you can also reinforce security by using a storage path that has the user UID as the source within your Security Rules, this allows only that specific user to read from that directory.

The key difference is that an access token is a permanent and sharable token allowing anyone to download it if they have this token. a Signed URL is a short-lived access token which you can manage with more detail.

By using storageReference.getSignedUrl() will return a limited download URL that suites your needs.

Reference:

0
votes

I completely agree with @DIGI Byte’s solution of Signed URL as it is the most typical way to address this use case which gives the user read, write, or delete access to that resource for a limited time. Anyone who knows the URL can access the resource until the expiration time for the URL is reached or the key used to sign the URL is rotated.

I want to suggest another solution to this problem that is using a Customer-Supplied Encryption Key, with Cloud Storage:

  • You have to generate your own encryption key using this step. You can use C++,C#, Go,Java,Node.js,PHP,Python,Ruby for creating the Base64-encoded AES-256 encryption key.

  • Upload the object with the encryption key created with this step.

  • Download an object in the bucket that is already encrypted with this step. This process helps as only the user that uploaded the object has the key access to download it.

  • Rotate the encryption keys, by creating another encryption key and use them as and when needed with this step.