Google Cloud Storage uses scopes to determine what permissions an identity has on a specified resource. Google scopes are formatted as urls. There are three basic types: read-only, read-write and full-control.
read-only
Only allows access to read data, including listing buckets.
https://www.googleapis.com/auth/devstorage.read_only
read-write
Allows access to read and change data, but not metadata like IAM policies.
https://www.googleapis.com/auth/devstorage.read_write
full-control
Allows full control over data, including the ability to modify IAM policies.
https://www.googleapis.com/auth/devstorage.full_control
For example, if you wanted to create a presigned url for a file download in C#:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
using System; using System.Net.Http; using System.IO; using Google.Cloud.Storage.V1; using Google.Apis.Auth.OAuth2; ServiceAccountCredential cred; var scopes = new string[] { "https://www.googleapis.com/auth/devstorage.read_only" }; cred = GoogleCredential .GetApplicationDefault(). .CreateScoped(scopes) .UnderlyingCredential as ServiceAccountCredential; UrlSigner urlSigner = UrlSigner.FromServiceAccountCredential(cred); var bucketName = "mybucket"; var objectName = "myfile.txt"; string url = urlSigner.Sign( bucketName, objectName, TimeSpan.FromHours(1), HttpMethod.Get); Console.WriteLine(url); |
Documentation for Scopes
Documentation for UrlSigner
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) virtualization. 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.
Leave a Reply