Google Cloud Storage uses scopes to determine what permissions an identity has on a specified resource. Google scopes are formatted as urls. There are three basic types: read-only, read-write and full-control.
read-only
Only allows access to read data, including listing buckets.
https://www.googleapis.com/auth/devstorage.read_only
read-write
Allows access to read and change data, but not metadata like IAM policies.
https://www.googleapis.com/auth/devstorage.read_write
full-control
Allows full control over data, including the ability to modify IAM policies.
https://www.googleapis.com/auth/devstorage.full_control
For example, if you wanted to create a presigned url for a file download in C#:
using System;
using System.Net.Http;
using System.IO;
using Google.Cloud.Storage.V1;
using Google.Apis.Auth.OAuth2;
ServiceAccountCredential cred;
var scopes = new string[] { "https://www.googleapis.com/auth/devstorage.read_only" };
cred = GoogleCredential
.GetApplicationDefault().
.CreateScoped(scopes)
.UnderlyingCredential as ServiceAccountCredential;
UrlSigner urlSigner = UrlSigner.FromServiceAccountCredential(cred);
var bucketName = "mybucket";
var objectName = "myfile.txt";
string url = urlSigner.Sign(
bucketName,
objectName,
TimeSpan.FromHours(1),
HttpMethod.Get);
Console.WriteLine(url);
Documentation for Scopes
Documentation for UrlSigner
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) virtualization. 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.
Leave a Reply