I just set up a simple JS photo uploader on my site. It uploads photos directly to a Google Cloud Storage bucket.
I used the code from their official JavaScript library
But if you look at that code, you'll see that it requires authentication. I'm authenticated and able to upload photos, but I want everyone to be able to just upload their files without signing in to their Google Accounts.
Is that possible?
You could use a POST policy doc: https://cloud.google.com/storage/docs/xml-api/post-object#policydocument
This will let you build a signed request with various constraints built in (content-length, content-size, etc.), allowing unauthenticated users to upload to your bucket with the given constraints.
Related
I am building a simple static website selling a single pdf file using the Stripe checkout api.
I would like to be able to generate an expiring download link after the customer successfully purchased the pdf.
I am really not sure about how to do this, but I was thinking about using firebase to store the file in a bucket and somehow use a cloud function to generate a temporary download link that expires after some time, but I am not sure how to go about this (or if this is even the best solution).
Can anyone give me some help about which direction to go here?
Firebase'd download URLs don't expire, although you can revoke the from the Firebase console.
But a better fit for your use-case might be to use Cloud Storage's signed URLs, which have a built-in expiration attribute. You can generate these with the Cloud Storage SDKs or Firebase's Admin SDKs, all of which should only be run in trusted environments - such as your development machine, a server you control, or Cloud Functions.
Also see:
A guide to Firebase Storage download URLs and tokens.
Get Download URL from file uploaded with Cloud Functions for Firebase
Firebase hosting my website. Website has a <iframe> element, it will load aaa.html from bucket in google cloud storage.
<iframe src="https://storage.googleapis.com/bucket/aaa.html" />
And aaa.html will also load other files (js files or img files) stored in the same bucket.
When I use gsutil iam ch allUsers:objectViewer gs://bucket to set bucket public and all files public, website works perfectly. But I do not want that users could link aaa.html without my website. Set bucket public is seems to be incorrect.
So, is there a way to make bucket public to a specific website?
Ok. You mentioned you don't want to make your bucket public. Singed URLs are not for you.
I think you can achieve your goal by doing the following:
Define a service account with the roles and permissions you need to get the stored objects in your bucket. This service account will be used by your application.
Use the GCS API to get into the stored files in your bucket. Here is how to Use a service account to call an API in your code
Hope this is helpful :D
I want to make a server in Node.js that allows users to upload files to AWS S3.
For each file uploaded there is a global unique url by default as shown below:
https://s3.amazonaws.com/aws-website-test-psjjm/about.html
What are the different strategies to setup access control for these files uploaded to S3, using Node.js?
Take a look at the s3 access overview:
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html
There are two types of access control, bucket policy and ACL. Which you use will depend on what you are trying to achieve. You'll need to go through each and decide which works best for you. These can control both account level access and external access to your bucket.
ACL docs
IAM policies docs
Once you know what you want to achieve you can apply those policies to the bucket with a number of methods such as directly on the console, cloudformation, cli.
You can find examples here
I have a webpage through which my users, using a mobile phone, can take pictures and upload them (hopefully) to the Google Cloud (I've got a JSON file, a platform project and an associated storage bucket, as well as all the login details).
However, I'm pretty new to all this and need to know how I'd get the file (coming from a standard <input file="" name="fileupload"/> ) to the Google Cloud space, and also to retrieve the URI of the file. Given that it's an asp.net webpage, I have access to Javascript and C#.
Thanks!
I have a couple of suggestions for you. We have other customers that have solutions which are similar to this architecture and so your proposed solution is good.
Google Cloud Storage (GCS) has a feature called Signed URLs. This allows you to generate a secure URL to an object in a GCS bucket. My colleague wrote the C# sample for this:
https://cloud.google.com/storage/docs/access-control#signing-code-csharp
There's a method in here that you can reuse GetSigningURL.
Each time a user requests the web page, you should generate a Signed URL and use this as the destination URL for the file upload location in your HTML.
If your HTML is generated by ASP.NET (MVC, Web Forms, Web Page), then you can make the call to GetSigningURL when the page is generated server-side. If not, you should wrap the C# code in a Web API and then you could use, e.g. jQuery ($.ajax), to call it from your client.
You may run your ASP.NET code on Google Cloud Platform using either Windows on Google Compute Engine or using Custom Runtimes on Google App Engine.
Full disclosure: I'm a Googler working in cloud as a Strategic Customer Engineer.
I am new to google api. I am able to do this file upload from app script and any file which is uploaded through that script get stored to my drive only.
But how to do this using javascript.
Example on google : https://developers.google.com/drive/web/quickstart/quickstart-js
shows how to do this but file gets uploaded to the same user's drive who is authorizing the app. How to restrict it to my drive only.
Thanks
Simple answer is you cant with JavaScript. The reason being is that JavaScript works with OAuth2 this requires that you ask the user permission to access your data.
If you want to have it access your drive account you would have to save the refreshtoken some place and then send that when ever the script was loaded. JavaScript is client sided so anyone that checked the code on the page would then have all the information they needed to do what ever they wanted with your drive account. Security wise that's a bad idea.
I recommend you look into using a server sided scripting language like PHP. You might want to consider a service account. Note: everything will be owned by the service account so you will either have to give the Service account access to your Google Drive files or you will need to move your drive files to the Service account.
If you don't want the service account to have the files you could go with normal Oauth2 save the refresh token and then store it in the server sided code there wont be as much of security risk there.