Please note that the contents of this offline web site may be out of date. To access the most recent documentation visit the online version .
Note that links that point to online resources are green in color and will open in a new window.
We would love it if you could give us feedback about this material by filling this form (You have to be online to fill it)



signurl - Create a signed url

  1. signurl - Create a signed url
    1. Synopsis
    2. Description
    3. Options
    4. Usage

signurl - Create a signed url

Synopsis

gsutil signurl pkcs12-file url...

Description

The signurl command will generate signed urls that can be used to access the specified objects without authentication for a specific period of time.

Please see the Signed URLs documentation https://developers.google.com/storage/docs/accesscontrol#Signed-URLs for background about signed URLs.

Multiple gs:// urls may be provided and may contain wildcards. A signed url will be produced for each provided url, authorized for the specified HTTP method and valid for the given duration.

Note: Unlike the gsutil ls command, the signurl command does not support operations on sub-directories. For example, if you run the command: 

gsutil signurl <private-key-file> gs://some-bucket/some-object/

The signurl command uses the private key for a service account (the ‘<private-key-file>’ argument) to generate the cryptographic signature for the generated URL. The private key file must be in PKCS12 format. The signurl command will prompt for the passphrase used to protect the private key file (default ‘notasecret’). For more information regarding generating a private key for use with the signurl command please see the Authentication documentation. https://developers.google.com/storage/docs/authentication#generating-a-private-key

gsutil will look up information about the object “some-object/” (with a trailing slash) inside bucket “some-bucket”, as opposed to operating on objects nested under gs://some-bucket/some-object. Unless you actually have an object with that name, the operation will fail.

Options

-m Specifies the HTTP method to be authorized for use with the signed url, default is GET.
-d

Specifies the duration that the signed url should be valid for, default duration is 1 hour.

Times may be specified with no suffix (default hours), or with s = seconds, m = minutes, h = hours, d = days.

This option may be specified multiple times, in which case the duration the link remains valid is the sum of all the duration options.

-c Specifies the content type for which the signed url is valid for.
-p Specify the keystore password instead of prompting.

Usage

Create a signed url for downloading an object valid for 10 minutes: 

gsutil signurl <private-key-file> -d 10m gs://<bucket>/<object>

Create a signed url for uploading a plain text file via HTTP PUT: 

gsutil signurl <private-key-file> -m PUT -d 1h gs://<bucket>/<object>

To construct a signed URL that allows anyone in possession of the URL to PUT to the specified bucket for one day, creating any object of Content-Type image/jpg, run: 

gsutil signurl <private-key-file> -m PUT -d 1d -c image/jpg gs://<bucket>/<obj>

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License , and code samples are licensed under the Apache 2.0 License . For details, see our Site Policies .

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.