Skip to content

googleStorageObjectSignedUrl

The Google Cloud storage signed URL data source generates a signed URL for a given storage object. Signed URLs provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account.

For more info about signed URL's is available here.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const dataGoogleStorageObjectSignedUrlArtifact =
  new google.dataGoogleStorageObjectSignedUrl.DataGoogleStorageObjectSignedUrl(
    this,
    "artifact",
    {
      bucket: "install_binaries",
      path: "path/to/install_file.bin",
    }
  );
new google.computeInstance.ComputeInstance(this, "vm", {
  name: "vm",
  provisioner: [
    {
      "remote-exec": [
        {
          inline: [
            `wget '\${${dataGoogleStorageObjectSignedUrlArtifact.signedUrl}}' -O install_file.bin`,
            "chmod +x install_file.bin",
            "./install_file.bin",
          ],
        },
      ],
    },
  ],
});

Full Example

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.dataGoogleStorageObjectSignedUrl.DataGoogleStorageObjectSignedUrl(
  this,
  "get_url",
  {
    bucket: "fried_chicken",
    content_md5: "pRviqwS4c4OTJRTe03FD1w==",
    content_type: "text/plain",
    credentials: '${file("path/to/credentials.json")}',
    duration: "2d",
    extension_headers: [
      {
        "x-goog-if-generation-match": 1,
      },
    ],
    path: "path/to/file",
  }
);

Argument Reference

The following arguments are supported:

  • bucket - (Required) The name of the bucket to read the object from

  • path - (Required) The full path to the object inside the bucket

  • httpMethod - (Optional) What HTTP Method will the signed URL allow (defaults to get)

  • duration - (Optional) For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1H). See here for info on valid duration formats.

  • credentials - (Optional) What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials attribute, provider credentials attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.

    NOTE the default google credentials configured by gcloud sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid json service account credentials key file must be used, as generated via Google cloud console.

  • contentType - (Optional) If you specify this in the datasource, the client must provide the contentType HTTP header with the same value in its request.

  • contentMd5 - (Optional) The MD5 digest value in Base64. Typically retrieved from googleStorageBucketObjectObjectMd5Hash attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the contentMd5 HTTP header with this same value in its request.

  • extensionHeaders - (Optional) As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with xGoog is accepted but see the Google Docs for list of headers that are supported by Google.

Attributes Reference

The following attributes are exported:

  • signedUrl - The signed URL that can be used to access the storage object without authentication.