1. Granting temporary access to GCP Storage with signed URLs


    To grant temporary access to objects in a Google Cloud Storage (GCS) bucket via signed URLs, you need to perform the following steps:

    1. Ensure you have the appropriate permissions to generate signed URLs.
    2. Use a service account with the necessary IAM permissions.
    3. Generate a signed URL that provides time-limited access to a specific GCS object.

    In this Pulumi program, I will show you how to set up a Google Cloud Storage Bucket, upload an object, and then generate a signed URL for that object. The signed URL will grant temporary access to the object, which is useful for scenarios where you'd like to share files with users without giving them direct access to your GCP infrastructure.

    Here is a TypeScript program that creates a GCS bucket, uploads an object to the bucket, and generates a signed URL for that object:

```typescript
import * as pulumi from '@pulumi/pulumi';
import * as gcp from '@pulumi/gcp';

// Step 1: Create a GCS bucket
const bucket = new gcp.storage.Bucket('my-bucket', {
    location: 'US',
});

// Step 2: Upload an object to the GCS bucket
const bucketObject = new gcp.storage.BucketObject('my-object', {
    bucket: bucket.name,
    source: new pulumi.asset.FileAsset('path/to/your/file'), // Path to the file you want to upload
    contentType: 'application/octet-stream', // Make sure to set the appropriate content type
});

// Since Pulumi doesn't currently support generating signed URLs directly,
// we will provide a guide on how you can do it using the Google Cloud SDK in Node.js.

// Output the bucket name and object name, which are required for generating a signed URL
export const bucketName = bucket.name;
export const objectName = bucketObject.name;
```

    In the program above, FileAsset is used to upload a file to the GCS bucket. You need to replace 'path/to/your/file' with the actual file path you want to upload.

    Now, let's see how to generate a signed URL in Node.js using the Google Cloud SDK:

    Before running the following script, ensure the @google-cloud/storage library is installed in your Node.js project (npm install @google-cloud/storage) and that the Google Cloud SDK is authenticated with a service account that has access to the bucket.

```typescript
import { Storage } from '@google-cloud/storage';

// Initialize the Google Cloud Storage client with your GCP project ID
const storage = new Storage({ projectId: 'your-project-id' });

// Replace 'bucketName' and 'objectName' with actual values from the Pulumi outputs
const bucketName = 'your-bucket-name';
const objectName = 'your-object-name';

async function generateSignedUrl() {
    // Define the URL expiration time, e.g., 15 minutes from now
    const expiration = new Date();
    expiration.setMinutes(expiration.getMinutes() + 15);

    // Generate the signed URL for the object (V4 signing, read-only access)
    const [url] = await storage
        .bucket(bucketName)
        .file(objectName)
        .getSignedUrl({
            version: 'v4',
            action: 'read',
            expires: expiration,
        });

    console.log('Generated signed URL:', url);
    return url;
}

generateSignedUrl()
    .then((url) => {
        // Use the signed URL for granting temporary access to the object
        // You can share this URL with users who need temporary access to the file
    })
    .catch((err) => {
        // Surface signing/authentication failures instead of leaving an unhandled rejection
        console.error('Failed to generate signed URL:', err);
        process.exitCode = 1;
    });
```

    In the script above, replace 'your-project-id', 'your-bucket-name', and 'your-object-name' with the actual project ID, bucket name, and object name you used or obtained from the Pulumi stack outputs.

    Running this script prints a signed URL that you can share with users to give them temporary read access to the object in your bucket. The URL expires 15 minutes after it was generated. Adjust the expiration time and permissions as needed for your use case.
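To make concrete what getSignedUrl produces, and how to check a URL you later find in an access log, here is an added example (not code from the original page, Pulumi, or Google) that re-implements the documented V4 query-parameter signing scheme with Node's built-in crypto module. It generates a throwaway RSA key pair in place of a real service-account key so that it runs offline; the signer e-mail, the buildSignedUrl and verifySignedUrl function names, and the bucket and object names are assumptions for the example. The signer enforces the 7-day ceiling that V4 signed URLs have, and the verifier recomputes the string-to-sign from the URL, checks the RSA signature and reports when the URL expires, which is the check you want when auditing whether a leaked URL is still live or has been tampered with.

```typescript
import * as crypto from 'node:crypto';

// Constructed for this example: a throwaway RSA key pair stands in for the
// service-account private key. In practice the key comes from the service
// account's JSON credential and is never embedded in source.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
export const signerPublicKey = publicKey;
const SIGNER_EMAIL = 'signer@example-project.iam.gserviceaccount.com'; // placeholder identity
const HOST = 'storage.googleapis.com';
const ALGORITHM = 'GOOG4-RSA-SHA256';
export const MAX_EXPIRY_SECONDS = 7 * 24 * 60 * 60; // V4 signed URLs are capped at 7 days

const sha256hex = (s: string): string => crypto.createHash('sha256').update(s).digest('hex');

// YYYYMMDD'T'HHMMSS'Z', the format used by X-Goog-Date
function formatGoogDate(d: Date): string {
  return d.toISOString().replace(/[-:]/g, '').replace(/\.\d{3}/, '');
}

// Inverse of formatGoogDate; returns null on malformed input
export function parseGoogDate(s: string): Date | null {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s);
  if (!m) return null;
  const [y, mo, d, h, mi, sec] = m.slice(1).map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, sec));
}

// Query string sorted by parameter name and percent-encoded, as the canonical request requires
function canonicalQuery(params: Record<string, string>): string {
  return Object.keys(params).sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`).join('&');
}

// Canonical request and string-to-sign, shared by signer and verifier so they cannot drift apart
function stringToSign(path: string, query: string, datetime: string, scope: string): string {
  const canonicalRequest = ['GET', path, query, `host:${HOST}\n`, 'host', 'UNSIGNED-PAYLOAD'].join('\n');
  return [ALGORITHM, datetime, scope, sha256hex(canonicalRequest)].join('\n');
}

export function buildSignedUrl(bucket: string, object: string, expiresSeconds: number, now = new Date()): string {
  if (!Number.isInteger(expiresSeconds) || expiresSeconds <= 0 || expiresSeconds > MAX_EXPIRY_SECONDS) {
    throw new RangeError(`expiry must be between 1 and ${MAX_EXPIRY_SECONDS} seconds`);
  }
  const datetime = formatGoogDate(now);
  const scope = `${datetime.slice(0, 8)}/auto/storage/goog4_request`;
  // Each path segment is encoded separately so '/' in the object name stays a separator
  const path = `/${bucket}/` + object.split('/').map(encodeURIComponent).join('/');
  const query = canonicalQuery({
    'X-Goog-Algorithm': ALGORITHM,
    'X-Goog-Credential': `${SIGNER_EMAIL}/${scope}`,
    'X-Goog-Date': datetime,
    'X-Goog-Expires': String(expiresSeconds),
    'X-Goog-SignedHeaders': 'host',
  });
  const signature = crypto.sign('sha256', Buffer.from(stringToSign(path, query, datetime, scope)), privateKey);
  return `https://${HOST}${path}?${query}&X-Goog-Signature=${signature.toString('hex')}`;
}

export interface Verification { valid: boolean; expiresAt: Date | null; reason: string }

// Defender-side check: re-derive the string-to-sign from a URL (for example one seen in an
// access log), verify the RSA signature and compute when the URL stops working.
export function verifySignedUrl(url: string, pubKey: crypto.KeyObject, now = new Date()): Verification {
  const u = new URL(url);
  const params: Record<string, string> = {};
  u.searchParams.forEach((v, k) => { params[k] = v; });
  const signatureHex = params['X-Goog-Signature'] ?? '';
  delete params['X-Goog-Signature'];
  const datetime = params['X-Goog-Date'] ?? '';
  const issuedAt = parseGoogDate(datetime);
  const expires = Number(params['X-Goog-Expires']);
  const credential = params['X-Goog-Credential'] ?? '';
  if (u.host !== HOST || params['X-Goog-Algorithm'] !== ALGORITHM || !issuedAt || !Number.isInteger(expires) || !credential) {
    return { valid: false, expiresAt: null, reason: 'malformed' };
  }
  const scope = credential.split('/').slice(1).join('/'); // everything after the signer e-mail
  const expected = stringToSign(u.pathname, canonicalQuery(params), datetime, scope);
  let sigOk = false;
  try {
    sigOk = crypto.verify('sha256', Buffer.from(expected), pubKey, Buffer.from(signatureHex, 'hex'));
  } catch {
    sigOk = false;
  }
  const expiresAt = new Date(issuedAt.getTime() + expires * 1000);
  if (!sigOk) return { valid: false, expiresAt, reason: 'bad signature' };
  if (now.getTime() >= expiresAt.getTime()) return { valid: false, expiresAt, reason: 'expired' };
  return { valid: true, expiresAt, reason: 'ok' };
}
```

Note that every query parameter, including X-Goog-Expires, is covered by the signature: changing the expiry on an existing URL invalidates it, which is why the verifier reports "bad signature" rather than a later expiry for a tampered URL. The signing key stays on the server; only the public key is needed to audit URLs.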

    Remember to always keep your service account credentials secure and use least privilege IAM policies to minimize the risk of unauthorized access.