0

I want to perform the following:

  1. Create a signed URL using gsutil signurl. (https://cloud.google.com/storage/docs/access-control/create-signed-urls-gsutil)
  2. On a separate machine, issue the gsutil rsync command without authenticating the gsutil tool by using the secure URL generated in step 1.

Is such a thing possible?

I know that I could programmatically download files as described in the answer to Google cloud storage signed url chunked download In python?, but I am wondering if it is possible to use gsutil in an un-authenticated manner using the created secure URL.

kbrose

1 Answer

2

No. The main problem with this approach is that a signed URL is only good for one operation, and rsync involves many operations (listing objects, uploading objects, downloading objects). You'd either need to create a custom rsync implementation with a remote server that vends signed URLs, or authenticate on the separate machine.

Alternatively, if you can't allow the separate machine to access your credentials, you could have it rsync to some dedicated bucket for which it has its own credentials and then have a second machine that you do trust with credentials to sync those two buckets.

Brandon Yarbrough
  • Thanks for responding! If I was only interested in using rsync to download from the bucket to the local computer, would that only use GET requests (for listing and downloading)? I admit I'm not super familiar with this kind of stuff. – kbrose Feb 20 '18 at 23:17
  • Also, some context: I am working with a client who does not want to have to authenticate via a google account for "security reasons". Ignoring whether or not that is reasonable, this is why I am trying to allow them to use rsync without authenticating with a google account. – kbrose Feb 20 '18 at 23:19
  • It would only use GET requests, but each individual request needs to be signed, which makes them not very useful for gsutil. Gsutil's designed to be used with some sort of credential or in cases where anonymous reading is fine. – Brandon Yarbrough Feb 21 '18 at 07:00
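
The answer's idea of a custom sync with a trusted server that vends signed URLs, as an added example (not code from the answer or from gsutil): the trusted side lists the bucket and signs one short-lived GET URL per object with the google-cloud-storage client, and the machine without credentials downloads only what differs. The manifest layout, the function names and the 15-minute expiry are assumptions made for this example.

```python
import base64, hashlib, os, urllib.request
from datetime import timedelta


def build_manifest(bucket_name, prefix=""):
    """Trusted side: list objects, sign one GET URL each (needs signing credentials)."""
    from google.cloud import storage  # lazy import: only the trusted side needs it
    blobs = storage.Client().list_blobs(bucket_name, prefix=prefix)
    return [{"name": b.name, "md5": b.md5_hash,  # md5 is None for composite objects
             "url": b.generate_signed_url(version="v4", method="GET",
                                          expiration=timedelta(minutes=15))}
            for b in blobs if not b.name.endswith("/")]


def local_md5(path):
    """Base64 MD5 of a local file, the encoding GCS reports for objects."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode()


def safe_target(dest, name):
    """Resolve an object name under dest; reject names that escape it."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError(f"object name escapes destination: {name!r}")
    return target


def plan(manifest, dest):
    """Credential-less side: entries whose local copy is missing or differs."""
    todo = []
    for entry in manifest:
        target = safe_target(dest, entry["name"])
        if not os.path.isfile(target) or local_md5(target) != entry["md5"]:
            todo.append((entry, target))
    return todo


def sync(manifest, dest):
    """Fetch each stale object through its own signed URL."""
    for entry, target in plan(manifest, dest):
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with urllib.request.urlopen(entry["url"]) as r, open(target, "wb") as f:
            while chunk := r.read(1 << 20):
                f.write(chunk)
```

The manifest itself grants read access to every object it names until the URLs expire, so it should travel over an authenticated channel and be regenerated for each sync run.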