1

I'm setting up a Coldline bucket for unstructured data backup.

The bucket-level public access setting for my Coldline storage bucket is set to "Per Object" and the object-level public access setting is "Not Public".

But whenever I generate an access link to my private storage objects, I'm able to use the generated access links without any credentials (say incognito).

Does this mean if someone is able to generate (highly unlikely) or able to snoop my GET requests (highly likely) they get view access to my private stored objects?

1 Answer

2

I think you are referring to the usage of Signed URLs that can be implemented to give time-limited read or write access for GCP buckets and objects. Keep in mind that this method will give access to anyone in possession of the URL, regardless of whether they have a Google account, as you well mentioned.

If you want to implement user-authenticated methods, it is recommended to use IAM and ACL permissions. You can take a look at the Access Control Options document to learn more about the available alternatives to control who has access to your Cloud Storage.

Armin_SC
  • The object-level "Public Access" shows "Not Public" and the permissions only have my id set as the owner with no other reader/owner permissions. This is a fresh deployment and I haven't enabled any of the time expiration access settings. It's just that even when I haven't set a Signed URL, whenever I simply open a private object in my browser, the HTTPS URL that is generated stays accessible even without my GCP cookies. – SanthoshKumar Oct 03 '18 at 16:06
  • 1
    This is an expected behaviour. You can open the file when using this **HTTPS URL** since it has already been authenticated through the right permission (it was opened with your account credentials); therefore, unless the person who has access to the object explicitly shares the link with others, I think you shouldn't have unauthorized access issues. Additionally, the HTTPS protocol is implemented in order to encrypt the request and the URL content; you can take a look [here](https://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https) to know more about this matter. – Armin_SC Oct 03 '18 at 19:24
  • Exactly. I would like to say that this behavior doesn't happen in Azure storage since every access to a private object's URL requires authentication using my cookies. – SanthoshKumar Oct 04 '18 at 10:57
  • I think this is considered an expected behavior in GCP; however, in case you want to suggest some change to this functionality, you can use the **Send Feedback** button located at the lower left and upper right corners of the [service public documentation](https://cloud.google.com/storage/docs/), as well as take a look at the [Issue Tracker](https://cloud.google.com/support/docs/issue-trackers#feature_requests) tool to raise a [GCS feature request](https://issuetracker.google.com/issues/new?component=187243&template=1009628) in order to notify Google about this desired behaviour. – Armin_SC Oct 04 '18 at 12:38
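
To make the answer's point about Signed URLs concrete, here is an added example (not part of the original answer or comments) that parses a Cloud Storage URL's query string and reports whether it is a signed URL, which account signed it, and when it stops working. The sample URLs, bucket, service account and signature values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs: bucket, object, signer and signature are placeholders.
SIGNER = "backup-signer@example-project.iam.gserviceaccount.com"
V4_URL = ("https://storage.googleapis.com/example-backups/dump.tar"
          "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
          f"&X-Goog-Credential={SIGNER}%2F20181003%2Fauto%2Fstorage%2Fgoog4_request"
          "&X-Goog-Date=20181003T160000Z&X-Goog-Expires=900"
          "&X-Goog-SignedHeaders=host&X-Goog-Signature=0a1b2c")
V2_URL = ("https://storage.googleapis.com/example-backups/dump.tar"
          f"?GoogleAccessId={SIGNER}&Expires=1538582400&Signature=c2lnbmF0dXJl")
PLAIN_URL = "https://storage.googleapis.com/example-backups/dump.tar"


def inspect_gcs_url(url, now=None):
    """Report whether a URL is a signed (bearer) URL, who signed it, and its expiry."""
    now = now or datetime.now(timezone.utc)
    q = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        if "x-goog-signature" in q:  # V4 signing: issue time plus lifetime in seconds
            issued = datetime.strptime(q["x-goog-date"], "%Y%m%dT%H%M%SZ")
            expires = issued.replace(tzinfo=timezone.utc) + timedelta(
                seconds=int(q["x-goog-expires"]))
            version, signer = "v4", q["x-goog-credential"].split("/")[0]
        elif "signature" in q:  # V2 signing: absolute Unix expiry time
            expires = datetime.fromtimestamp(int(q["expires"]), tz=timezone.utc)
            version, signer = "v2", q["googleaccessid"]
        else:
            # No signature parameters: access is decided by IAM/ACLs, not the URL.
            return {"signed": False}
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed signed URL: {exc!r}") from exc
    left = int((expires - now).total_seconds())
    # While seconds_left > 0 the URL alone is the credential: no account is checked.
    return {"signed": True, "version": version, "signer": signer,
            "expires_at": expires, "seconds_left": left, "live": left > 0}


if __name__ == "__main__":
    for u in (V4_URL, V2_URL, PLAIN_URL):
        print(inspect_gcs_url(u))
```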