I want to host files that my users upload to my web application in google cloud buckets…the problem there is that I need to have the permissions open to the public because I also need to retrieve the files when they go to certain pages.
This is obviously a big security risk, because even if I name the files with a uid in the file path (ie…"attachments/user_id/some_other_id/individual_file_uid/NameOfFile"), an attacker could just navigate to https://www.googleapis.com/storage/v1/b/my_bucket/o/attachments and it would list out all the directories and files I have in that publicly accessible bucket. But in order to include these files in my web app via <img/> tags, I don't know another way of restricting access to those files without getting in the way of the img src.
The only thing I could come up with is restricting the GETting of these files by individual domain name. Ie…if my web applications is hosted at application.example.com, I would restrict the files to be accessible only by application.example.com. I found some stuff here: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains but I think it isn't talking about restricting access by domain name, but by organizational domain.
So I guess my question is really two fold:
- Am I looking at this wrong? Is there a better way to store these images securely while also being accessible by my web application?
- How can I restrict the access of these files by domain name?
Best Answer
Yes, you are looking at this wrong in respect to the document link you provided.
You cannot restrict or grant access to Cloud Storage by DNS domain name. You can either make a Cloud Storage bucket public, use Signed-URLs to permit access, use the Cloud SDK APIs or use Identity Based Access Control.
Signed URLs
You cannot. This feature is not part of Cloud Storage. See my previous comments for more information.
Your only option (considering security) is to use Signed-URLs.