
Accessing a restricted bucket from a frontend app

I have a frontend application (k8s) that requires the users to have a Google account in order to access it, and a Google bucket that grants access only to allAuthenticatedUsers.

When I try to access the contents of the bucket I'm getting a permissions error back.

Does the bucket need to have the same domain as the frontend that is calling it?

What is the recommended way to get access to a restricted bucket from a frontend?

2 REPLIES

Hi @nmnbd,

Welcome to Google Cloud Community!

It is not necessary for the bucket to have the same domain as the frontend application. However, you will need to configure your Google Cloud Storage bucket to allow access to your authenticated users, as well as configure your frontend application to authenticate with Google using OAuth2.0.

To allow access to authenticated users, you can use IAM roles and permissions to grant access to specific Google accounts, service accounts, or groups. You can also use signed URLs or signed cookies to grant temporary access to objects in the bucket.

To configure your frontend application to authenticate with Google using OAuth2.0, you can use the Google Sign-In API or the Google OAuth2.0 API. Once your users have authenticated, you can use their access token to authorize access to your Google Cloud Storage bucket.

It's important to note that granting access to allAuthenticatedUsers is not recommended for production environments, as it allows anyone with a Google account to access your bucket. It's generally better to grant access to specific users or groups, or use signed URLs or cookies for temporary access.

Thanks.

Do you know if any of the proposed solutions can be implemented on a frontend?

If I understand correctly how OAuth2.0 works, I will have to create an endpoint (cloud function or a k8s API) to avoid exposing secrets on the frontend?

Do you know if the same thing applies for the sign-in API?

edit: It seems that the sign-in API is going to be deprecated? https://developers.google.com/identity/sign-in/web/sign-in
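
Added example, not part of the original thread: a browser-side read of an object using the signed-in user's access token, as the first reply describes, via the Cloud Storage JSON API. The bucket and object names, the helper names and the injectable `fetchImpl` are assumptions; the token is assumed to come from the app's Google OAuth 2.0 sign-in with a Cloud Storage read scope (for example `https://www.googleapis.com/auth/devstorage.read_only`).

```javascript
// Added example: read an object from a restricted bucket with the signed-in
// user's OAuth 2.0 access token. Bucket and object names are placeholders.
const GCS_API = "https://storage.googleapis.com/storage/v1";

// Build the JSON API media-download request. The object name is a single
// path segment, so any "/" inside it must be percent-encoded.
function buildObjectRequest(bucket, objectName, accessToken) {
  if (!accessToken) {
    // Without a token the request is anonymous, and allAuthenticatedUsers
    // does not match anonymous callers.
    throw new Error("no access token: request would be anonymous");
  }
  const url = `${GCS_API}/b/${encodeURIComponent(bucket)}/o/` +
              `${encodeURIComponent(objectName)}?alt=media`;
  return { url, headers: { Authorization: `Bearer ${accessToken}` } };
}

// Map the status codes a caller is likely to see to their usual cause.
function explainStatus(status) {
  switch (status) {
    case 200: return "ok";
    case 401: return "token missing, expired or invalid: sign in again";
    case 403: return "signed in, but this principal lacks storage.objects.get";
    case 404: return "bucket or object not found";
    default:  return `unexpected status ${status}`;
  }
}

// fetchImpl is injectable so the function can be exercised without a network.
async function fetchObject(bucket, objectName, accessToken, fetchImpl = fetch) {
  const { url, headers } = buildObjectRequest(bucket, objectName, accessToken);
  const res = await fetchImpl(url, { headers });
  if (!res.ok) {
    throw new Error(`GCS ${res.status}: ${explainStatus(res.status)}`);
  }
  return res.blob();
}
```

The request carries only the user's short-lived access token, so no client secret or service account key is shipped in the frontend bundle.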