Cloud CDN private origin authentication with Cloud Storage backend

wb

Cloud CDN recently added support for "private origin authentication for Amazon Simple Storage Service (Amazon S3) and compatible object stores". https://cloud.google.com/cdn/docs/release-notes#September_14_2023 

Is private origin authentication not yet possible with Cloud Storage backends? Ideally I want to prevent clients from bypassing Cloud CDN and accessing the origin directly. I was hoping that we could, for example, assign to our Load Balancer a service account with the storage object viewer role.

The docs for Cloud CDN still seem to suggest that the bucket objects must be public unless using signed URLs. https://cloud.google.com/cdn/docs/setting-up-cdn-with-bucket#make_your_bucket_public 

Is this something that will (or already did) change or is this a special accommodation for AWS S3 backends?

Thanks.

1 REPLY

Hi,

Apparently, upon checking the documentation for setting up Cloud Storage, it seems that there is no private origin authentication available for Cloud Storage like the one for Amazon S3. As you observed, to achieve this, we can use a signed URL.

However, I bumped into this documentation that shows how a private GCS bucket can be accessed through Cloud CDN [1]. But please be informed that the link shared is not Google Cloud documentation.

[1] https://medium.com/@thetechbytes/private-gcs-bucket-access-through-google-cloud-cdn-430d940ebad9
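
The signed-URL approach mentioned in the reply, as an added example that is not part of the original thread and not Google's sample code: it builds a Cloud CDN signed URL (`Expires`, `KeyName`, and a base64url HMAC-SHA1 `Signature` over the URL up to that point) and checks it locally. The host `cdn.example.com`, the key name `edge-key-1`, the key bytes, and the `verify_url` helper are assumptions made for illustration; `verify_url` is a local model for testing, not Cloud CDN's implementation.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed 128-bit key, base64url-encoded the way a signed request key is stored.
SAMPLE_KEY = base64.urlsafe_b64encode(b"constructed-key!").decode("ascii")
KEYS = {"edge-key-1": SAMPLE_KEY}  # hypothetical key name -> key


def _mac(url_to_sign: str, key_b64: str) -> str:
    """base64url(HMAC-SHA1(key, url_to_sign))."""
    key = base64.urlsafe_b64decode(key_b64)
    digest = hmac.new(key, url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def sign_url(url: str, key_name: str, key_b64: str, expires_at: int) -> str:
    """Append Expires and KeyName, then sign everything before Signature."""
    sep = "&" if urlsplit(url).query else "?"
    to_sign = f"{url}{sep}Expires={int(expires_at)}&KeyName={key_name}"
    return f"{to_sign}&Signature={_mac(to_sign, key_b64)}"


def verify_url(signed_url: str, keys: dict, now=None) -> bool:
    """Local model of the check: known key, not expired, signature matches."""
    to_sign, sep, signature = signed_url.rpartition("&Signature=")
    if not sep:
        return False
    params = parse_qs(urlsplit(to_sign).query)
    try:
        expires = int(params["Expires"][-1])
        key_b64 = keys[params["KeyName"][-1]]
    except (KeyError, ValueError):
        return False
    if expires <= (time.time() if now is None else now):
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(_mac(to_sign, key_b64), signature)


if __name__ == "__main__":
    url = sign_url("https://cdn.example.com/private/report.pdf",
                   "edge-key-1", SAMPLE_KEY, int(time.time()) + 300)
    print(url, verify_url(url, KEYS))
```

Because the path and expiry are covered by the signature, changing either one invalidates the URL, so a short `Expires` window limits how long a leaked link stays usable.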