This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

How can I access static data from a GCP private bucket using Google Cloud CDN with ALB IP

Posted 4 weeks ago
HadeedDevops
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I'm trying to serve static content from a Google Cloud Storage (GCS) private bucket via Google Cloud CDN and a HTTPS Load Balancer. I've attached my custom domain and set up the load balancer, but I can't access the static files. I’ve tried:

  • Granting Storage Object Viewer and Storage Legacy Object Reader to the load balancer’s service account.

  • Setting the backend bucket in the load balancer.

  • Disable Enabling Cloud CDN.

  • Domain is properly attached and SSL is active.

Still, I get a 403 Forbidden or 404 Not Found error when trying to access files via the domain.


Domain Search shows.
This XML file does not appear to have any style information associated with it. The document tree is shown below.
Error
AccessDenied
Access denied
Error

What is the correct way to configure a private GCS bucket with Google Cloud CDN and load balancer while keeping the bucket private but accessible via the custom domain?
example.com/data/*  trying to access but above error.

Thanks in advance!

0 2 112
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
a_aleinikov
Silver 4
Silver 4
Reply posted on --/--/---- --:-- AM

Hi @HadeedDevops ,
To serve static content from a private GCS bucket behind Cloud CDN + HTTPS Load Balancer, follow these steps:

  1. Create a backend bucket pointing to the private GCS bucket.

  2. Set an “Origin Access Identity” (signed URL or signed cookie setup) — GCP calls this “signed requests” — to allow the load balancer to access the private bucket.

  3. Ensure the bucket has “Uniform bucket-level access” enabled.

  4. Grant “Storage Object Viewer” role to the load balancer’s service account at the bucket level, not just project.

  5. Use signed URLs or signed cookies to let clients access content without opening the bucket to the public.

Without signed access, the bucket will block requests even if the load balancer and CDN are correctly set.

0 Likes

Posted on --/--/---- --:-- AM
HadeedDevops
Bronze 1
Bronze 1
In response to a_aleinikov
Reply posted on --/--/---- --:-- AM

There is no service account appearing for the load balancers. The load balancer is currently using the Network Admin service account. I have already granted the required permissions, including Storage Admin and Viewer roles. However, at step 5, I encountered an error. Since I am operating within the organization with full access (Admin and Owner roles), I am unsure what the issue might be. Would it be possible to have a quick Google Meet call so you can assist and guide me through this?

0 Likes
Top Labels in this Space
Top Solution Authors
View all