I'm conducting a POC where the goal is to store a static website in a private bucket and make it available via a Load Balancer. The idea is to restrict access through Cloud Armor, allowing only a specific range of IPs, which would be used by a VPN. I've already added the Load Balancer's Service Account to the bucket with the 'Storage Admin' permission, but I'm still getting a 'Permission Denied' error when trying to access the website. Has anyone encountered this before or knows what might be missing?
Welcome to Google Cloud Community!
Based on this community thread, @ErnestoC mentioned that there isn't any documentation on setting up a Load Balancer with a private Cloud Storage bucket.
You can make your Google Cloud Storage bucket public and use Cloud Armor to permit access only from specific IP addresses while blocking all others. For more information, please refer to the documentation.
For Cloud Armor, you can set allow and deny rules that control access to your bucket by specifying which IP addresses are allowed and which are denied. Please keep in mind that lower priority numbers are evaluated first.
You also need to grant the 'Storage Object Viewer' role to the users who need to access the website.
Example:
An alternative work around for this issue is adding Cloud CDN to access the private bucket objects.
I hope the above information is helpful.
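To make the "lower priority numbers are evaluated first" point concrete, here is an added Python example (not from the original thread or from Google) that models Cloud Armor's first-match-by-priority evaluation over a VPN allow-list and then shows the pitfall of numbering a deny-all rule below the allow rule. The VPN range 203.0.113.0/24 and the client IPs are constructed sample values, and the `to_gcloud` helper only renders the gcloud commands I understand to be equivalent (edge security policy attached to a backend bucket) as strings; it does not run them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Cloud Armor evaluates rules from the lowest priority number upward and stops
# at the first match; the mandatory default rule sits at priority 2147483647.
DEFAULT_RULE_PRIORITY = 2147483647


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                     # "allow" or "deny(403)"
    src_ip_ranges: Tuple[str, ...]  # CIDR strings, or ("*",) for match-all


def build_vpn_policy(vpn_ranges: Iterable[str]) -> List[Rule]:
    """Allow only the VPN egress ranges; everything else falls to the default deny."""
    return [
        Rule(1000, "allow", tuple(vpn_ranges)),
        Rule(DEFAULT_RULE_PRIORITY, "deny(403)", ("*",)),
    ]


def _rule_matches(rule: Rule, ip) -> bool:
    for cidr in rule.src_ip_ranges:
        if cidr == "*":
            return True
        if ip in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def evaluate(policy: Iterable[Rule], client_ip: str) -> Tuple[str, int]:
    """Return (action, priority) of the first matching rule, lowest number first."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(policy, key=lambda r: r.priority):
        if _rule_matches(rule, ip):
            return rule.action, rule.priority
    raise ValueError("policy has no match-all default rule")


def to_gcloud(policy_name: str, backend_bucket: str, policy: Iterable[Rule]) -> List[str]:
    """Render (not execute) the gcloud commands assumed to be equivalent.
    Backend buckets take an edge security policy, hence --type=CLOUD_ARMOR_EDGE."""
    cmds = [f"gcloud compute security-policies create {policy_name} --type=CLOUD_ARMOR_EDGE"]
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.priority == DEFAULT_RULE_PRIORITY:
            # The default rule already exists; only its action is changed.
            cmds.append(
                f"gcloud compute security-policies rules update {rule.priority} "
                f"--security-policy={policy_name} --action={rule.action}"
            )
        else:
            cmds.append(
                f"gcloud compute security-policies rules create {rule.priority} "
                f"--security-policy={policy_name} --action={rule.action} "
                f"--src-ip-ranges={','.join(rule.src_ip_ranges)}"
            )
    cmds.append(
        f"gcloud compute backend-buckets update {backend_bucket} "
        f"--edge-security-policy={policy_name}"
    )
    return cmds


if __name__ == "__main__":
    vpn = ["203.0.113.0/24"]  # constructed sample VPN egress range (TEST-NET-3)
    policy = build_vpn_policy(vpn)
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, evaluate(policy, ip))
    # Pitfall: a deny-all rule numbered lower than the allow rule is evaluated
    # first and wins, so VPN users are locked out too.
    broken = [Rule(500, "deny(403)", ("*",)), Rule(1000, "allow", tuple(vpn))]
    print("misordered:", evaluate(broken, "203.0.113.7"))
    for cmd in to_gcloud("vpn-only", "static-site-bucket", policy):
        print(cmd)
```

Run it as a script to see the VPN address allowed at priority 1000, the outside address denied by the default rule, and the misordered policy denying the VPN address at priority 500; the rendered commands are a starting point to adapt, not a tested deployment.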
The objective would be to keep the bucket private, but thanks for the help!