If I want to publish private bucket content over the internet, meaning I want to host my static website on a private bucket and add an HTTPS load balancer as the frontend, it's not working.
In AWS, it's easily possible to publish a private bucket through CloudFront.
Hello @abhishek-wings!
Take a look at this guide on how to configure a bucket to host a static website. Cloud Storage doesn't support custom domains with HTTPS on its own; the mentioned guide utilizes Cloud Storage with an external Application Load Balancer to serve content from a custom domain over HTTPS.
Also, take a look at Static website examples and tips for GCP.
If the above option doesn't work, you can contact Google Cloud Support to further look into your case. Let me know if it helped, thanks!
What if there is an Org policy in place that prevents public access to the bucket? What would be Google's workaround for that?
Message:
You cannot add the principals allUsers or allAuthenticatedUsers to the bucket's policy because public access prevention is enforced. This constraint could be enforced at the bucket, project, folder, or organization level. Ask your org or project administrator about access options.
Thanks,
Hi @lai-123,
If I may, the answer to your use case is further down in my answer below.
I hope this helps you.
Hi,
Thank you for the info. The documentation talks about Amazon S3 buckets; does this apply to GCS buckets? Is there Google documentation on that?
Thanks,
Yes, it also concerns GCS.
"Private origin authentication gives Cloud CDN long-term resource access to private Amazon S3 buckets or other compatible object stores"
You will find the information here: https://cloud.google.com/cdn/docs/configure-private-origin-authentication
Kindly
Hi @abhishek-wings
To achieve this, you can use the Private Origin Authentication feature.
Here are non-exhaustive steps you can follow:
I hope this helps you!
@ZKH Unfortunately you cannot do this with a Google Cloud bucket, as the LB backend already has a GCS category, which doesn't have this option to use private origin.