google-cloud-platform pre-signed-url

Is it safe to use Google Cloud Signed URLs for anonymous user uploads directly from the browser?


A Google Cloud signed URL looks like this, which seems pretty insecure to give to an anonymous user to upload a file from the browser:

https://storage.googleapis.com/mybucketname/mypath.extension
  ?X-Goog-Algorithm=GOOG4-RSA-SHA256
  &X-Goog-Credential=my-service-account-name@myprojectname.iam.gserviceaccount.com%2Fsomenumber%2Fauto%2Fstorage%2Fgoog4_request
  &X-Goog-Date=20240209T090634Z
  &X-Goog-Expires=7200
  &X-Goog-SignedHeaders=content-type%3Bhost
  &X-Goog-Signature=somehash

The fact that it includes mybucketname is probably okay, but my-service-account-name@myprojectname for the IAM service? And then I'm unsure what you can unpack from the Goog-Signature, whether it's safe to give to anonymous users or whether they can hack into it to escalate access somehow.

I was planning (after advice from several developers on the web) to get a signed URL and use it to upload a large file such as a video directly from the browser, so it takes the shortest path and doesn't need to go through the server. But is it safe? Or should I do it another way?


Solution

  • Signed URLs contain authentication information in their query string, allowing users without credentials to perform specific actions on a resource. When you generate a signed URL, you specify a user or service account which must have sufficient permission to make the request that the signed URL will make. After you generate a signed URL, anyone who possesses it can use the signed URL to perform specified actions, such as reading an object, within a specified period of time.

    Using signed URLs to upload files directly from the browser to Google Cloud Storage is generally considered safe, but there are some security considerations to keep in mind. This is explained clearly in the blog post Using signed URLs to simplify data uploads by Emerick Bosch:

    • Signed URLs can be used by anyone while they are valid.
    • Signed URLs do not perform data validation.
    • Using signed URLs does not remove the need to have an authority for storage access.
    • Authorization for a signed URL occurs when it is used, not when it is created.

    Signed URLs (uploads) for anonymous accounts. Rethink why you want anonymous users to upload anything. Fraud and identity impersonation are already too easy today. They will be able to upload large videos to your bucket. It is a bucket you own, so you pay and you are legally responsible. Sites which allow anonymous users to upload content implement various measures to address legal risks. As guillaume blaquiere mentioned, you should review that with a legal expert.
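To make concrete what the X-Goog-Signature in the question's URL does and does not protect, here is an added example (not from the answer, and not Google's client library code) that rebuilds the documented V4 string-to-sign in Go, signs it with a locally generated RSA key standing in for the service account key, and then plays the storage side at use time: the genuine URL verifies, while a copy with X-Goog-Expires stretched to a week or the object path changed to another object does not. Bucket, object and account names come from the question; the PUT method and the video/mp4 content type are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// Everything a URL holder can read from the query string and request; only the signing key is withheld.
type SignedParams struct{ Method, Path, Credential, Date, Expires, ContentType string }

// stringToSign rebuilds the V4 signing input: the hashed canonical request bound to timestamp and scope.
func stringToSign(p SignedParams) string {
	q := url.Values{"X-Goog-Algorithm": {"GOOG4-RSA-SHA256"}, "X-Goog-Credential": {p.Credential},
		"X-Goog-Date": {p.Date}, "X-Goog-Expires": {p.Expires}, "X-Goog-SignedHeaders": {"content-type;host"}}
	canon := p.Method + "\n" + p.Path + "\n" + q.Encode() + "\ncontent-type:" + p.ContentType +
		"\nhost:storage.googleapis.com\n\ncontent-type;host\nUNSIGNED-PAYLOAD"
	h := sha256.Sum256([]byte(canon))
	return "GOOG4-RSA-SHA256\n" + p.Date + "\n" + p.Date[:8] + "/auto/storage/goog4_request\n" + hex.EncodeToString(h[:])
}

// sign is the issuer's step: RSA-SHA256 (PKCS#1 v1.5) with the service account's private key.
func sign(key *rsa.PrivateKey, p SignedParams) (string, error) {
	d := sha256.Sum256([]byte(stringToSign(p)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return hex.EncodeToString(sig), err
}

// verify is the storage side at use time: recompute from what is actually presented and check the signature.
func verify(pub *rsa.PublicKey, p SignedParams, sigHex string) bool {
	sig, _ := hex.DecodeString(sigHex) // malformed hex decodes to a prefix that cannot verify
	d := sha256.Sum256([]byte(stringToSign(p)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// tamperCheck issues one upload URL, then presents a stretched expiry and a different object path.
func tamperCheck() (genuine, longerExpiry, otherObject bool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the service account key
	p := SignedParams{"PUT", "/mybucketname/mypath.extension", "my-service-account-name@myprojectname.iam.gserviceaccount.com/20240209/auto/storage/goog4_request", "20240209T090634Z", "7200", "video/mp4"}
	sig, _ := sign(key, p) // signing with a freshly generated key does not fail
	longer, other := p, p
	longer.Expires, other.Path = "604800", "/mybucketname/other-object.mp4"
	return verify(&key.PublicKey, p, sig), verify(&key.PublicKey, longer, sig), verify(&key.PublicKey, other, sig)
}

func main() { fmt.Println(tamperCheck()) } // true false false
```

The service account e-mail in X-Goog-Credential is an identity, not a secret; what the holder gets is one PUT to one object with one content type for the signed window, and nothing in the URL lets them widen that without the key.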