1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. storage
  5. getObjectSignedUrl
Google Cloud Classic v7.29.0 published on Wednesday, Jun 26, 2024 by Pulumi


Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.29.0 published on Wednesday, Jun 26, 2024 by Pulumi

    The Google Cloud storage signed URL data source generates a signed URL for a given storage object. Signed URLs provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account.

    For more info about signed URL’s is available here.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    const artifact = gcp.storage.getObjectSignedUrl({
        bucket: "install_binaries",
        path: "path/to/install_file.bin",
    const vm = new gcp.compute.Instance("vm", {name: "vm"});
    import pulumi
    import pulumi_gcp as gcp
    artifact = gcp.storage.get_object_signed_url(bucket="install_binaries",
    vm = gcp.compute.Instance("vm", name="vm")
    package main
    import (
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := storage.GetObjectSignedUrl(ctx, &storage.GetObjectSignedUrlArgs{
    			Bucket: "install_binaries",
    			Path:   "path/to/install_file.bin",
    		}, nil)
    		if err != nil {
    			return err
    		_, err = compute.NewInstance(ctx, "vm", &compute.InstanceArgs{
    			Name: pulumi.String("vm"),
    		if err != nil {
    			return err
    		return nil
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    return await Deployment.RunAsync(() => 
        var artifact = Gcp.Storage.GetObjectSignedUrl.Invoke(new()
            Bucket = "install_binaries",
            Path = "path/to/install_file.bin",
        var vm = new Gcp.Compute.Instance("vm", new()
            Name = "vm",
    package generated_program;
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.storage.StorageFunctions;
    import com.pulumi.gcp.storage.inputs.GetObjectSignedUrlArgs;
    import com.pulumi.gcp.compute.Instance;
    import com.pulumi.gcp.compute.InstanceArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    public class App {
        public static void main(String[] args) {
        public static void stack(Context ctx) {
            final var artifact = StorageFunctions.getObjectSignedUrl(GetObjectSignedUrlArgs.builder()
            var vm = new Instance("vm", InstanceArgs.builder()
        type: gcp:compute:Instance
          name: vm
          Function: gcp:storage:getObjectSignedUrl
            bucket: install_binaries
            path: path/to/install_file.bin

    Full Example

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    const getUrl = std.file({
        input: "path/to/credentials.json",
    }).then(invoke => gcp.storage.getObjectSignedUrl({
        bucket: "fried_chicken",
        path: "path/to/file",
        contentMd5: "pRviqwS4c4OTJRTe03FD1w==",
        contentType: "text/plain",
        duration: "2d",
        credentials: invoke.result,
        extensionHeaders: {
            "x-goog-if-generation-match": "1",
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    get_url = gcp.storage.get_object_signed_url(bucket="fried_chicken",
            "x-goog-if-generation-match": "1",
    package main
    import (
    func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
    _, err := storage.GetObjectSignedUrl(ctx, invokeFile, err := std.File(ctx, &std.FileArgs{
    Input: "path/to/credentials.json",
    }, nil)
    if err != nil {
    return err
    Bucket: "fried_chicken",
    Path: "path/to/file",
    ContentMd5: pulumi.StringRef("pRviqwS4c4OTJRTe03FD1w=="),
    ContentType: pulumi.StringRef("text/plain"),
    Duration: pulumi.StringRef("2d"),
    Credentials: pulumi.StringRef(invokeFile.Result),
    ExtensionHeaders: map[string]interface{}{
    "x-goog-if-generation-match": "1",
    }, nil);
    if err != nil {
    return err
    return nil
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    return await Deployment.RunAsync(() => 
        var getUrl = Gcp.Storage.GetObjectSignedUrl.Invoke(new()
            Bucket = "fried_chicken",
            Path = "path/to/file",
            ContentMd5 = "pRviqwS4c4OTJRTe03FD1w==",
            ContentType = "text/plain",
            Duration = "2d",
            Credentials = Std.File.Invoke(new()
                Input = "path/to/credentials.json",
            ExtensionHeaders = 
                { "x-goog-if-generation-match", "1" },
    package generated_program;
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.storage.StorageFunctions;
    import com.pulumi.gcp.storage.inputs.GetObjectSignedUrlArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    public class App {
        public static void main(String[] args) {
        public static void stack(Context ctx) {
            final var getUrl = StorageFunctions.getObjectSignedUrl(GetObjectSignedUrlArgs.builder()
                .extensionHeaders(Map.of("x-goog-if-generation-match", 1))
          Function: gcp:storage:getObjectSignedUrl
            bucket: fried_chicken
            path: path/to/file
            contentMd5: pRviqwS4c4OTJRTe03FD1w==
            contentType: text/plain
            duration: 2d
                Function: std:file
                  input: path/to/credentials.json
                Return: result
              x-goog-if-generation-match: 1

    Using getObjectSignedUrl

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getObjectSignedUrl(args: GetObjectSignedUrlArgs, opts?: InvokeOptions): Promise<GetObjectSignedUrlResult>
    function getObjectSignedUrlOutput(args: GetObjectSignedUrlOutputArgs, opts?: InvokeOptions): Output<GetObjectSignedUrlResult>
    def get_object_signed_url(bucket: Optional[str] = None,
                              content_md5: Optional[str] = None,
                              content_type: Optional[str] = None,
                              credentials: Optional[str] = None,
                              duration: Optional[str] = None,
                              extension_headers: Optional[Mapping[str, str]] = None,
                              http_method: Optional[str] = None,
                              path: Optional[str] = None,
                              opts: Optional[InvokeOptions] = None) -> GetObjectSignedUrlResult
    def get_object_signed_url_output(bucket: Optional[pulumi.Input[str]] = None,
                              content_md5: Optional[pulumi.Input[str]] = None,
                              content_type: Optional[pulumi.Input[str]] = None,
                              credentials: Optional[pulumi.Input[str]] = None,
                              duration: Optional[pulumi.Input[str]] = None,
                              extension_headers: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                              http_method: Optional[pulumi.Input[str]] = None,
                              path: Optional[pulumi.Input[str]] = None,
                              opts: Optional[InvokeOptions] = None) -> Output[GetObjectSignedUrlResult]
    func GetObjectSignedUrl(ctx *Context, args *GetObjectSignedUrlArgs, opts ...InvokeOption) (*GetObjectSignedUrlResult, error)
    func GetObjectSignedUrlOutput(ctx *Context, args *GetObjectSignedUrlOutputArgs, opts ...InvokeOption) GetObjectSignedUrlResultOutput

    > Note: This function is named GetObjectSignedUrl in the Go SDK.

    public static class GetObjectSignedUrl 
        public static Task<GetObjectSignedUrlResult> InvokeAsync(GetObjectSignedUrlArgs args, InvokeOptions? opts = null)
        public static Output<GetObjectSignedUrlResult> Invoke(GetObjectSignedUrlInvokeArgs args, InvokeOptions? opts = null)
    public static CompletableFuture<GetObjectSignedUrlResult> getObjectSignedUrl(GetObjectSignedUrlArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
      function: gcp:storage/getObjectSignedUrl:getObjectSignedUrl
        # arguments dictionary

    The following arguments are supported:

    Bucket string
    The name of the bucket to read the object from
    Path string
    The full path to the object inside the bucket
    ContentMd5 string
    The MD5 digest value in Base64. Typically retrieved from google_storage_bucket_object.object.md5hash attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the Content-MD5 HTTP header with this same value in its request.
    ContentType string
    If you specify this in the datasource, the client must provide the Content-Type HTTP header with the same value in its request.
    Credentials string

    What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials attribute, provider credentials attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.

    NOTE the default google credentials configured by gcloud sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid json service account credentials key file must be used, as generated via Google cloud console.

    Duration string
    For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1h). See here for info on valid duration formats.
    ExtensionHeaders Dictionary<string, string>
    As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with x-goog- is accepted but see the Google Docs for list of headers that are supported by Google.
    HttpMethod string
    What HTTP Method will the signed URL allow (defaults to GET)
    Bucket string
    The name of the bucket to read the object from
    Path string
    The full path to the object inside the bucket
    ContentMd5 string
    The MD5 digest value in Base64. Typically retrieved from google_storage_bucket_object.object.md5hash attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the Content-MD5 HTTP header with this same value in its request.
    ContentType string
    If you specify this in the datasource, the client must provide the Content-Type HTTP header with the same value in its request.
    Credentials string

    What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials attribute, provider credentials attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.

    NOTE the default google credentials configured by gcloud sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid json service account credentials key file must be used, as generated via Google cloud console.

    Duration string
    For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1h). See here for info on valid duration formats.
    ExtensionHeaders map[string]string
    As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with x-goog- is accepted but see the Google Docs for list of headers that are supported by Google.
    HttpMethod string
    What HTTP Method will the signed URL allow (defaults to GET)
    bucket String
    The name of the bucket to read the object from
    path String
    The full path to the object inside the bucket
    contentMd5 String
    The MD5 digest value in Base64. Typically retrieved from google_storage_bucket_object.object.md5hash attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the Content-MD5 HTTP header with this same value in its request.
    contentType String
    If you specify this in the datasource, the client must provide the Content-Type HTTP header with the same value in its request.
    credentials String

    What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials attribute, provider credentials attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.

    NOTE the default google credentials configured by gcloud sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid json service account credentials key file must be used, as generated via Google cloud console.

    duration String
    For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1h). See here for info on valid duration formats.
    extensionHeaders Map<String,String>
    As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with x-goog- is accepted but see the Google Docs for list of headers that are supported by Google.
    httpMethod String
    What HTTP Method will the signed URL allow (defaults to GET)
    bucket string
    The name of the bucket to read the object from
    path string
    The full path to the object inside the bucket
    contentMd5 string
    The MD5 digest value in Base64. Typically retrieved from google_storage_bucket_object.object.md5hash attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the Content-MD5 HTTP header with this same value in its request.
    contentType string
    If you specify this in the datasource, the client must provide the Content-Type HTTP header with the same value in its request.
    credentials string

    What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials attribute, provider credentials attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.

    NOTE the default google credentials configured by gcloud sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid json service account credentials key file must be used, as generated via Google cloud console.

    duration string
    For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1h). See here for info on valid duration formats.
    extensionHeaders {[key: string]: string}
    As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with x-goog- is accepted but see the Google Docs for list of headers that are supported by Google.
    httpMethod string
    What HTTP Method will the signed URL allow (defaults to GET)
    bucket str
    The name of the bucket to read the object from
    path str
    The full path to the object inside the bucket
    content_md5 str
    The MD5 digest value in Base64. Typically retrieved from google_storage_bucket_object.object.md5hash attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the Content-MD5 HTTP header with this same value in its request.
    content_type str
    If you specify this in the datasource, the client must provide the Content-Type HTTP header with the same value in its request.
    credentials str

    What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials attribute, provider credentials attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.

    NOTE the default google credentials configured by gcloud sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid json service account credentials key file must be used, as generated via Google cloud console.

    duration str
    For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1h). See here for info on valid duration formats.
    extension_headers Mapping[str, str]
    As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with x-goog- is accepted but see the Google Docs for list of headers that are supported by Google.
    http_method str
    What HTTP Method will the signed URL allow (defaults to GET)
    bucket String
    The name of the bucket to read the object from
    path String
    The full path to the object inside the bucket
    contentMd5 String
    The MD5 digest value in Base64. Typically retrieved from google_storage_bucket_object.object.md5hash attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the Content-MD5 HTTP header with this same value in its request.
    contentType String
    If you specify this in the datasource, the client must provide the Content-Type HTTP header with the same value in its request.
    credentials String

    What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials attribute, provider credentials attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.

    NOTE the default google credentials configured by gcloud sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid json service account credentials key file must be used, as generated via Google cloud console.

    duration String
    For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1h). See here for info on valid duration formats.
    extensionHeaders Map<String>
    As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with x-goog- is accepted but see the Google Docs for list of headers that are supported by Google.
    httpMethod String
    What HTTP Method will the signed URL allow (defaults to GET)

    getObjectSignedUrl Result

    The following output properties are available:

    Bucket string
    Id string
    The provider-assigned unique ID for this managed resource.
    Path string
    SignedUrl string
    The signed URL that can be used to access the storage object without authentication.
    ContentMd5 string
    ContentType string
    Credentials string
    Duration string
    ExtensionHeaders Dictionary<string, string>
    HttpMethod string
    Bucket string
    Id string
    The provider-assigned unique ID for this managed resource.
    Path string
    SignedUrl string
    The signed URL that can be used to access the storage object without authentication.
    ContentMd5 string
    ContentType string
    Credentials string
    Duration string
    ExtensionHeaders map[string]string
    HttpMethod string
    bucket String
    id String
    The provider-assigned unique ID for this managed resource.
    path String
    signedUrl String
    The signed URL that can be used to access the storage object without authentication.
    contentMd5 String
    contentType String
    credentials String
    duration String
    extensionHeaders Map<String,String>
    httpMethod String
    bucket string
    id string
    The provider-assigned unique ID for this managed resource.
    path string
    signedUrl string
    The signed URL that can be used to access the storage object without authentication.
    contentMd5 string
    contentType string
    credentials string
    duration string
    extensionHeaders {[key: string]: string}
    httpMethod string
    bucket str
    id str
    The provider-assigned unique ID for this managed resource.
    path str
    signed_url str
    The signed URL that can be used to access the storage object without authentication.
    content_md5 str
    content_type str
    credentials str
    duration str
    extension_headers Mapping[str, str]
    http_method str
    bucket String
    id String
    The provider-assigned unique ID for this managed resource.
    path String
    signedUrl String
    The signed URL that can be used to access the storage object without authentication.
    contentMd5 String
    contentType String
    credentials String
    duration String
    extensionHeaders Map<String>
    httpMethod String

    Package Details

    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.29.0 published on Wednesday, Jun 26, 2024 by Pulumi