GCP App Engine Access to GCloud Storage without 'sharing publicly'


April 2019


203 time


I would like to know how to grant a Google Cloud Platform App Engine project permissions to serve content from Google Cloud Storage without setting the Google Cloud Storage bucket permissions to ‘share publicly'.

My App engine project is running Node JS. Uses Passport-SAML authentication to authenticate users before allowing them to view content, hence I do not want to set access on an individual user level via IAM. Images and videos are currently served from within a private folder of my app, which is only accessible once users are authenticated. I wish to move these assets to Google Cloud Storage and allow the app to read the files, whist not providing global access. How should I go about doing this? I failed to find any documentation on it.

2 answers


As stated in the official documentation:

By default, when you create a bucket for your project, your app has all the permissions required to read and write to it.

Whenever you create an App Engine application, there is a default bucket that comes with the following perks:

  • 5GB of free storage.
  • Free quota for Cloud Storage I/O operations

By default it is created automatically with your application, but in any case you can follow the same link I shared previously in other to create the bucket. Should you need more than those 5GB of free storage, you can make it a paid bucket and you will only be charged for the storage that surpasses the first 5 GB.

Then, you can make use of the Cloud Storage Client Libraries for Node.js and have a look at some nice samples (general samples here or even specific operations over files here) for working with the files inside your bucket.


Here there is a small working example on how to use the Cloud Storage client libraries to retrieve images from your private bucket without making them public, by means of authenticating requests. It works in a Cloud Function, so you should have no issues in reproducing the same behavior in App Engine. It does not perform exactly what you need, as it displays the image in the bucket alone, without any integration inside an HTML file, but you should be able to build something from that (I am not too used to work with Node.js, unfortunately).

I hope this can be of some help too.

'use strict';

const gcs = require('@google-cloud/storage')();

exports.imageServer = function imageSender(req, res) {
  let file = gcs.bucket('<YOUR_BUCKET>').file('<YOUR_IMAGE>');
  let readStream = file.createReadStream();

  res.setHeader("content-type", "image/jpeg");

I think this might work for you https://cloud.google.com/storage/docs/access-control/create-signed-urls-program I can't seem to find the API doc for nodejs (google is really messing around with their doc urls). Here's some sample code:

bucket.upload(filename, options, function(err, file, apiResponse) {
var mil = Date.now()+60000;
var config = {
  action: 'read',
  expires: mil

file.getSignedUrl(config, function(err, url) {
  if (err) {