This GCP function allows direct access to a bucket resource when the request comes from inside an authorized network.
The main use case is to let people on the company VPN or in the office download an Android APK without having to log in with their personal account.
Permissions:
- Service Account Token Creator
- Storage Object Viewer
Try the service account by signing a resource access. Example:
$ gsutil signurl -d 10m service-account.json gs://your-bucket/cradopaud.jpg
URL HTTP Method Expiration Signed URL
gs://your-bucket/cradopaud.jpg GET 2020-10-09 13:45:23 https://storage.googleapis.com/...
https://cloud.google.com/python/setup
python3.8 -m venv env
source env/bin/activate
pip install flask google-cloud-storage
pip freeze > requirements.txt
gcloud components update
gcloud config set project your-project
gcloud functions describe vpn_bypass
gcloud functions deploy vpn_bypass --runtime python38 --trigger-http --allow-unauthenticated --service-account vpn-bypass@your-project.iam.gserviceaccount.com --set-env-vars BUCKET_NAME=your-bucket
Test locally:
pip install functions-framework
functions-framework --target vpn_bypass --debug
curl http://0.0.0.0:8080
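One way a `vpn_bypass` function matching this description can be written, added here as an example and not this project's own code: it allows only callers from the authorized networks and redirects them to a 10-minute signed URL, signing through IAM, which is what the Service Account Token Creator role is for. `AUTHORIZED_NETWORKS`, the sample CIDR ranges, the `signer` parameter and the mapping of request path to object name are assumptions, as is the premise that the platform front end appends the connecting address as the last `X-Forwarded-For` entry.

```python
import ipaddress
import os
from datetime import timedelta

# Constructed sample ranges (RFC 5737 documentation space); replace with the VPN
# and office egress networks. AUTHORIZED_NETWORKS is a hypothetical variable.
NETWORKS = [
    ipaddress.ip_network(cidr.strip())
    for cidr in os.environ.get(
        "AUTHORIZED_NETWORKS", "203.0.113.0/24,198.51.100.16/28"
    ).split(",")
]


def is_authorized(forwarded_for):
    # Assumption: the platform front end appends the connecting address, so only
    # the last X-Forwarded-For entry is trusted; earlier ones are client-supplied.
    last = (forwarded_for or "").split(",")[-1].strip()
    try:
        ip = ipaddress.ip_address(last)
    except ValueError:
        return False  # missing or malformed header fails closed
    return any(ip in net for net in NETWORKS)


def sign_url(object_name):
    """Sign a 10-minute GET URL through IAM, with no key file in the function."""
    import google.auth
    from google.auth.transport import requests as ga_requests
    from google.cloud import storage
    creds, _ = google.auth.default()
    creds.refresh(ga_requests.Request())  # fills in token and account email
    blob = storage.Client().bucket(os.environ["BUCKET_NAME"]).blob(object_name)
    return blob.generate_signed_url(
        version="v4", expiration=timedelta(minutes=10), method="GET",
        service_account_email=creds.service_account_email,
        access_token=creds.token,
    )


def vpn_bypass(request, signer=sign_url):
    # request is the Flask request object passed in by Cloud Functions.
    if not is_authorized(request.headers.get("X-Forwarded-For")):
        return ("Forbidden", 403)
    name = request.path.lstrip("/")  # assumption: URL path names the object
    if not name:
        return ("Not found", 404)
    return ("", 302, {"Location": signer(name)})
```

Because the function is deployed with `--allow-unauthenticated`, this network check is the only access control in front of the bucket, so confirm how your deployment populates `X-Forwarded-For` before relying on it.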
https://stackoverflow.com/a/53700497/5489877
https://github.com/GoogleCloudPlatform/functions-framework-python