aknuds1 aknuds1 - 5 months ago 55
Node.js Question

gcloud-node - How do I ensure that files uploaded to Google Cloud Storage via signed URLs are publicly readable?

I want to allow clients (JavaScript in browser) to upload files to Google Cloud Storage, something I currently accomplish by generating signed URLs. However, the uploaded files are private by default. How can I ensure that files uploaded via signed URLs are publicly readable?


Controlling file ACLs is handled via the header x-goog-acl, which must also be included when calculating the signed URL. For public readability, use the value public-read.

Example client side code:

let request = new XMLHttpRequest()
request.onreadystatechange = () => {
  if (request.readyState === XMLHttpRequest.DONE) {
    if (request.status === 200) {
      console.log(`Google Cloud Storage upload was successful:`, request.responseText)
    } else {
      console.log(`Google Cloud Storage upload was not successful: ${request.status}`)

request.open('PUT', signedUrl, true)
// Don't care about content-type header for signature calculation
request.setRequestHeader('content-type', 'ignore')
request.setRequestHeader('x-goog-acl', 'public-read')

Example server side code (for getting signed URL):

let gcloud = require('gcloud')
let moment = require('moment')

let gcs = gcloud.storage({
  projectId: process.env.GCLOUD_PROJECT_ID,
  credentials: {
    client_email: process.env.GCLOUD_CLIENT_EMAIL,
    private_key: process.env.GCLOUD_PRIVATE_KEY,

let bucket = gcs.bucket('aBucket')
let cloudFile = bucket.file('aFile')
  action: 'write',
  expires: moment.utc().add(1, 'days').format(),
  contentType: 'ignore',
  extensionHeaders: {'x-goog-acl': 'public-read',},
}, (error, signedUrl) => {
  if (error != null) {
    console.log(`Failed to obtain signed URL for file`)
  } else {
    console.log(`Got signed URL for file: ${signedUrl}`)