Re: [gs-discussion] Restrict buckets/objects by domain


Google Cloud Storage Team

Oct 27, 2012, 6:37:22 PM
to gs-dis...@googlegroups.com
Hi Erevald,

If your domain is a Google Apps domain, then you can limit access to that domain by including a clause like this in your bucket's or object's Access Control List (ACL):

<Entry>
  <Permission>Read</Permission>
  <Scope type="GroupByDomain">yourdomain.com</Scope>
</Entry>

http://storage.cloud.google.com/bucket/obj will then download the object if the user is logged in as x...@yourdomain.com

If your domain of interest is not a Google Apps domain then you could create a Google Group, including the set of valid users, and then restrict access to that group. That gives you the ability to manage your access indirectly, as a function of group membership, and avoids the need to modify the ACLs assigned to a potentially large number of resources every time your group composition changes.

Hope that helps,

Marc
Google Cloud Storage Team

On Sat, Oct 27, 2012 at 5:29 PM, Erevald Kullolli <mounta...@gmail.com> wrote:
Hi,

Is it possible to give access to private objects only to a certain domain or domains?

--
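Added example (not part of the original thread and not Google's code): a local Python model of how the two ACL scopes described in the reply above, a domain scope and a group scope, decide read access. The `<AccessControlList>` wrapper, the nested `<Domain>` and `<EmailAddress>` elements, the group address and the membership table are assumptions constructed for illustration; the parser also accepts the clause as written in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample ACL; wrapper and nested child elements are assumed.
SAMPLE_ACL = """<AccessControlList><Entries>
  <Entry>
    <Scope type="GroupByDomain"><Domain>yourdomain.com</Domain></Scope>
    <Permission>READ</Permission>
  </Entry>
  <Entry>
    <Scope type="GroupByEmail"><EmailAddress>viewers@example.org</EmailAddress></Scope>
    <Permission>READ</Permission>
  </Entry>
</Entries></AccessControlList>"""

# Constructed membership table standing in for the Google Group.
GROUPS = {"viewers@example.org": {"alice@partner.example"}}

def parse_acl(xml_text):
    """Return a (scope_type, scope_value, permission) tuple per <Entry>."""
    entries = []
    for entry in ET.fromstring(xml_text).iter("Entry"):
        scope = entry.find("Scope")
        if scope is None:
            continue
        # itertext() reads the value from a child element or from bare text.
        value = "".join(scope.itertext()).strip().lower()
        perm = (entry.findtext("Permission") or "").strip().upper()
        entries.append((scope.get("type"), value, perm))
    return entries

def can_read(email, entries, groups):
    """Local model of the read decision for a signed-in user's address."""
    email = email.strip().lower()
    _, at, domain = email.rpartition("@")
    if not at:
        return False  # not an address, so never match it against a domain
    for scope_type, value, perm in entries:
        if perm not in ("READ", "FULL_CONTROL"):
            continue
        # Exact comparison: a look-alike or suffixed domain must not match.
        if scope_type == "GroupByDomain" and domain == value:
            return True
        if scope_type == "GroupByEmail" and email in groups.get(value, set()):
            return True
    return False

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for user in ("bob@yourdomain.com", "bob@evil-yourdomain.com", "alice@partner.example"):
        print(user, can_read(user, acl, GROUPS))
```

Editing only the membership table changes who `can_read` admits while the ACL text stays the same, which is the indirection the reply recommends for domains that are not Google Apps domains.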
  

Erevald Kullolli

Oct 28, 2012, 7:34:56 AM
to gs-dis...@googlegroups.com
Hi Marc,

I appreciate your help but I think my question wasn't very clear before, so I'll give you an example of what I'm trying to do.


Object
photo.jpg

path to stuff.some-domain.com/photo.jpg returns AccessDenied which is fine.

But how do I give permission to a domain such as www.my-domain.com (or by IP) to show the image?
I do not need to access user data.

Thank you for your help,
Erevald



Google Cloud Storage Team

Oct 28, 2012, 12:32:57 PM
to gs-dis...@googlegroups.com
Are you saying that you want to have two domains, both pointing to the same bucket, and you want different permissions to apply depending on which domain name was used to access the resource? If so, I don't think we have that functionality. Moreover, we don't currently allow multiple CNAME aliases to point to the same bucket. There was a recent conversation about this topic on the discussion group.

If you can describe your use case (send it to gs-team AT google.com and please don't share any proprietary information in your use case description), I'd be happy to write an internal feature request.

Thanks,

Marc

Erevald Kullolli

Oct 28, 2012, 4:56:04 PM
to gs-dis...@googlegroups.com, gs-...@google.com
Thanks, I'll send it to the team