The Google Cloud storage signed URL data source generates a signed URL for a given storage object. Signed URLs provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account.
For more info about signed URL's is available here.
data "google_storage_object_signed_url" "artifact" { bucket = "install_binaries" path = "path/to/install_file.bin" } resource "google_compute_instance" "vm" { name = "vm" ... provisioner "remote-exec" { inline = [ "wget '${data.google_storage_object_signed_url.artifact.signed_url}' -O install_file.bin", "chmod +x install_file.bin", "./install_file.bin" ] } }
data "google_storage_object_signed_url" "get_url" { bucket = "fried_chicken" path = "path/to/file" content_md5 = "pRviqwS4c4OTJRTe03FD1w==" content_type = "text/plain" duration = "2d" credentials = "${file("path/to/credentials.json")}" extension_headers { x-goog-if-generation-match = 1 } }
The following arguments are supported:
bucket
- (Required) The name of the bucket to read the object from path
- (Required) The full path to the object inside the bucket http_method
- (Optional) What HTTP Method will the signed URL allow (defaults to GET
) duration
- (Optional) For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1h
). See here for info on valid duration formats. credentials
- (Optional) What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials
attribute, provider credentials
attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable. NOTE the default google credentials configured by
gcloud
sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A validjson
service account credentials key file must be used, as generated via Google cloud console.
content_type
- (Optional) If you specify this in the datasource, the client must provide the Content-Type
HTTP header with the same value in its request. content_md5
- (Optional) The MD5 digest value in Base64. Typically retrieved from google_storage_bucket_object.object.md5hash
attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the Content-MD5
HTTP header with this same value in its request. extension_headers
- (Optional) As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with x-goog-
is accepted but see the Google Docs for list of headers that are supported by Google. The following attributes are exported:
signed_url
- The signed URL that can be used to access the storage object without authentication.
© 2018 HashiCorpLicensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/google/d/signed_url.html