gcloud compute sign-url

NAME
gcloud compute sign-url - sign specified URL for use with Cloud CDN Signed URLs
SYNOPSIS
gcloud compute sign-urlURL--expires-in=EXPIRES_IN--key-file=LOCAL_FILE_PATH--key-name=KEY_NAME[--validate][GCLOUD_WIDE_FLAG]
DESCRIPTION
gcloud compute sign-url generates a signed URL for the specifiedURL and optionally validates the response by sending a request to the signedURL.

Cloud CDN Signed URLs give you a way to serve responses from the globallydistributed CDN cache, even if the request needs to be authorized.

Signed URLs are a mechanism to temporarily give a client access to a privateresource without requiring additional authorization. To achieve this, the fullrequest URL that should be allowed is hashed and cryptographically signed. Byusing the signed URL you give it, that one request will be considered authorizedto receive the requested content.

Generally, a signed URL can be used by anyone who has it. However, it is usuallyonly intended to be used by the client that was directly given the URL. Tomitigate this, they expire at a time chosen by the issuer. To minimize the riskof a signed URL being shared, it is recommended that the signed URL be set toexpire as soon as possible.

A 128-bit secret key is used for signing the URLs.

The URLs to sign have the following restrictions:

  • The URL scheme must be either HTTP or HTTPS.
  • The URLs must not contain the query parameters:Expires,KeyName orSignature, since they are used for signing.
  • The URL must not have a fragment.
POSITIONAL ARGUMENTS
URL
The URL to sign.
REQUIRED FLAGS
--expires-in=EXPIRES_IN
The duration for which the signed URL will be valid. For example, specifying12h will cause the signed URL to be valid up to 12 hours. See $gcloud topic datetimes forinformation on duration formats.
--key-file=LOCAL_FILE_PATH
The file containing the RFC 4648 Section 5 base64url encoded 128-bit secret keyfor Cloud CDN Signed URL. It is vital that the key is strongly random. One wayto generate such a key is with the following command:
head-c16/dev/random|base64|tr+/-_ >[KEY_FILE_NAME]
--key-name=KEY_NAME
Name of the Cloud CDN Signed URL key.
OPTIONAL FLAGS
--validate
If provided, validates the generated signed URL by sending a HEAD request andprints out the HTTP response code.

If the signed URL is valid, the result should be the same as the response codesent by the backend. If it isn't, recheck the key name and the contents of thekey file, and ensure that expires-in is set to at least several seconds and thatthe clock on the computer running this command is accurate.

If not provided, the generated signed URL is not verified.

GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
These variants are also available:
gcloudalphacomputesign-url
gcloudbetacomputesign-url

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-22 UTC.