gcloud storage sign-url

NAME
gcloud storage sign-url - generate a URL with embedded authentication that can be used by anyone
SYNOPSIS
gcloud storage sign-url URL [URL …] [--duration=DURATION, -d DURATION; default=3600] [--headers=[KEY=VALUE,…]] [--http-verb=HTTP_VERB, -m HTTP_VERB; default="GET"] [--path-style-url] [--private-key-file=PRIVATE_KEY_FILE] [--private-key-password=PRIVATE_KEY_PASSWORD, -p PRIVATE_KEY_PASSWORD] [--query-params=[KEY=VALUE,…]] [--region=REGION, -r REGION] [GCLOUD_WIDE_FLAG]
DESCRIPTION
gcloud storage sign-url will generate a signed URL that embeds authentication data so the URL can be used by someone who does not have a Google account. Use the global --impersonate-service-account flag to specify the service account that will be used to sign the specified URL or authenticate with a service account directly. Otherwise, a service account key is required. Please see the Signed URLs documentation for background about signed URLs.

Note, gcloud storage sign-url does not support operations on sub-directories. For example, unless you have an object named some-directory/ stored inside the bucket some-bucket, the following command returns an error: gcloud storage sign-url gs://some-bucket/some-directory/.

EXAMPLES
To create a signed url for downloading an object valid for 10 minutes with the credentials of an impersonated service account:

gcloud storage sign-url gs://my-bucket/file.txt --duration=10m --impersonate-service-account=sa@my-project.iam.gserviceaccount.com

To create a signed url that will bill to my-billing-project when already authenticated as a service account:

gcloud storage sign-url gs://my-bucket/file.txt --query-params=userProject=my-billing-project

To create a signed url, valid for one hour, for uploading a plain text file via HTTP PUT:

gcloud storage sign-url gs://my-bucket/file.txt --http-verb=PUT --duration=1h --headers=content-type=text/plain --impersonate-service-account=sa@my-project.iam.gserviceaccount.com

To create a signed URL that initiates a resumable upload for a plain text file using a private key file:

gcloud storage sign-url gs://my-bucket/file.txt --http-verb=POST --headers=x-goog-resumable=start,content-type=text/plain --private-key-file=key.json

POSITIONAL ARGUMENTS
URL [URL …]
The URLs to be signed. May contain wildcards.
FLAGS
--duration=DURATION, -d DURATION; default=3600
Specifies the duration that the signed url should be valid for, default duration is 1 hour. For example 10s for 10 seconds. See $ gcloud topic datetimes for information on duration formats.

The max duration allowed is 12 hours. This limitation exists because the system-managed key used to sign the URL may not remain valid after 12 hours.

Alternatively, the max duration allowed is 7 days when signing with either the --private-key-file flag or an account that authorized with gcloud auth activate-service-account.

--headers=[KEY=VALUE,…]
Specifies the headers to be used in the signed request. Possible headers are listed in the XML API's documentation: https://cloud.google.com/storage/docs/xml-api/reference-headers#headers
--http-verb=HTTP_VERB, -m HTTP_VERB; default="GET"
Specifies the HTTP verb to be authorized for use with the signed URL, default is GET. When using a signed URL to start a resumable upload session, you will need to specify the x-goog-resumable:start header in the request or else signature validation will fail.
--path-style-url
Generate path-style signed URL.

By default, virtual hosted-style signed URL is generated, except for domain-named buckets. Use this flag to force the generation of path-style signed URL. Signed URL generated for domain-named buckets is always path-style. Learn more about the two URL styles here.

--private-key-file=PRIVATE_KEY_FILE
The service account private key used to generate the cryptographic signature for the generated URL. Must be in PKCS12 or JSON format. If encrypted, will prompt for the passphrase used to protect the private key file (default notasecret).

Note: Service account keys are a security risk if not managed correctly. Review best practices for managing service account keys before using this option.

--private-key-password=PRIVATE_KEY_PASSWORD, -p PRIVATE_KEY_PASSWORD
Specifies the PRIVATE_KEY_FILE password instead of prompting.
--query-params=[KEY=VALUE,…]
Specifies the query parameters to be used in the signed request. Possible query parameters are listed in the XML API's documentation: https://cloud.google.com/storage/docs/xml-api/reference-headers#query
--region=REGION, -r REGION
Specifies the region in which the resources for which you are creating signed URLs are stored.

Default value is auto which will cause gcloud storage sign-url to fetch the region for the resource. When auto-detecting the region, the current user's credentials, not the credentials from PRIVATE_KEY_FILE, are used to fetch the bucket's metadata.
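
The lifetime caps under --duration and the signed-header requirement under --http-verb can be checked on a URL after it has been generated, for example when reviewing a link before it is shared. The following is an added example, not part of the gcloud documentation: the function name inspect_signed_url and the sample URL (including its us region scope and placeholder signature) are constructed for illustration, and the X-Goog-* query parameter names are those of Cloud Storage V4 signed URLs rather than anything stated on this page.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Lifetime caps stated under --duration on this page.
MAX_SYSTEM_KEY = timedelta(hours=12)  # system-managed key (impersonation)
MAX_PRIVATE_KEY = timedelta(days=7)   # --private-key-file / activate-service-account

# Constructed sample; the signature value is a placeholder, not a real one.
SAMPLE_URL = (
    "https://storage.googleapis.com/my-bucket/file.txt"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=sa%40my-project.iam.gserviceaccount.com"
    "%2F20251111%2Fus%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20251111T120000Z&X-Goog-Expires=86400"
    "&X-Goog-SignedHeaders=content-type%3Bhost%3Bx-goog-resumable"
    "&X-Goog-Signature=00ff"
)

REQUIRED = ("X-Goog-Credential", "X-Goog-Date", "X-Goog-Expires",
            "X-Goog-SignedHeaders", "X-Goog-Signature")

def inspect_signed_url(url, now, max_lifetime=MAX_SYSTEM_KEY):
    """Report what a V4 signed URL grants. Parses only; verifies no signature."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [k for k in REQUIRED if k not in q]
    if missing:
        raise ValueError(f"not a V4 signed URL, missing: {missing}")
    issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(q["X-Goog-Expires"]))
    headers = q["X-Goog-SignedHeaders"].split(";")
    findings = []
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds cap {max_lifetime}")
    if now >= issued + lifetime:
        findings.append("expired")
    extra = [h for h in headers if h != "host"]
    if extra:  # the request fails validation unless these are sent as signed
        findings.append("request must send: " + ", ".join(extra))
    return {"signer": q["X-Goog-Credential"].split("/")[0],
            "expires": issued + lifetime,
            "signed_headers": headers, "findings": findings}

if __name__ == "__main__":
    report = inspect_signed_url(SAMPLE_URL, datetime.now(timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Pass max_lifetime=MAX_PRIVATE_KEY when the URL was signed with a private key file, since the 7 day cap applies there instead of 12 hours.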

GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
This variant is also available:
gcloud alpha storage sign-url


Last updated 2025-11-11 UTC.