从具有访问限制的 GCS 服务 static 页面

Question

I'm serving a static page on google cloud storage. It works perfectly well, as long as it is public. Now i setted up acl so that only users of one group can read the storage and unauthenticated users get redirected to google authentication. The Problem is now, that the static content of the website, like javascript and css can't be found anymore and i get 404 Errors there. The static content is as well in the storage bucket and it works fine with public urls. When using authenticated urls, it does not work anymore.

Is my attempt of serving an access controlled page right? I guess so, because it works, except for the static content. So do you have any ideas what i am missing here?

Answer 1

Try to deploy on App Engine you file. For this

1. In the same root directory of your static file, create a app.yaml file with this content

runtime: nodejs10
env: standard
instance_class: F1
handlers:
  - url: /
    static_files: index.html
    require_matching_file: false
    upload: index.html
  - url: /(.*)
    static_files: /\1
    require_matching_file: false
    upload: /.*
  - url: .*
    script: auto

2. Deploy on App Engine gcloud app deploy
3. Check if it works on the provided URL.

If so:

4. Go to Security -> Identity Aware Proxy (IAP)
5. Activate IAP for App Engine; It's possible that the OAuth consent screen have to be configured at this step is you don't do it before
6. Select the checkbox on the left of your root service, and go the the info panel on the right of the page
7. Add members, groups or domain with the role IAP-secured Web app user

Test and enjoy!

Answer 2

You can use the following workaround to add user authentication to your GCS static pages based on buckets.

First you need to create a public file called redirect.html this file will be the entry point of your static webpage, and you need to add the following content

<html>
  <head>
    <meta http-equiv="Refresh" content="0; url=https://storage.cloud.google.com/[yourbucketname]/index.html">
  </head>
  Redirecting to your site..

index.html and other files must be private files with read permissions granted to selected users

The magic behind this is that your browser will prompt to choose a google account, in case that your browser doesn't have any active google account.

And only the users with Reader permission (or with other roles with read access) will access to your static website.

Just a friendly reminder, this will take the main Google account in the browser if your browser have more than 1 Google account this can cause authentication issues, if this happens use an incognito window.

you can find more information on this Medium article

Extra step

If you have enabled Data access logs this workaround will thrown some authentication issues, you need to add exceptions to the users that will use the authenticated site

To do this, in Cloud Console, navigate to IAM & Admin > Audit Logs . Look through the list or filter for Google Cloud Storage . Click on the row.

In the info panel on the right side, on the Exempted Users tab , click Add Exempted User.