Screencast: Using Apigee to create a Signed URL for Google Cloud Storage (18 minutes)

Another tech screencast! Can you ever get enough of these? 🙂

This one covers how you can use an Apigee API Proxy to create a signed URL that grants time-limited access to an object within a Google Cloud Storage bucket.

For those who don't know, Google Cloud Storage presents an HTTP interface to PUT and GET arbitrary files (aka objects) into Storage "buckets". Any request must be authenticated*. Normally the caller needs to present credentials issued directly by Google Cloud to access the GCS bucket. The signed URL mechanism allows an authorized party to generate a specially-formed URL that grants anyone holding the URL access to PUT a file into the bucket, or GET a file from the bucket, for a limited time: 60 seconds, 5 minutes, 3 hours, whatever you like.

Signed URLs are a nice way to allow upload and download of arbitrary files, even large payloads.

But how do you create a signed URL? Google Cloud publishes a tool, gsutil, that allows you to create a signed URL from the command line. But what if you'd like to include GCS in your API-oriented integration architecture?

What if I told you that you could use an Apigee proxy to generate the signed URL, and deliver it back to the client?

This would allow you to use Apigee to authenticate client apps via Apigee-managed client credentials, and potentially authenticate the user as well, and then generate a limited-time-use signed URL and return that to the client. The API proxy can then act as a control channel for the GCS data channel. Effectively, the client:

  • connects to Apigee to request the signed URL
  • uses the returned signed URL to upload or download an object.

Click through to view the screencast!


Comments
DavitH
Explorer

Signed URL Generator

Hello @dchiesa1, thank you for the excellent screencast, your solution worked right out of the box.

I want to implement a Signed URL generator library, so we can reuse it in different modules. While trying to instantiate the app:

MessageContext msgCtxt = new MessageContextImpl();
RootContext rootContext = new RootContext();
FlowEvaluator evaluator = new FlowEvaluator(rootContext);
MessageFlowImpl messageFlow = new MessageFlowImpl(evaluator, msgCtxt);
ExecutionContext execContext = new ExecutionContextImpl(messageFlow);
V4SignedUrlCallout signedUrlCallout = new V4SignedUrlCallout(properties);
ExecutionResult execute = signedUrlCallout.execute(msgCtxt, execContext);

I'm getting the following error message on line 2:

Caused by: java.lang.ClassNotFoundException: com.apigee.decisiontree.DecisionTree

Where can I find that library? Is there a better way to create a Signed URL?

Thanks in advance.

DavitH
Explorer

I found using the Google Cloud Storage Java API to be the easiest solution for my case.

You can refer to https://cloud.google.com/storage/docs/samples/storage-generate-signed-url-v4

-
Thanks
dchiesa1
Staff

I'm glad you sorted it out. 

To answer your prior question (in case anyone else is interested in the answer), the com.apigee.decisiontree.DecisionTree class is part of the Apigee runtime. Obviously you don't need that if all you want to do is create a signed URL. You are pulling that in by referring to FlowEvaluator, and ExecutionContext and all that other Apigee-specific stuff. That will work in an Apigee callout, but it will not work in a standalone library.

If you wanted to use my code, you would need to refactor the V4SignedUrlCallout to extract just the stuff that does signed URLs. But I think you found a different path, a long time ago. 
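
As an added example (not code from the screencast, from V4SignedUrlCallout, or from Google's sample), this is roughly what a standalone V4 signer looks like with only JDK classes and no Apigee runtime types, following Google's documented GOOG4-RSA-SHA256 signing process. The class name, bucket, object and signer e-mail are placeholders, and a throwaway generated RSA key stands in for the service-account private key.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.time.format.DateTimeFormatter;
import java.util.*;
public class V4SignedUrlSketch {
  static String enc(String s) { // percent-encode everything except unreserved characters
    return URLEncoder.encode(s, StandardCharsets.UTF_8)
        .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
  }
  static String hex(byte[] bytes) {
    StringBuilder sb = new StringBuilder();
    for (byte b : bytes) sb.append(String.format("%02x", b));
    return sb.toString();
  }
  static String sign(PrivateKey key, String signer, String method, String bucket,
      String object, long expiresSec, Instant now) throws GeneralSecurityException {
    if (expiresSec < 1 || expiresSec > 604800) // V4 signed URLs last at most 7 days
      throw new IllegalArgumentException("expiry must be 1..604800 seconds");
    ZonedDateTime utc = now.atZone(ZoneOffset.UTC);
    String date = DateTimeFormatter.ofPattern("yyyyMMdd").format(utc);
    String stamp = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").format(utc);
    String scope = date + "/auto/storage/goog4_request";
    String path = "/" + bucket + "/" + enc(object).replace("%2F", "/");
    Map<String, String> q = new TreeMap<>(); // canonical query is sorted by name
    q.put("X-Goog-Algorithm", "GOOG4-RSA-SHA256");
    q.put("X-Goog-Credential", signer + "/" + scope);
    q.put("X-Goog-Date", stamp);
    q.put("X-Goog-Expires", Long.toString(expiresSec));
    q.put("X-Goog-SignedHeaders", "host");
    StringJoiner query = new StringJoiner("&");
    q.forEach((k, v) -> query.add(enc(k) + "=" + enc(v)));
    // Method, object path and lifetime are all part of the signed text.
    String canonical = String.join("\n", method, path, query.toString(),
        "host:storage.googleapis.com", "", "host", "UNSIGNED-PAYLOAD");
    byte[] hash = MessageDigest.getInstance("SHA-256").digest(canonical.getBytes(StandardCharsets.UTF_8));
    String toSign = String.join("\n", "GOOG4-RSA-SHA256", stamp, scope, hex(hash));
    Signature rsa = Signature.getInstance("SHA256withRSA");
    rsa.initSign(key);
    rsa.update(toSign.getBytes(StandardCharsets.UTF_8));
    return "https://storage.googleapis.com" + path + "?" + query + "&X-Goog-Signature=" + hex(rsa.sign());
  }
  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048); // constructed throwaway key, not a real service-account key
    System.out.println(sign(gen.generateKeyPair().getPrivate(), // placeholder signer, bucket, object
        "signer@example-project.iam.gserviceaccount.com", "GET", "example-bucket", "reports/q1.pdf", 300, Instant.now()));
  }
}
```

Because the HTTP method, object path and X-Goog-Expires value are inside the signed string, a URL issued for a 300-second GET of one object cannot be reused for a PUT, for another object, or with a longer lifetime. Anyone who obtains the URL can use it until it expires, so keep lifetimes short and keep issued URLs out of logs.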

Last update: 05-12-2021 02:24 PM