Open zsgilber opened 2 years ago
Hi @zsgilber, thank you for the request! We've added it to the list of resources we're looking into and will let you know when we have more information.
Hi @zsgilber, in your use case, do you expect that you can manage the signed URL keys in the non-authoritative manner with a separate resource (i.e. like what Terraform does)?
Hi @maqiuyujoyce, as long as the key can be added to the bucket through config-connector, that would work for us. Our use case is to automate Cloud CDN backend bucket creation for buckets where we want to use a signed URL or cookie to restrict access.
Thanks for sharing your use case, @zsgilber! Then I assume it also works for you if the list of signed URL keys (names and values) is maintained in the ComputeBackendBucket resource like below, right? To clarify, we haven't determined the UX for the signed URL key yet, but just want to collect some information.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeBackendBucket
metadata:
  name: test
spec:
  ...
  cdnPolicy:
    signedUrlKeys:
    - keyName: key-1
      keyValue: test-url-1
    - keyName: key-2
      keyValue: test-url-2
  ...
Yes, that would definitely work for us! As far as I understand, the keys don't have any use outside of the backend bucket or service they are attached to, so managing them with those resources makes sense to me.
Thanks for the confirmation, @zsgilber! We'll take it into consideration when we look into this feature.
Hello.
For us, it would be nice if we could specify the key value with the name of a Secret Manager secret. That'd allow our app to retrieve the secret and create a signed URL securely.
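What the keyValue in the proposed manifest is actually used for, as an added example that is not Config Connector's or Cloud CDN's own code: the Cloud CDN signing scheme (HMAC-SHA1 over the URL plus Expires and KeyName, with a base64url-encoded 128-bit key and signature) and the matching check the edge performs. The key name, key bytes and URL are constructed placeholders; fetching the key from Secret Manager instead of a hard-coded manifest value is assumed to happen outside this snippet.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed 128-bit key, URL-safe base64 encoded as a real keyValue would be.
# In a deployment this comes from Secret Manager (or an injected env var), never a plain manifest.
EXAMPLE_KEY_NAME = "key-1"
EXAMPLE_KEY_VALUE = base64.urlsafe_b64encode(bytes(range(16))).decode("ascii")


def sign_cdn_url(url: str, key_name: str, key_value: str, expires: int) -> str:
    """Build a Cloud CDN signed URL: HMAC-SHA1 over '<url>?Expires=..&KeyName=..'."""
    key = base64.urlsafe_b64decode(key_value)  # keyValue is base64url of 16 raw bytes
    sep = "&" if urlsplit(url).query else "?"  # append to an existing query string if present
    url_to_sign = f"{url}{sep}Expires={expires}&KeyName={key_name}"
    digest = hmac.new(key, url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    signature = base64.urlsafe_b64encode(digest).decode("ascii")
    return f"{url_to_sign}&Signature={signature}"


def verify_cdn_url(signed_url: str, keys: dict[str, str], now: int) -> bool:
    """Mirror of the edge-side check: look up the named key, recompute the MAC, enforce expiry."""
    base, _, signature = signed_url.rpartition("&Signature=")
    if not base or not signature:
        return False
    params = parse_qs(urlsplit(base).query)
    try:
        expires = int(params["Expires"][-1])
        key_name = params["KeyName"][-1]
    except (KeyError, ValueError):
        return False
    if key_name not in keys or now >= expires:  # unknown key or already expired
        return False
    key = base64.urlsafe_b64decode(keys[key_name])
    expected = base64.urlsafe_b64encode(
        hmac.new(key, base.encode("utf-8"), hashlib.sha1).digest()
    ).decode("ascii")
    # Any change to the path, Expires or KeyName alters 'base', so the MAC no longer matches.
    return hmac.compare_digest(expected, signature)
```

Because the key value alone lets anyone mint valid URLs for the bucket, it deserves the same handling as any other credential, which is the point of the Secret Manager suggestion above.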
Describe the feature or resource
We would like to be able to provision backend buckets that are restricted to signed URLs. Currently, a backend bucket provisioned via the ComputeBackendBucket resource will be exposed publicly. There is currently a terraform resource for this: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_bucket_signed_url_key
Importance
This is not a blocker, but it is a pain point. We have to manually add the signed URL key whenever we want to add a new backend bucket that we don't want to expose publicly.