GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0

Support for Google Compute Backend Bucket Signed URL Key #545

Open zsgilber opened 2 years ago

zsgilber commented 2 years ago

Describe the feature or resource

We would like to be able to provision backend buckets that are restricted to signed URLs. Currently, a backend bucket provisioned via the ComputeBackendBucket resource will be exposed publicly. There is currently a terraform resource for this: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_bucket_signed_url_key

Importance

This is not a blocker, but it is a pain point. We have to manually add the signed URL key whenever we want to add a new backend bucket that we don't want to expose publicly.

maqiuyujoyce commented 2 years ago

Hi @zsgilber , thank you for the request! We've added it to the list of resources we're looking into and will let you know when we have more information.

maqiuyujoyce commented 2 years ago

Hi @zsgilber , in your use case, do you expect that you can manage the signed URL keys in the non-authoritative manner with a separate resource (i.e. like what Terraform does)?

zsgilber commented 2 years ago

Hi @maqiuyujoyce, as long as the key can be added to the bucket through config-connector, that would work for us. Our use case is to automate Cloud CDN backend bucket creation for buckets where we want to use a signed URL or cookie to restrict access.

maqiuyujoyce commented 2 years ago

Thanks for sharing your use case, @zsgilber ! Then I assume it also works for you if the list of signed URL keys (names and values) is maintained in the ComputeBackendBucket resource like below, right? To clarify, we haven't determined the UX for the signed URL key yet, but just want to collect some information.

  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeBackendBucket
  metadata:
    name: test
  spec:
    ...
    cdnPolicy:
      signedUrlKeys:
        - keyName: key-1
          keyValue: test-url-1
        - keyName: key-2
          keyValue: test-url-2
    ...

zsgilber commented 2 years ago

Yes that would definitely work for us! As far as I understand the keys don't have any use outside of the backend bucket or service they are attached to, so managing them with those resources makes sense to me.

maqiuyujoyce commented 2 years ago

Thanks for the confirmation, @zsgilber ! We'll take it into consideration when we look into this feature.

ymmt2005 commented 9 months ago

Hello.

For us, it would be nice if we could specify the key value with the name of a Secret Manager secret. That'd allow our app to retrieve the secret and create a signed URL securely.
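The thread above concerns two practical pieces of the Cloud CDN signed URL mechanism: the key value that a backend bucket signed URL key holds (the `keyValue` in the proposed spec, which Terraform's `google_compute_backend_bucket_signed_url_key` also takes) and the signed URL that an application generates from that key. The following is an added example, not code from this issue or from Config Connector, that shows the documented Cloud CDN signing scheme end to end: generating a 128-bit key in the base64url form the API expects, signing a URL with it, and checking a signed URL the way the CDN edge does (expiry, key name, HMAC). It assumes the key value has already been fetched from Secret Manager; here a key is generated inline instead, and the URLs and key name `key-1` are constructed sample inputs.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


def generate_key_value() -> str:
    """Return a fresh 128-bit key encoded as unpadded base64url.

    This is the format a Cloud CDN signed URL key (the backend bucket's
    keyValue) expects; the same string is what you would store in Secret
    Manager and hand to the resource that attaches it to the bucket.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(16)).decode("ascii").rstrip("=")


def _decode_key(key_value: str) -> bytes:
    """Decode a base64url key value, accepting both padded and unpadded input."""
    padded = key_value + "=" * (-len(key_value) % 4)
    return base64.urlsafe_b64decode(padded)


def sign_url(url: str, key_name: str, key_value: str, expires: int) -> str:
    """Sign `url` with the named key so it is valid until Unix time `expires`.

    Documented Cloud CDN scheme: append Expires and KeyName as the last query
    parameters, compute HMAC-SHA1 over that string with the raw key bytes,
    and append the base64url-encoded digest as Signature.
    """
    url = url.strip()
    separator = "&" if urlsplit(url).query else "?"
    url_to_sign = f"{url}{separator}Expires={expires}&KeyName={key_name}"
    digest = hmac.new(_decode_key(key_value), url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    signature = base64.urlsafe_b64encode(digest).decode("ascii")
    return f"{url_to_sign}&Signature={signature}"


def verify_signed_url(signed_url: str, keys: dict, now: int) -> bool:
    """Validate a signed URL as the CDN edge would.

    `keys` maps key name to key value (every key attached to the backend
    bucket, so rotation can keep two keys live). Rejects URLs that are
    expired, reference an unknown key, or whose signature does not match
    the exact bytes that were signed. Uses a constant-time comparison.
    """
    if "&Signature=" not in signed_url:
        return False
    url_to_sign, _, signature = signed_url.rpartition("&Signature=")
    params = parse_qs(urlsplit(url_to_sign).query, keep_blank_values=True)
    try:
        expires = int(params["Expires"][-1])
        key_name = params["KeyName"][-1]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False  # expired links are refused regardless of signature
    key_value = keys.get(key_name)
    if key_value is None:
        return False  # unknown KeyName: key was never attached or was rotated out
    expected = hmac.new(_decode_key(key_value), url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    expected_b64 = base64.urlsafe_b64encode(expected).decode("ascii")
    return hmac.compare_digest(expected_b64, signature)


if __name__ == "__main__":
    # Constructed demo: in practice key_value comes from Secret Manager.
    key_value = generate_key_value()
    keys_on_bucket = {"key-1": key_value}
    link = sign_url("https://cdn.example.com/video.mp4", "key-1", key_value, expires=2_000_000_000)
    print(link)
    print("valid now:", verify_signed_url(link, keys_on_bucket, now=1_900_000_000))
    print("valid after expiry:", verify_signed_url(link, keys_on_bucket, now=2_000_000_001))
```

Two points worth noting for the feature request itself: the key value never leaves the signer, so whichever Kubernetes resource ends up carrying `keyValue` should treat it as a secret rather than plain spec data, and because the CDN only needs the key name plus a matching value, keeping two keys attached during rotation lets old links keep working until they expire.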