.TH "GCLOUD_ALPHA_COMPUTE_SIGN\-URL" 1



.SH "NAME"
.HP
gcloud alpha compute sign\-url \- sign specified URL for use with Cloud CDN Signed URLs



.SH "SYNOPSIS"
.HP
\f5gcloud alpha compute sign\-url\fR \fIURL\fR \fB\-\-expires\-in\fR=\fIEXPIRES_IN\fR \fB\-\-key\-file\fR=\fILOCAL_FILE_PATH\fR \fB\-\-key\-name\fR=\fIKEY_NAME\fR [\fB\-\-validate\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(ALPHA)\fR \fBgcloud alpha compute sign\-url\fR generates a signed URL for
the specified URL and optionally validates the response by sending a request to
the signed URL.

Cloud CDN Signed URLs give you a way to serve responses from the globally
distributed CDN cache, even if the request needs to be authorized.

Signed URLs are a mechanism to temporarily give a client access to a private
resource without requiring additional authorization. To achieve this, the full
request URL that should be allowed is hashed and cryptographically signed. By
using the signed URL you give it, that one request will be considered authorized
to receive the requested content.

Generally, a signed URL can be used by anyone who has it. However, it is usually
only intended to be used by the client that was directly given the URL. To
mitigate this, they expire at a time chosen by the issuer. To minimize the risk
of a signed URL being shared, it is recommended that the signed URL be set to
expire as soon as possible.

A 128\-bit secret key is used for signing the URLs.

The URLs to sign have the following restrictions:

.RS 2m
.IP "\(bu" 2m
The URL scheme must be either HTTP or HTTPS.
.IP "\(bu" 2m
The URLs must not contain the query parameters: \f5Expires\fR, \f5KeyName\fR or
\f5Signature\fR, since they are used for signing.
.IP "\(bu" 2m
The URL must not have a fragment.
.RE
.sp



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fIURL\fR

The URL to sign.


.RE
.sp

.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-expires\-in\fR=\fIEXPIRES_IN\fR

The duration for which the signed URL will be valid. For example, specifying
\f512h\fR will cause the signed URL to be valid up to 12 hours. See $ gcloud
topic datetimes for information on duration formats.

.TP 2m
\fB\-\-key\-file\fR=\fILOCAL_FILE_PATH\fR

The file containing the RFC 4648 Section 5 base64url encoded 128\-bit secret key
for Cloud CDN Signed URL. It is vital that the key is strongly random. One way
to generate such a key is with the following command:

.RS 2m
head \-c 16 /dev/random | base64 | tr +/ \-_ > [KEY_FILE_NAME]
.RE

.TP 2m
\fB\-\-key\-name\fR=\fIKEY_NAME\fR

Name of the Cloud CDN Signed URL key.


.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-validate\fR

If provided, validates the generated signed URL by sending a HEAD request and
prints out the HTTP response code.

If the signed URL is valid, the result should be the same as the response code
sent by the backend. If it isn't, recheck the key name and the contents of the
key file, and ensure that expires\-in is set to at least several seconds and
that the clock on the computer running this command is accurate.

If not provided, the generated signed URL is not verified.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. These variants are also available:

.RS 2m
$ gcloud compute sign\-url
.RE

.RS 2m
$ gcloud beta compute sign\-url
.RE