HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/current/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/current/help/man/man1/gcloud_alpha_storage_sign-url.1
.TH "GCLOUD_ALPHA_STORAGE_SIGN\-URL" 1



.SH "NAME"
.HP
gcloud alpha storage sign\-url \- generate a URL with embedded authentication that can be used by anyone



.SH "SYNOPSIS"
.HP
\f5gcloud alpha storage sign\-url\fR \fIURL\fR [\fIURL\fR\ ...] [\fB\-\-duration\fR=\fIDURATION\fR,\ \fB\-d\fR\ \fIDURATION\fR;\ default=3600] [\fB\-\-headers\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-http\-verb\fR=\fIHTTP_VERB\fR,\ \fB\-m\fR\ \fIHTTP_VERB\fR;\ default="GET"] [\fB\-\-private\-key\-file\fR=\fIPRIVATE_KEY_FILE\fR] [\fB\-\-private\-key\-password\fR=\fIPRIVATE_KEY_PASSWORD\fR,\ \fB\-p\fR\ \fIPRIVATE_KEY_PASSWORD\fR] [\fB\-\-query\-params\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-region\fR=\fIREGION\fR,\ \fB\-r\fR\ \fIREGION\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(ALPHA)\fR \fBgcloud alpha storage sign\-url\fR will generate a signed URL
that embeds authentication data so the URL can be used by someone who does not
have a Google account. Use the global
\f5\fI\-\-impersonate\-service\-account\fR\fR flag to specify the service
account that will be used to sign the specified URL or authenticate with a
service account directly. Otherwise, a service account key is required. Please
see the Signed URLs documentation
(https://cloud.google.com/storage/docs/access\-control/signed\-urls) for
background about signed URLs.

Note, \f5gcloud alpha storage sign\-url\fR does not support operations on
sub\-directories. For example, unless you have an object named
\f5some\-directory/\fR stored inside the bucket \f5some\-bucket\fR, the
following command returns an error: \f5gcloud alpha storage sign\-url
gs://some\-bucket/some\-directory/\fR.



.SH "EXAMPLES"

To create a signed url for downloading an object valid for 10 minutes with the
credentials of an impersonated service account:

.RS 2m
$ gcloud alpha storage sign\-url gs://my\-bucket/file.txt \e
    \-\-duration=10m \e
    \-\-impersonate\-service\-account=sa@my\-project.iam.gserviceaccount.\e
com
.RE

To create a signed url that will bill to my\-billing\-project when already
authenticated as a service account:

.RS 2m
$ gcloud alpha storage sign\-url gs://my\-bucket/file.txt \e
    \-\-query\-params=userProject=my\-billing\-project
.RE

To create a signed url, valid for one hour, for uploading a plain text file via
HTTP PUT:

.RS 2m
$ gcloud alpha storage sign\-url gs://my\-bucket/file.txt \e
    \-\-http\-verb=PUT \-\-duration=1h \e
    \-\-headers=content\-type=text/plain \e
    \-\-impersonate\-service\-account=sa@my\-project.iam.gserviceaccount.\e
com
.RE

To create a signed URL that initiates a resumable upload for a plain text file
using a private key file:

.RS 2m
$ gcloud alpha storage sign\-url gs://my\-bucket/file.txt \e
    \-\-http\-verb=POST \e
    \-\-headers=x\-goog\-resumable=start,content\-type=text/plain \e
    \-\-private\-key\-file=key.json
.RE



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fIURL\fR [\fIURL\fR ...]

The URLs to be signed. May contain wildcards.


.RE
.sp

.SH "FLAGS"

.RS 2m
.TP 2m
\fB\-\-duration\fR=\fIDURATION\fR, \fB\-d\fR \fIDURATION\fR; default=3600

Specifies the duration that the signed url should be valid for, default duration
is 1 hour. For example 10s for 10 seconds. See $ gcloud topic datetimes for
information on duration formats.

The max duration allowed is 12 hours. This limitation exists because the
system\-managed key used to sign the URL may not remain valid after 12 hours.

Alternatively, the max duration allowed is 7 days when signing with either the
\f5\fI\-\-private\-key\-file\fR\fR flag or an account that authorized with
\f5\fIgcloud auth activate\-service\-account\fR\fR.

.TP 2m
\fB\-\-headers\fR=[\fIKEY\fR=\fIVALUE\fR,...]

Specifies the headers to be used in the signed request. Possible headers are
listed in the XML API's documentation:
https://cloud.google.com/storage/docs/xml\-api/reference\-headers#headers

.TP 2m
\fB\-\-http\-verb\fR=\fIHTTP_VERB\fR, \fB\-m\fR \fIHTTP_VERB\fR; default="GET"

Specifies the HTTP verb to be authorized for use with the signed URL, default is
GET. When using a signed URL to start a resumable upload session, you will need
to specify the \f5\fIx\-goog\-resumable:start\fR\fR header in the request or
else signature validation will fail.

.TP 2m
\fB\-\-private\-key\-file\fR=\fIPRIVATE_KEY_FILE\fR

The service account private key used to generate the cryptographic signature for
the generated URL. Must be in PKCS12 or JSON format. If encrypted, will prompt
for the passphrase used to protect the private key file (default
\f5\fInotasecret\fR\fR).

Note: Service account keys are a security risk if not managed correctly. Review
best practices for managing service account keys
(https://cloud.google.com/iam/docs/best\-practices\-for\-managing\-service\-account\-keys)
before using this option.

.TP 2m
\fB\-\-private\-key\-password\fR=\fIPRIVATE_KEY_PASSWORD\fR, \fB\-p\fR \fIPRIVATE_KEY_PASSWORD\fR

Specifies the PRIVATE_KEY_FILE password instead of prompting.

.TP 2m
\fB\-\-query\-params\fR=[\fIKEY\fR=\fIVALUE\fR,...]

Specifies the query parameters to be used in the signed request. Possible query
parameters are listed in the XML API's documentation:
https://cloud.google.com/storage/docs/xml\-api/reference\-headers#query

.TP 2m
\fB\-\-region\fR=\fIREGION\fR, \fB\-r\fR \fIREGION\fR

Specifies the region in which the resources for which you are creating signed
URLs are stored.

Default value is \f5\fIauto\fR\fR which will cause gcloud alpha storage
sign\-url to fetch the region for the resource. When auto\-detecting the region,
the current user's credentials, not the credentials from PRIVATE_KEY_FILE, are
used to fetch the bucket's metadata.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. This variant is also available:

.RS 2m
$ gcloud storage sign\-url
.RE
@ Telegram