Authenticated Static Sites on GCS

Rob Witoff
May 31, 2019

Excited about Identity Aware Proxy and want to use it to host a simple static site on GCS? You can’t. Yet. But you can get close with GCS and authenticated objects. This walkthrough shows one low-cost pattern, ideal for single-page HTML sites (or files like PDFs) that you want to host on a memorable domain and restrict to named Google accounts.

This pattern uses GCS’ abilities to both host public static websites and restrict private object access to named Google accounts. The result allows you to host a private website that only <yourname>@gmail.com can access through the redirect shown in this for about 99.99% less $$ than hosting the same content on AppEngine.

Set Up Your Bucket

Start by creating a bucket, named after your site. If you haven’t yet confirmed ownership of the domain, you’ll be walked through adding a TXT record to your domain to confirm ownership.

When creating the bucket, select object-level and bucket-level permissions so we can independently control access to the public and private files:

You’ll then need to set a CNAME record that points your custom domain to Google Storage’s default address of c.storage.googleapis.com so files in this bucket can be served as a default page.

Set Your Site

Now, we need to upload a landing page. This page must be public to work with GCS, so instead of hosting our private content it will simply redirect to it. Do this by creating a file named redirect.html, replacing ${DOMAIN} with your bucket name in the following snippet:

<html>
<head>
<meta http-equiv="Refresh" content="0; url=https://storage.cloud.google.com/${DOMAIN}.com/index.html?authuser=1">
</head>
<body>
Redirecting to your site...
</body>
</html>

Now we open up access to redirect.html to the world by adding the allUsers name with Reader access.

Next, upload your single-page html or other file. In this case, we’ll be hosting a single index.html file. Note that this private file will be served directly from a GCS path so relative includes will *not* work as expected. Now we take advantage of GCS’ integration with Google identities by sharing directly with the named Google accounts that we wish to have Reader access to this file:

The contents of our bucket should now look like this. Note that redirect.html is public, while index.html is not.

And lastly, from the GCS explorer, set your bucket’s website configuration to serve our redirect.html as our base URL. I’ve decided here to also serve it as my 404 page, so any path will redirect to my expected page:

Results

Now when anyone visits the more memorable authenticated.yoursite.com, our redirect page will reroute visitors to index.html (which could be a PDF or any file!) that only named Google accounts can access.
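One way to check that the bucket really ended up in this state (redirect.html public, index.html readable only by the named accounts), as an added example that is not part of the original post. It assumes ACL entries in the entity/role shape used by the GCS JSON API; the function name audit_bucket and the sample data are constructed for illustration.

```python
# Added example: audit object ACLs for the public-redirect / private-content layout.
# ACL entries use the entity/role shape of the GCS JSON API (assumption).

PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}
PROJECT_PREFIX = "project-"  # default project owners/editors/viewers entries


def audit_bucket(object_acls, public_objects, allowed_readers):
    """Return a sorted list of (object, entity, problem) findings.

    object_acls:     {object_name: [{"entity": str, "role": str}, ...]}
    public_objects:  names meant to be world-readable (redirect.html)
    allowed_readers: Google account e-mails allowed to read private objects
    """
    allowed = {"user-" + email.lower() for email in allowed_readers}
    findings = []
    for name, acl in object_acls.items():
        if name in public_objects:
            if "allUsers" not in {entry["entity"] for entry in acl}:
                findings.append((name, "allUsers", "landing page is not public"))
            for entry in acl:
                if entry["entity"] in PUBLIC_ENTITIES and entry["role"] != "READER":
                    findings.append((name, entry["entity"], "public entity can modify object"))
            continue
        for entry in acl:
            entity = entry["entity"]
            if entity in PUBLIC_ENTITIES:
                # allAuthenticatedUsers means ANY Google account, not the named ones.
                findings.append((name, entity, "private object is shared publicly"))
            elif entity.startswith(PROJECT_PREFIX):
                continue  # project-level access: review separately in IAM
            elif entity.lower() not in allowed:
                findings.append((name, entity, "reader is not on the allow list"))
    return sorted(findings)


# Constructed sample data (not taken from a real bucket).
SAMPLE_ACLS = {
    "redirect.html": [{"entity": "allUsers", "role": "READER"},
                      {"entity": "project-owners-123456", "role": "OWNER"}],
    "index.html": [{"entity": "user-yourname@gmail.com", "role": "READER"},
                   {"entity": "allAuthenticatedUsers", "role": "READER"},
                   {"entity": "group-team@example.com", "role": "READER"},
                   {"entity": "project-owners-123456", "role": "OWNER"}],
}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACLS, {"redirect.html"}, {"yourname@gmail.com"}):
        print(finding)
```

The per-object ACL lists can be exported with gsutil acl get and fed to the function in place of the sample data.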
