Learn the best way to set up Google Cloud Storage to enable sharing documents securely with external users while allowing access to expire after a set time period. The solution is to generate signed URLs for each shared document.
Question
You are developing a secure document sharing platform. The platform allows users to share documents with other users who may be external to their organization. Access to these documents should be revoked after a configurable time period. The documents are stored in Cloud Storage. How should you configure Cloud Storage to support this functionality?
A. Create signed policy documents on the Cloud Storage bucket.
B. Apply access control list (ACL) permissions to the Cloud Storage bucket.
C. Generate a signed URL for each document the user wants to share.
D. Grant the Storage Object Viewer IAM role to all authenticated users.
Answer
C. Generate a signed URL for each document the user wants to share.
Explanation
To support secure document sharing with external users where access is revoked after a configurable time period, the best approach is to generate a signed URL for each document the user wants to share (Option C).
A signed URL is a URL that provides time-limited access to a specific Cloud Storage object. It carries the authentication information in its query string, so a user without a Google account can access the object for as long as the URL remains valid.
Here’s how it works:
- When a user wants to share a document, your application generates a signed URL for that specific document/object in Cloud Storage.
- The signed URL specifies the amount of time for which it will be valid, after which it automatically expires and access is revoked.
- Your application provides the signed URL to the external user to grant them temporary access to that one document.
- The external user can access the document via the signed URL for the specified validity period without needing a Google account.
- After the expiration time passes, the signed URL stops working and the external user loses access, achieving the goal of revoking access after a configurable time period.
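The mechanism above, as an added example that is not part of the original page: it assembles the V4-style canonical request and string-to-sign that bind the expiry into the signature, and reports how long a given URL stays valid. The private-key signature (RSA-SHA256 with the service account key in a real deployment) is injected as a callable; the HMAC signer at the bottom is a constructed placeholder so the block runs offline, and the bucket, object and account names are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlparse

HOST = "storage.googleapis.com"
MAX_EXPIRY = 7 * 24 * 3600  # a V4 signed URL may not be valid for more than 7 days


def build_signed_url(bucket, obj, sa_email, expires_in, sign, now_ts=None):
    """Return a V4-style signed GET URL for obj, valid for expires_in seconds."""
    if not 1 <= expires_in <= MAX_EXPIRY:
        raise ValueError("expires_in must be between 1 second and 7 days")
    now = datetime.fromtimestamp(now_ts or datetime.now(timezone.utc).timestamp(), timezone.utc)
    ts, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{day}/auto/storage/goog4_request"
    path = "/" + quote(bucket) + "/" + quote(obj)
    params = {  # every parameter here is covered by the signature, expiry included
        "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
        "X-Goog-Credential": f"{sa_email}/{scope}",
        "X-Goog-Date": ts,
        "X-Goog-Expires": str(expires_in),
        "X-Goog-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, values percent-encoded
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", path, query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["GOOG4-RSA-SHA256", ts, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    sig = sign(string_to_sign.encode()).hex()
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={sig}"


def seconds_remaining(url, at_ts=None):
    """Validity left at epoch time at_ts (negative once the URL has expired)."""
    q = parse_qs(urlparse(url).query)
    issued = datetime.strptime(q["X-Goog-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    at_ts = at_ts if at_ts is not None else datetime.now(timezone.utc).timestamp()
    return int(issued.timestamp()) + int(q["X-Goog-Expires"][0]) - int(at_ts)


def fake_sign(data):
    """Constructed stand-in for the RSA-SHA256 service-account signature (not accepted by GCS)."""
    return hmac.new(b"constructed-demo-key", data, hashlib.sha256).digest()


if __name__ == "__main__":
    url = build_signed_url("docs-bucket", "reports/q1.pdf",
                           "sharing-sa@example.iam.gserviceaccount.com", 3600, fake_sign)
    print(url, "valid for", seconds_remaining(url), "s")
```

Because `X-Goog-Expires` is part of the signed canonical request, editing the expiry in the URL invalidates the signature rather than extending access.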
The other options are not suitable for this use case:
- Policy documents (Option A) and ACLs (Option B) apply permissions to buckets or objects but do not provide a way to share individual objects with expiring access.
- Granting the Storage Object Viewer role to all users (Option D) would give permanent access to all documents to any authenticated user, not just specific external users, and would not allow revoking access after a time period.
Therefore, generating signed URLs (Option C) is the correct and secure way to implement the required external document sharing functionality with configurable expiring access in Google Cloud Storage.