How to upload file to Storage without login
In order to upload file to Storage without login google account, we have to implement policy document. After that, user can upload file to Storage from web page via Form directly.
There are 4 rough steps:
Step Four:fill above info into Form, upload file
After above steps, policy (policy_base64) and signature have been generated. Those two informations must be filled into Form. Besides, for metadata specified in policy conditions, it must be filled into Form also. It is very important and it will cause uploading fail if those informations do not fill into Form.
PHP Sample Code
github link
There are 4 rough steps:
- Service Account p12 file, it can be created at GCP Console
- Uploading object metadata, including
- Bucket
- Key
- ACL
- Expiration, for more information: Policy Document
- encryption
- fill above info to Form, upload file
Step One:p12 file
After login GCP Console, you can generate p12 file via API Manager -> Credentials -> Create credentials
Only Storage Admin assigned because we utilize Storage service only. If you need more permissions for other services, please refer available roles.
Please save your p12 file properly because there is only one chance to download the file.
Step Two:uploading object metadata
According to Policy Document, JSON format is required for uploading object metadata. There are two major parts:
- expiration:policy document expiration time (ISO8601 format), when sign a policy document, it required to specify available period and it will expired after specified time.
- conditions:metadata to describe uploading object
example:
{"expiration":"2017-04-24T11:11:51+02:00",
"conditions":[{"bucket":"upload"}, {"key":"myimg.png"}]}
PHP Sample Code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $expire = time() + (60 * 5); // expired 5 min after | |
| $iso8601 = date('c', $expire); | |
| $policy = '{"expiration": "' . $iso8601 . '",' . | |
| '"conditions": ['. | |
| '{"acl":"public-read"},'. //specify object acl | |
| '{"bucket": "signed"},'. //specify bucket | |
| '{"key":"resource/ab.png"},'. //spcify object name | |
| '{"success_action_redirect":"http://localhost/success.php"}'. // specify redirect url after upload successful | |
| ']}'; | |
Step Three:encryption
Please follow encryption order carefully and confirm p12 file path is correct.
- policy must be utf-8 encoded => policy_utf
- Base64 encode (policy_utf) => policy_base64
- SHA256( RSA (Secret Key, policy_base64)) => singed
- Base64 encode (signed) => signature
PHP Sample Code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $policy_utf = utf8_encode($policy);//ensure utf-8 | |
| $policy_base64 = base64_encode($policy_utf);//encoded by base64 | |
| $signature = googleSignString('docker-71ea7c875c5e.p12', $policy_base64); | |
| /* | |
| * @params p12FilePath Service account p12 file path | |
| * @params string Plain text for encoding | |
| */ | |
| function googleSignString($p12FilePath, $string){ | |
| $certs = []; | |
| if (!openssl_pkcs12_read(file_get_contents($p12FilePath), $certs, 'notasecret')) | |
| { | |
| echo "Unable to parse the p12 file. OpenSSL error: " . openssl_error_string(); exit(); | |
| } | |
| $RSAPrivateKey = openssl_pkey_get_private($certs["pkey"]); | |
| $signed = ''; | |
| if(!openssl_sign( $string, $signed, $RSAPrivateKey, 'sha256' )) | |
| { | |
| error_log( 'openssl_sign failed!' ); | |
| $signed = 'failed'; | |
| } | |
| else | |
| { | |
| $signed = base64_encode($signed); | |
| } | |
| return $signed; | |
| } |
Step Four:fill above info into Form, upload file
After above steps, policy (policy_base64) and signature have been generated. Those two informations must be filled into Form. Besides, for metadata specified in policy conditions, it must be filled into Form also. It is very important and it will cause uploading fail if those informations do not fill into Form.
PHP Sample Code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form action="https://<your bucket name>.storage.googleapis.com" method="post" enctype="multipart/form-data"> | |
| <input type="hidden" name="key" value="your object name here"> | |
| <input type="hidden" name="bucket" value="your bucket name here"> | |
| <input type="hidden" name="acl" value="public-read"> | |
| <input type="hidden" name="success_action_redirect" value="http://localhost/success.php"> | |
| <input type="hidden" name="GoogleAccessId" value="your service account created at step one"> | |
| <input type="hidden" name="policy" value="<?php echo $policy_base64; ?>"> | |
| <input type="hidden" name="signature" value="<?php echo $signature; ?>"> | |
| <input type="file" name="file"> | |
| <input type="submit" value="Upload!"> | |
| </form> |
- action:fill <bucket>.storage.googleapis.com, remember to replace <bucket> name, such as upload.storage.googleapis.com
- method:POST
- enctype:multipart/form-data
- GoogleAccessId:replace your service account created in step one
github link
留言
張貼留言