Sample for HMAC SignedURL for Google Cloud Storage. Normally, you use RSA private key to sign a URL for GCS. However, another way to sign a url is to enable interop mode for GCS and use HMAC keys and the GCS XML API. HMAC is faster in the signing operation but is currently associated with either a user’s or service account

(EDIT: 8/12/19: GCP Service accounts now support HMAC!:

Anyway, i thought i’d write this up since i didn’t find and example of this anywhere though it was mentioned in the documentation below. You can find the source code on HMAC signing below as well.

From the docs and the cloud console:

“Note: Signing with the RSA algorithm is supported for the Cloud Storage XML API, but not the JSON API. You can also sign URLs using HMAC when using the XML API for interoperable access.”

NOTE: “The Interoperability API lets you use HMAC authentication and lets Cloud Storage interoperate with tools written for other cloud storage systems. Turn on this API only if you require interoperable access for the current user. This API is enabled per project member, not per project. Each member can set a default project and maintain their own access keys.”

“Use an access key to authenticate yourself when making requests to Cloud Storage. The key is linked to your Google user account.”

gain, your HMAC key is associated with your useraccount and at the time of writing

nope…on 8/12/19: you can use service accounts

so, in the example below, just replace the steps to get the key and ID with the service account flow. I’ll leave the following as userbased though!

Anyway, to use this sample, first enable iterop access and generate a key:


Substitute the key,secret into the sample (make sure you have access to the bucket/object).

$ python hmac_sign.py 
put status_code: 200
get status_code: 200
data; lorem ipsum


This site supports webmentions. Send me a mention via this form.