ONLY cloudflare shall be able to access my google storage bucket

Hi, for setting up GCP storage with CF CDN there are many tutorials [

Using Google Cloud Storage + Cloudflare to Host a … - YouTube › watch
](Using Google Cloud Storage + Cloudflare to Host a Static Website for just PENNIES PER MONTH! - YouTube)

but I have some different use case now, since I use worker interceptors to decide who is allowed to access the files, I therefore want that NOBODY can access files directly from google cloud storage, except cloudflare. only cloudflare should be able to access the files from my GCP bucket (to refresh content since CDN cache expires if it ain’t frequently used)

has anyone some kind of idea how to achieve that? these are network settings and I really have Zero experience with setting up secure network environments like that.

I basically want to block ALL requests to my google cloud storage bucket, except requests from cloudflare.

restricting access to the bucket via IAM ACL ain’t a solution, because cloudflare cdn can access only public files or not?

This is not something that is going to be easy to set up. You are going to have to create a service account in your google console that has access to the bucket and have your worker use that service account.

If you are looking to deploy a static website then I would recommend checking out Cloudflare’s Pages.

1 Like

Well, but if using :orange: proxied CNAME record to this bucket (like you would), everyone would have the access to the files if they just request them.

If interested, I would suggest looking into below:

While AWS seems to have it:

Some older feature request:

Why not to try out Firebase Hosting?

I am not familiar that much :grimacing:

1 Like

Thanks a lot! Setting that up with GCP storage seems quite complicated with that whole VPC stuff since they don’t support IP whitelisting. maybe I shall go with AWS S3 for that one

can you maybe confirm, is this what I need?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.