Private GCS Bucket host static site

abhishek-wings · January 5, 2024, 5:10am

If I want to publish private bucket content over the internet, meaning I want to host my static website on a private bucket and add an HTTPS load balancer as the frontend, it’s not working.

In AWS, it’s easily possible to publish a private bucket through CloudFront.

Marramirez · January 9, 2024, 4:47pm

Hello @abhishek-wings !

Take a look at this guide on how to configure a bucket to host a static website. Cloud Storage doesn’t support custom domains with HTTPS on its own, the mentioned guide utilizes Cloud Storage with an external Application Load Balancer to serve content from a custom domain over HTTPS.

Also, take a look at Static website examples and tips for GCP.

If the above option doesn’t work, you can contact Google Cloud Support to further look into your case. Let me know if it helped, thanks!

ZKH · April 23, 2024, 12:47pm

Hi @abhishek-wings

For this achievement, you can use Private Origin Authentication feature.
Here are non exhaustifs steps you can follow:

Create your private GCS bucket and upload your static website’s contents
Create a service account with a GCS HMAC Key/Secret pair on GCS Settings
Create an External HTTP/HTTPS Load Balancer:
- CDN enabled
- FQDN based Internet NEG as backend service (targetting your GCS Bucket)
- Update your Backend Service SecuritySettings configuration with HMAC Id and key

I hope this will helps you !

lai-123 · April 24, 2024, 6:01pm

what if there is an Org policy in place that prevents public access to the bucket. what would be Google’s workaround that ?

Message:

IAM policy update failed

You cannot add the principals allUsers or allAuthenticatedUsers to the bucket’s policy because public access prevention is enforced. This constraint could be enforced at the bucket, project, folder, or organization level. Ask your org or project administrator about access options.

Thanks,

ZKH · April 25, 2024, 10:02am

Hi @lai-123 ,

If I may, the answer to your use case is further down in my below answer.
I hope this will helps you

lai-123 · April 25, 2024, 1:50pm

Hi,

Thank you for the Info. The documentation talks about Amazon S3 buckets, does this apply to GCS buckets ? Is there a Google documentation on that ?

Thanks,

ZKH · April 25, 2024, 2:40pm

Yes, it also concerns GCS.

“Private origin authentication gives Cloud CDN long-term resource access to private Amazon S3 buckets or other compatible object stores”

You will find the informations here : https://cloud.google.com/cdn/docs/configure-private-origin-authentication

Kindly

kaushik853 · February 10, 2025, 7:08am

@ZKH Unfortunately you can not do this with google cloud bucket, as the lb backend already has an GCS category, which doesnt have this option to use private origin

Topic		Replies	Views
Hosting static site from private storage bucket Compute Infrastructure cloud-storage , server-configuration	2	173	August 10, 2022
how can we host static website using global https loadbalancer and cdn keeping bucket private in gcp Compute Infrastructure cloud-cdn	1	47	December 19, 2023
How can I access static data from a GCP private bucket using Google Cloud CDN with ALB IP Compute Infrastructure cloud-cdn	5	720	November 7, 2025

Private GCS Bucket host static site

IAM policy update failed

AI Suggested topics