I have a Global External Load Balancer in GCP that we use to serve static assets (images, CSS files, etc.).
All the static assets are in a GCS bucket.
If the GCS bucket is private, we get AccessDenied. I can't keep the bucket public either.
A signed URL is also not an option because the asset URLs cannot change with time.
Is there a way I can keep the GCS bucket private and still use it to serve static assets via Cloud CDN?
If public is the only way, can I have some sort of ACL where only Google IPs can access the bucket?
At the moment, there are 4 different ways to serve content via Cloud CDN using a private bucket:
1. Tokenized access: I understand that this isn't very desirable, but it is an option. I wrote a blog post on how to do this.
2. Token proxy: this deploys a Cloud Run instance that will generate an ephemeral token for you so you can access a private GCS bucket.
3. Leverage v4 token signing: this option uses the newer v4 token signing process. It is generally used for accessing a private AWS S3 bucket, but you can leverage the built-in S3 compatibility model within GCS to dynamically generate a v4 token. Here is a link to a blog post that tells you how to do it.
4. Engineering hack: you can contact Google technical support and request that they "enable private bucket access". What this does is desensitize the GCS authentication system so it won't check for a token on the private bucket. A service account name is generated, and you can add IAM read permissions to that service account.
Each of these methods has pros and cons. My personal favorite at the moment is the v4 token option. It leverages the native functionality, so there are no additional costs of running a Cloud Run proxy, you don't need to actually deploy a web server to generate an ephemeral token, and you aren't hard-wiring something.
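To make the v4 option concrete, here is an added illustration (not code from the answer or from Google) of what a SigV4-signed cache-fill request to the GCS XML (S3-compatible) API looks like when an HMAC key is used. The access key id, secret, bucket, object name, region and the fixed timestamp are all placeholders; the point is that the secret never leaves the signer, the public asset URL stays stable, and each origin fetch carries a short-lived signature instead of the bucket being public.

```python
"""SigV4 signing of a GCS XML-API GET with an HMAC key.

Added illustration of the "v4 token signing" option above, not the author's code.
A GET to the S3-compatible endpoint is signed with a service-account HMAC key,
so the bucket stays private and the public asset URL never changes.
All key material and bucket/object names are placeholders.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Placeholder HMAC key pair (not real). In practice it belongs to a service account
# that holds roles/storage.objectViewer on the bucket and is created with
# `gcloud storage hmac create <service-account-email>`.
ACCESS_KEY_ID = "GOOG1EXAMPLEACCESSKEYID"
SECRET_KEY = "exampleSecretNotARealKey0000000000000000"

HOST = "storage.googleapis.com"   # GCS XML (S3-compatible) endpoint
REGION = "us-central1"            # only feeds the credential scope for GCS
SERVICE = "s3"
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET carries no body
FIXED_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # reproducible output


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day SigV4 signing key; the raw secret never signs a request directly."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, headers: dict, payload_hash: str) -> tuple:
    """Build the SigV4 canonical request string and the matching SignedHeaders value."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lowered)
    canonical_uri = quote(path, safe="/~")   # RFC 3986 encoding, keep '/' and '~'
    canonical_query = ""                     # a plain object GET has no query string
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed_headers = ";".join(names)
    creq = "\n".join([method, canonical_uri, canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return creq, signed_headers


def sign_get(bucket: str, object_name: str, now: datetime) -> dict:
    """Return the signed headers for GET /bucket/object on the XML API (path-style)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    path = f"/{bucket}/{object_name}"
    headers = {
        "host": HOST,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "x-amz-date": amz_date,
    }
    creq, signed_headers = canonical_request("GET", path, headers, EMPTY_PAYLOAD_SHA256)
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(creq.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(SECRET_KEY, date_stamp, REGION, SERVICE),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY_ID}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def demo_headers() -> dict:
    """Signed headers for a sample asset at a fixed time, so the output is reproducible."""
    return sign_get("assets-bucket", "css/site.css", FIXED_TIME)


if __name__ == "__main__":
    for name, value in demo_headers().items():
        print(f"{name}: {value}")
```

In the managed setup the CDN does this signing for you: the HMAC key id and secret are stored on the backend service (in Cloud CDN's private origin authentication settings, which from memory live under the backend service's securitySettings.awsV4Authentication block; check the current docs for the exact field names) and the bucket only needs the key's service account granted read access. The practical checks are that the object viewer role is scoped to the asset bucket rather than the project, that the HMAC secret is rotated like any other credential, and that the bucket's IAM has no allUsers binding left behind from the public-bucket days.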