Building a Secure File Upload API Using Cloud Storage and Cloud Functions

 Building a secure file upload API using cloud storage (like Google Cloud Storage or AWS S3) and cloud functions (like Google Cloud Functions or AWS Lambda) involves several key components:


๐Ÿ” Security Goals

Validate file types and size.


Authenticate and authorize users.


Prevent direct access to cloud storage.


Use signed URLs or proxy uploads.


Sanitize file names.


✅ Recommended Architecture Overview

pgsql

Copy

Edit

Client (e.g., web or mobile app)

   |

   | ---> Upload request

   |

[Authenticated API Gateway / HTTPS Endpoint]

   |

   | ---> Validates request

   | ---> Generates signed URL

   |

[Cloud Function]

   |

   | ---> Returns signed URL or proxies the upload

   |

[Cloud Storage Bucket (Private)]

๐Ÿ“ฆ Step-by-Step Implementation (GCP Example)

1. Set up a secure Cloud Storage bucket

Create a private bucket.


Disable public access.


Enable uniform bucket-level access.


bash

Copy

Edit

gsutil mb -p [PROJECT_ID] -l [LOCATION] gs://[BUCKET_NAME]

gsutil uniformbucketlevelaccess set on gs://[BUCKET_NAME]

2. Write a Cloud Function to Generate Signed URLs

python

Copy

Edit

# Python (Google Cloud Function - HTTP Trigger)


from google.cloud import storage

from flask import jsonify, request

import time


def generate_upload_url(request):

    request_json = request.get_json()

    filename = request_json.get('filename')

    content_type = request_json.get('contentType')


    # Validation (basic)

    if not filename or not content_type:

        return jsonify({'error': 'Missing required fields'}), 400


    # File extension validation (example)

    if not filename.lower().endswith(('.png', '.jpg', '.jpeg', '.pdf')):

        return jsonify({'error': 'Invalid file type'}), 400


    bucket_name = 'your-private-bucket'

    expiration_time = 15 * 60  # 15 minutes


    storage_client = storage.Client()

    bucket = storage_client.bucket(bucket_name)

    blob = bucket.blob(filename)


    url = blob.generate_signed_url(

        version="v4",

        expiration=expiration_time,

        method="PUT",

        content_type=content_type,

    )


    return jsonify({'url': url, 'method': 'PUT', 'expiresIn': expiration_time})

3. Deploy the Cloud Function

bash

Copy

Edit

gcloud functions deploy generate_upload_url \

  --runtime python310 \

  --trigger-http \

  --allow-unauthenticated # (or add auth later)

4. Client Upload Flow

javascript

Copy

Edit

// Example using fetch in JavaScript


async function uploadFile(file) {

    const res = await fetch('https://<cloud-function-url>', {

        method: 'POST',

        headers: { 'Content-Type': 'application/json' },

        body: JSON.stringify({ filename: file.name, contentType: file.type })

    });

    const { url, method } = await res.json();


    const uploadRes = await fetch(url, {

        method,

        headers: { 'Content-Type': file.type },

        body: file

    });


    if (uploadRes.ok) {

        console.log('Upload successful!');

    } else {

        console.error('Upload failed.');

    }

}

๐Ÿ”’ Additional Security Measures

Authentication: Use Firebase Auth, OAuth, or IAM-based service auth.


Virus scanning: Trigger another cloud function after upload to scan the file (e.g., with ClamAV on Cloud Functions).


File size limits: Enforce client-side and server-side limits.


Storage lifecycle rules: Auto-delete old files.


Audit logs: Enable GCP/AWS audit logs to track uploads and access.


๐Ÿ“ Optional: Proxy File Uploads via Cloud Function

Instead of signed URLs, you can have clients upload files directly to a cloud function (e.g., multipart/form-data), which then writes to storage — slower and less scalable but useful for full control.

Learn Google Cloud Data Engineering Course

Read More

Cloud Storage - Specialized Use Cases & Security

Building a Pub/Sub Message Router with Cloud Run

Creating a Multi-Tenant Event Bus with Cloud Pub/Sub

Using Cloud Storage to Archive High-Volume Streaming Data

Visit Our Quality Thought Training in Hyderabad

Get Directions 



Comments

Post a Comment

Popular posts from this blog

Understanding Snowflake Editions: Standard, Enterprise, Business Critical

Understanding Snowflake Editions: Standard, Enterprise, Business Critical Snowflake offers several service editions to meet different business needs. These editions provide increasing levels of features, security, and compliance, depending on your organization's size, industry, and regulatory requirements. 1. Standard Edition Best for: Small to mid-sized teams or businesses that need core data warehousing features without advanced compliance needs. Key Features: Fully managed, cloud-native data platform Support for structured and semi-structured data Virtual warehouses for compute scaling Time Travel (1 day) – lets you query past versions of data Secure data sharing between Snowflake accounts Basic security with role-based access control Use Case Example: Startups or small companies analyzing business data without strict data compliance needs. 2. Enterprise Edition Best for: Organizations that need more control, scalability, and longer data retention. Includes everything in Standar...
Read more

Why Data Science Course?

Why Data Science Course? A Data Science course is valuable for several reasons: 1.Growing Job Market The demand for data scientists is increasing globally, with companies actively hiring professionals with data skills. Many industries, including healthcare, banking, and technology, rely on data science for better decision-making. 2. Diverse Career Options You can work as a Data Scientist, Data Analyst, Machine Learning Engineer, AI Specialist, Business Analyst, or Big Data Engineer. Data science skills are useful in various industries like finance, retail, healthcare, education, and sports analytics. 3. Develops Critical Thinking & Problem-Solving Skills A data science course helps you analyze complex problems, interpret data, and develop innovative solutions. Encourages logical reasoning, pattern recognition, and data-driven decision-making. 4. Learn Advanced Technologies & Tools Gain hands-on experience with tools like Python, R, SQL, TensorFlow, Tableau, Hadoop, and Power BI...
Read more

How To Do Medical Coding Course?

Medical coding is a great career choice, and there are different ways to get trained and certified. Here’s a step-by-step guide on how to do a medical coding course: Step 1: Understand Medical Coding Medical coding involves translating healthcare services, diagnoses, procedures, and equipment into standardized codes. These codes are used for billing and insurance purposes. Common coding systems: ICD-10-CM (Diagnosis Codes) CPT (Procedure Codes) HCPCS (Supplies & Services) Step 2: Choose the Right Course You can take medical coding courses from: Universities & Community Colleges (Online & In-person) Professional Organizations (AAPC, AHIMA) Online Platforms (Coursera, Udemy, edX) Step 3: Select a Certification Path The most recognized certifications include: Certified Professional Coder (CPC) – AAPC (Most popular) Certified Coding Specialist (CCS) – AHIMA (Hospital-based coding) Certified Inpatient Coder (CIC) – AAPC Certified Outpatient Coder (COC) – AAPC Step 4: Enroll in a...
Read more