Frustrated with the lack of IAM permissions for hosting static sites

Am I missing something or is there no good way to host a static site where you can grant permissions via IAM? I tried gcloud storage using authenticated URLs, it redirects to some weird hostname that’s a mile long, which causes CORS issues trying to load other data from the bucket. I could probably use a load balancer + IAP, but that’s a lot of money to spend just for a tiny static site with no usage. Finally I could merge this into an app deployed in GAE but that’s a lot of extra work just to host a small static site. Been frustrated with this issue for years

One other thing to note is that IAP doesn’t support bucket backends anyway (

thanks, well there goes that option too! why so difficult google???

How about Firebase hosting?

how can I prevent public access and use IAM to grant?

This caused us a lot of headaches too — but mainly because of the inability to easily make it internal only (which is very easy on AWS for similar s3 static site functionality) — you have to grant allUsers access to it in GCP and then even if you put a cloud armor rule in front of the web site, it’s still actually public. we damn near had a public data exposure last year, because we were migrating our AWS static site module to GCP with the equivalent functionality, and they tried to just literally port the functionality 1:1 …… for that issue we ended up just ditching static site functionality altogether and had to roll our own nginx frontend that serves the bucket

but we’re now having requests to lock it down by group — so for that we’re going to have to use IAP + the same nginx frontend we already have (which itself will then be restricted to the IAP network only blahblahblah)

thanks for sharing the pain. what is nginx serving from?

it doesn’t solve your problem of not wanting to pay for IAP, but you can do an nginx container hosting the status files (cloud run, gke, whatever), and put a load balancer / IAP in front of that, similar to what was suggested above

there is a way to build something so nginx will serve from object storage directly, but, depending on the size and how often it changes, you could also build the container and use gsutil cp or similar to copy in the pipeline

yeah, before I’ve done this with app engine and enabling IAP there. if it’s static you can the built in nginx to serve files for free with no instances spun up even. but it’s a pain

and you have to copy and have duplicates, potentially be out of date

IIRC, a coworker of mine at a previous job managed to set something mostly working with gcsfuse (inside docker)

GKE in our case b/c we already have that infra for that type of thing

yah I guess I wouldn’t even need IAP then I could just use a load balancer w/ cloud armor allows for the group(ithink?)

oh for the actual nginx container we mount the drive with gcs-fuse-csi-driver --if you need it to be super-performant that’s probably not the best option but it works for our internal needs of serving doc sites or whatever

some suggestions in that issuetracker issue. it is now “assigned”, but it looks to me like it’s just assigned to some kind of generic contact.

The tech lead for IAP did mention some big challenges in their comment back of 5/22. But of course, as an end-user, it’s very frustrating that this is still not possible

i ended up making this instead. I’m not a go developer so it’s kinda hacked together and may have some bugs but I think it covers the broad strokes. This will serve up a GCS bucket’s contents as static files, after verifying a valid IAP JWT is present.