Google Cloud Storage

Google Cloud Storage (GCS) can be used as an origin server with your Fastly services once you set up and configure your GCS account and link it to a Fastly service. It can also be configured to use private content. This speeds up your content delivery and reduces your origin’s workload and response times with the dedicated links between Google and Fastly's POPs.

Using GCS as an origin server

To make your GCS data available through Fastly, follow the steps below.

Set up and configure your GCS account

  1. Sign up for Google Cloud Storage and start the basic setup.
  2. Create a bucket to store your origin's data and remember the name. You'll need the bucket name to connect your GCS account to your Fastly service.

  3. Add a file to the bucket and then make the file public.

Create a new origin in your Fastly service for your GCS account

Link your GCS account to a Fastly service following the steps below.

  1. Log in to the Fastly application.
  2. Create a new service if you don't already have one set up.
  3. Select the appropriate service from the Service menu.
  4. Click the blue Configure button to the right of the service name.
  5. Click the Hosts pane from the list on the left.
  6. In the Backends area click the New button to create a new backend. The New Backend window appears.

  7. Fill out the New Backend window as follows:

    • In the Address field, type the address of your secure server (for example, origin.example.com).
    • In the Port field type 443.
    • In the Name field, type the name of your server (for example, Google Cloud Storage).
    • Leave the Health Check, Auto Load Balance, and Weight controls set to their default values.
    • From the Shielding menu, select an available interconnect location from the list of shielding locations. See our information on interconnect locations below for more details.
  8. Click the Create button. The server appears in the Backends area.

Interconnect locations

The following interconnects allow you to establish direct links with Google's edge network when you choose your shielding location. By selecting one of the locations listed below, you will be eligible to receive discounted pricing from Google CDN Interconnect for traffic traveling from Google Cloud Platform to Fastly's network. Most customers select interconnects closest to their origin.

Interconnects exist in the following locations within North America:

Interconnects outside of North America exist in:

Review our caveats of shielding and select an interconnect accordingly.

Set the Cache-Control header for your GCS bucket

GCS performs its own caching, which may complicate efforts to purge cache with the Fastly application. To avoid potential problems, we recommend using the gsutil command line utility to set the Cache-Control header for one or more files in your GCS bucket:

gsutil setmeta -h "Cache-Control: max-age=0, s-maxage=86400" gs://bucket/*.html

Replace bucket in the example above with your GCS bucket's name. Note that max-age=0 instructs GCS to cache your content for zero seconds, and s-maxage=86400 instructs Fastly to cache your content for one day. See Google's setmeta docs for more information.

Set the default host for your service to your GCS bucket

  1. Click Settings from the list on the left. The Settings controls appear.

  2. In the Default Host field of the Default Settings area, type the name of the default host for this service.

    The name you type should match the name of the bucket you created in your GCS account and will take the format <your bucket name>.storage.googleapis.com. In this example, our bucket name is test123, so our Default Host name would be test123.storage.googleapis.com.

  3. Decide how to change the default TTL for your GCS bucket, if at all, keeping the following in mind:

    • Your GCS account controls the default TTL for your GCS content. GCS currently sets the default TTL to 3600 seconds. Changing the default TTL via the Default TTL (s) field will not override the default setting in your GCS account.
    • To override the default TTL set by GCS from within the Fastly application, create a new cache setting and enter the TTL there.
    • To override the default TTL in GCS, download the gsutil tool and then change the cache-control headers to delete the default TTL or change it to an appropriate setting.

Create new domains for GCS to respond to

  1. Click Domains from the list on the left. The Domains controls appear.

  2. Click the New button in the Domains area. The New Domain window appears.

  3. In the Domain Name field, type the name users will type in their browsers to access your site, then click the Create button to create the new domain.

  4. Because GCS responds to different hostnames than your Fastly service, create a second domain by following the domain creation steps immediately above.

  5. In the Domain Name field of the second domain you create, type the same value as the default host you created earlier (e.g., <your bucket name>.storage.googleapis.com).

    Shielding POPs need this additional domain so they can route requests correctly. (See Caveats of Shielding for more information.)

  6. Deploy the new origins by activating the new version of your service.

Once you have deployed, you can use http://<domain>.global.prod.fastly.net/<filename> to access the files you uploaded.

Using GCS with private objects

To use Fastly with GCS private objects, be sure you've already made your GCS data available to Fastly by pointing to the right GCS bucket, then follow the steps below.

Setting up interoperable access

By default, GCS authenticates requests using OAuth2, which Fastly does not support. To access private objects on GCS, your project must have HMAC authentication enabled and interoperable storage access keys (an "Access Key" and "Secret" pair) created. Do this by following the steps below.

  1. Open the Google Cloud Platform console and select the appropriate project.
  2. Click Settings. The Settings appear with the Project Access controls highlighted.
  3. Click the Interoperability tab. The Interoperability API access controls appear.
  4. If you have not set up interoperability before, click Enable interoperability access.
  5. Click Make <PROJECT-ID> your default project for interoperable access.

    If that project already serves as the default project, that information appears instead.

  6. Click Create a new key. An access key and secret code appear.

  7. Save the access key and secret code that appear. You'll need these later when you're creating an authorization header.

Setting up Fastly to use GCS private content

To use GCS private content with Fastly, create two headers: a Date header (required for the Authorization signature) and an Authorization header.

Create a Date header

  1. Log in to the Fastly application.
  2. Click the configure tab to access the control panel.

  3. Select the appropriate service from the Service menu.

  4. Click the blue Configure button to the right of the service name.

  5. Click Content from the section list on the left.

  6. In the Headers area, click the New button to create a new header. The New Header window appears.

  7. Fill out the New Header window as follows:

    • In the Name field, type Date.
    • From the Type/Action menus, select Request and Set.
    • In the Destination field, type http.Date.
    • In the Source field type now.
    • From the Ignore if Set menu, select No.
    • In the Priority field, type 10.
  8. Click the Create button. A new Date header appears in the Headers area of the Content section. You will use this later within the Signature of the Authorization header.

Create an Authorization header

  1. Click the New button again to create another new header.

  2. Fill out the New Header window as follows:

    • In the Name field, type Authorization.
    • From the Type/Action menus, select Request and Set.
    • In the Destination field, type http.Authorization.
    • From the Ignore if Set menu, select No.
    • In the Priority field, type 20.
  3. In the Source field, type the header authorization information using the following format:

      "AWS <access key>:" digest.hmac_sha1_base64("<GCS secret>", req.request LF LF LF req.http.Date LF "/<GCS bucket name>" req.url.path)
    

    replacing <access key>, <GCS secret>, and <GCS bucket name> with the information you gathered before you began. For example:

      "AWS GOOGQORE5WOJJHLXH6OD:" digest.hmac_sha1_base64("oQb0hdmaxFOc5UmC6F833Cde0+ghRSgsr7CCnX62", req.request LF LF LF req.http.Date LF "/test123" req.url.path)
    
  4. Click the Create button. A new Authorization header appears in the Headers area of the Content section.

A detailed look at the Source field

So what's going on in the Source field of the Authorization header? Here's the basic format:

AWS<access key><signature function><key><message>

It tells us the following:

Element | Description
AWS | A constant placed before the access key. It's always AWS.
access key | The access key ID from your GCS developer's account. We used GOOGQORE5WOJJHLXH6OD in this example.
signature function | The algorithm used to validate the key and message of the signature. We used digest.hmac_sha1_base64(<key>, <message>) in this example.
key | The secret key ID from your GCS developer's account. We used oQb0hdmaxFOc5UmC6F833Cde0+ghRSgsr7CCnX62 in this example.
message | The UTF-8 encoding of the StringToSign. See the table below for a breakdown of each portion of the message.

The message that's part of the Source field in the Authorization header takes on this basic format:

<HTTP-verb><\n><Content-MD5><\n><Content-Type><\n><Date><\n><CanonicalExtensionHeaders><\n><CanonicalizedResource>

It tells us the following:

Element | Description
HTTP-verb | The REST verb. We use req.request in this example.
\n | A newline indicator constant. It's always \n.
Content-MD5 | The content-md5 header value, used as a message integrity check. It's often left blank. We use LF (line feed) in this example.
Content-Type | The content-type header value, used to specify the MIME-type. It's often left blank. We use LF in this example.
Date | The date and time stamp. We use req.http.Date (which we created first as a separate header in the steps above).
CanonicalExtensionHeaders | The x-amz- or x-goog- headers, which customize your GCS implementation. It's often left blank. We use LF in this example.
CanonicalizedResource | Your GCS resource path name. We're concatenating GCS bucket name "/test123" with object path req.url.path in this example.
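
To check offline what the Authorization header should contain for a given request, the Source field expression can be reproduced outside of VCL. The Python below is an added example, not Fastly's or Google's code: it mirrors the expression using the sample access key, secret, and bucket shown on this page, while the date string and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Sample values printed on this page (documentation examples).
ACCESS_KEY = "GOOGQORE5WOJJHLXH6OD"
SECRET = "oQb0hdmaxFOc5UmC6F833Cde0+ghRSgsr7CCnX62"
BUCKET = "test123"
# Constructed sample of the Date header that the Date rule sets from `now`.
SAMPLE_DATE = "Tue, 01 Jan 2030 00:00:00 GMT"


def hmac_sha1_base64(key: str, message: str) -> str:
    """Python counterpart of VCL digest.hmac_sha1_base64(<key>, <message>)."""
    mac = hmac.new(key.encode("utf-8"), message.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def string_to_sign(verb: str, date: str, bucket: str, path: str) -> str:
    """Mirror of: req.request LF LF LF req.http.Date LF "/<bucket>" req.url.path

    Content-MD5, Content-Type and the extension headers are left empty,
    as in the page's example. `path` is the URL path only (no query string).
    """
    return f"{verb}\n\n\n{date}\n/{bucket}{path}"


def authorization_header(access_key, secret, verb, date, bucket, path) -> str:
    """Build the value placed in http.Authorization."""
    message = string_to_sign(verb, date, bucket, path)
    return f"AWS {access_key}:" + hmac_sha1_base64(secret, message)


def header_matches(header, access_key, secret, verb, date, bucket, path) -> bool:
    """Recompute the header for a request and compare in constant time."""
    expected = authorization_header(access_key, secret, verb, date, bucket, path)
    return hmac.compare_digest(header.encode(), expected.encode())


if __name__ == "__main__":
    hdr = authorization_header(ACCESS_KEY, SECRET, "GET", SAMPLE_DATE, BUCKET, "/index.html")
    print(repr(string_to_sign("GET", SAMPLE_DATE, BUCKET, "/index.html")))
    print(hdr)
    # The signature covers verb, date, bucket and path; changing any one breaks the match.
    for verb, date, path in [("GET", SAMPLE_DATE, "/index.html"),
                             ("GET", SAMPLE_DATE, "/other.html"),
                             ("PUT", SAMPLE_DATE, "/index.html"),
                             ("GET", "Wed, 02 Jan 2030 00:00:00 GMT", "/index.html")]:
        print(verb, path, date, header_matches(hdr, ACCESS_KEY, SECRET, verb, date, BUCKET, path))
```

Only the first row of the loop matches, which shows that the Date header value used in the signature must be the same one sent with the request to GCS.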