How can I access static data from a GCP private bucket using Google Cloud CDN with ALB IP

I’m trying to serve static content from a Google Cloud Storage (GCS) private bucket via Google Cloud CDN and an HTTPS Load Balancer. I’ve attached my custom domain and set up the load balancer, but I can’t access the static files. I’ve tried:

  • Granting Storage Object Viewer and Storage Legacy Object Reader to the load balancer’s service account.

  • Setting the backend bucket in the load balancer.

  • Disabling/enabling Cloud CDN.

  • The domain is properly attached and SSL is active.

Still, I get a 403 Forbidden or 404 Not Found error when trying to access files via the domain.

Opening the domain shows:

    This XML file does not appear to have any style information associated with it. The document tree is shown below.

    Error
      AccessDenied
      Access denied
    Error

What is the correct way to configure a private GCS bucket with Google Cloud CDN and load balancer while keeping the bucket private but accessible via the custom domain?
I am trying to access example.com/data/* but get the above error.

Thanks in advance!

Hi @HadeedDevops,
To serve static content from a private GCS bucket behind Cloud CDN + HTTPS Load Balancer, follow these steps:

  1. Create a backend bucket pointing to the private GCS bucket.

  2. Set an “Origin Access Identity” (signed URL or signed cookie setup) — GCP calls this “signed requests” — to allow the load balancer to access the private bucket.

  3. Ensure the bucket has “Uniform bucket-level access” enabled.

  4. Grant “Storage Object Viewer” role to the load balancer’s service account at the bucket level, not just project.

  5. Use signed URLs or signed cookies to let clients access content without opening the bucket to the public.

Without signed access, the bucket will block requests even if the load balancer and CDN are correctly set.

There is no service account appearing for the load balancers. The load balancer is currently using the Network Admin service account. I have already granted the required permissions, including Storage Admin and Viewer roles. However, at step 5, I encountered an error. Since I am operating within the organization with full access (Admin and Owner roles), I am unsure what the issue might be. Would it be possible to have a quick Google Meet call so you can assist and guide me through this?

This seems like a common pattern to serve a static website from a private bucket - why the hell is this so complex in GCP? Can someone share detailed instructions on how to set this up? I am able to set up a NEG - however, it fetches the entire bucket as a list in the browser.

I have the same problem, any solutions?

I finally found a solution using a Cloud Run service as a proxy with Nginx. This setup acts as the missing web server for the private GCS bucket.

Here’s how it works:

  • The Cloud Run proxy uses GCS FUSE (Volume Mounts) to securely mount the private bucket as a local folder.

  • Nginx receives the GCLB’s requests and applies its web server logic (like finding index.html) to serve files from that mounted folder.

The best part is the result: It’s a “Zero-Ops” solution. It’s secure, high-performance (with the GCLB’s CDN), and to update the website, you only need to sync files to the GCS bucket. You never have to redeploy this proxy.
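As an added illustration of the proxy described above (this is not the poster's own configuration), here is a minimal nginx.conf for the Cloud Run container. It assumes the private bucket is mounted read-only at /mnt/site through the Cloud Run Cloud Storage volume, and that the load balancer forwards example.com/data/* to the service; it serves index.html for directories and never returns a bucket listing (the problem noted earlier in the thread with a bare NEG).

```nginx
# Added example, not from the original thread. Assumptions: the GCS bucket is
# mounted read-only at /mnt/site (Cloud Run Cloud Storage volume / GCS FUSE)
# and the GCLB routes example.com/data/* to this Cloud Run service.
worker_processes 1;
events { worker_connections 1024; }

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;            # do not advertise the nginx version

    server {
        # Cloud Run sends traffic to the container port (8080 by default)
        listen 8080;
        server_name _;

        # Only the bucket contents under /data/ are reachable from outside
        location /data/ {
            alias /mnt/site/;     # /data/foo/ -> /mnt/site/foo/
            autoindex off;        # never expose a directory/bucket listing
            index index.html;     # web-server logic the raw bucket lacks
            # objects that do not exist simply return 404, not GCS's XML error
            add_header Cache-Control "public, max-age=3600";  # cacheable by Cloud CDN
        }

        # Everything else is not backed by the bucket
        location / {
            return 404;
        }
    }
}
```

The bucket itself stays private: only the Cloud Run service account (granted read access to the bucket for the FUSE mount) can reach the objects, and clients only ever see what this server block chooses to serve.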