Cloud storage and secure download strategy on app engine. GCS acl or blobstore

Question

My appengine app creates cloudstorage files. The files will be downloaded by a third party. The files contain personal medical information.

What wo

Answer 1

If a small number of users have access to all the files in the bucket, then solution #1 would be sufficient, as managing the ACL would not be too much of a pain.

However, if you have many different users who each require different access to the different files in the bucket, then solution #1 is impractical.

I'd avoid solution #2 as well, as you'd be paying for unnecessary incoming/outgoing GAE bandwidth.

Maybe a third solution to consider, would be to use App Engine handle authentication, and write logic to determine which users have access to which files. Then, when a file is requested for download, you create Signed URLs to download the data direct from GCS. You can set the expiration parameter to a value that works for you, which would invalidate the URL after a set amount of time.