The simplest thing to do is to create signed URLs (same as what you would do on AWS S3 buckets).

The URL can be for the entire bucket or for specific objects within the bucket (provide fine grained access is enabled for the bucket).