If you configure a private Object Storage Service (OSS) bucket as your origin server, we recommend that you grant Alibaba Cloud CDN permissions to access the OSS bucket and enable the private bucket access feature. This feature can be used for access authentication and to protect origin servers from unauthorized access. This way, Alibaba Cloud Content Delivery Network (CDN) can accelerate the delivery of resources in the private OSS bucket.
Usage notes
The first time you use this feature, you need to grant CDN read-only permissions on all OSS buckets in your account. By default, this feature uses temporary Security Token Service (STS) tokens to access OSS buckets. You cannot use this feature to write or delete objects in OSS buckets by using PUT requests.
If you configure a permanent security token, you need to restrict the token from being used to write or delete objects in OSS buckets by using PUT requests when you apply for the token. For information about how to access OSS by using a RAM user, see Access OSS by using a RAM user.
After you grant read-only permissions to Alibaba Cloud CDN and enable the private bucket access feature for an accelerated domain name, you can access all resources in your private buckets by using the accelerated domain name. Proceed with caution when you use this feature. If the private OSS bucket stores content other than what is intended for the visitors of the website, do not grant Alibaba Cloud CDN permissions on your private OSS bucket or enable the private bucket access feature.
If your website is vulnerable to attacks, purchase an Anti-DDoS service. In addition, proceed with caution when you grant Alibaba Cloud CDN permissions on private OSS buckets or enable access to private OSS buckets.
Access to private OSS buckets conflicts with the settings of the default homepage of the static website that is hosted on OSS. If you want to enable both features, see Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?
After you enable the private bucket access feature, points of presence (POPs) add the Authorization header to origin requests. The value of the header is the authentication signature for accessing private OSS buckets. An origin request that retrieves resources from an OSS bucket cannot include a signature in both the Authorization header and URL parameters. If an origin request includes the Authorization header and URL parameters that are used for signature authentication, which are usually generated by the client, such as Expires, Signature, and OSSAccessKeyId, OSS authentication fails. You can use features such as hotlink protection and URL signing that are provided by Alibaba Cloud CDN to protect resources from unauthorized access. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection and Configure URL signing.
Enable access to private OSS buckets
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage.
In the left-side navigation tree of the domain name, click Origin Fetch.
Optional. Perform this operation the first time you use this feature. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize. Then, click Confirm Authorization Policy.
Note: If you fail to grant permissions on private OSS buckets by using the CDN console, you can grant permissions on private OSS buckets by using the RAM console. For more information, see Grant permissions on private OSS buckets by using the RAM console.
In the Alibaba Cloud OSS Private Bucket Access section, turn on Alibaba Cloud OSS Private Bucket Access.
Note: You only need to complete the preceding steps if you want to authorize Alibaba Cloud CDN to access unencrypted objects in a private OSS bucket. If you want Alibaba Cloud CDN to access OSS objects that are encrypted by using Key Management Service (KMS), you need to first attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole. For more information, see Attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.
In the Alibaba Cloud OSS Private Bucket Access dialog box that appears, select a type and click OK.
The dialog box provides the following parameters:
Type: Select one of the following options.
Bucket in the Same Account: The system automatically configures a security token issued by STS. However, Alibaba Cloud CDN can access only private OSS buckets in the same Alibaba Cloud account.
Bucket Across Accounts or in the Same Account: You need to configure a permanent security token. This way, Alibaba Cloud CDN can retrieve content not only from private OSS buckets in the same Alibaba Cloud account, but also from private OSS buckets across Alibaba Cloud accounts.
AccessKey ID: The AccessKey ID of the Alibaba Cloud account to which the private OSS bucket belongs. For more information, see Create an AccessKey pair.
AccessKey Secret: The AccessKey secret of the Alibaba Cloud account to which the private OSS bucket belongs.
Optional. Attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role AliyunCDNAccessingPrivateOSSRole.
Click Grant Permission. In the Grant Permission panel, the Principal field is automatically filled in.
In the Policy section, select System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected Policy list.
Click Grant permissions. Completed is displayed.
Click Close.
Grant permissions on private OSS buckets by using the RAM console
If you fail to grant permissions on private OSS buckets by using the Alibaba Cloud CDN console, you can grant permissions on private OSS buckets by using the RAM console.
Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
Click the JSON tab. In the policy editor, enter the following policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:List*",
        "oss:Get*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Click Next to edit policy information, configure the following parameters, and then click OK.
Name: AliyunCDNAccessingPrivateOSSRolePolicy.
Description: The policy that you want to attach to the RAM role, including read-only permissions on OSS buckets.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
In the Select Trusted Entity section, select Alibaba Cloud Account and click Next.
In the Configure Role step, enter the following information:
RAM Role Name: AliyunCDNAccessingPrivateOSSRole.
Note: By default, Alibaba Cloud CDN and DCDN use this role to access private OSS buckets.
In the Select Trusted Alibaba Cloud Account section, select Current Alibaba Cloud Account and click OK.
After you create the role, click AliyunCDNAccessingPrivateOSSRole on the Roles page.
On the Trust Policy tab, click Edit Trust Policy, enter the following information, and then click Save trust policy document.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cdn.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
On the Permissions tab, click Grant Permission.
In the Resource Scope section, select Account.
In the Policy section, select Custom Policy, select the AliyunCDNAccessingPrivateOSSRolePolicy policy that you created, and then click Grant permissions.
Go to the Origin Fetch page in the Alibaba Cloud CDN console. You can see that the role is authorized to use the Alibaba Cloud OSS Private Bucket Access feature.
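The following audit script is an added example, not Alibaba Cloud's own tooling. It checks the two policy documents from the procedure above (copied here as strings so the check runs offline) against the requirements the page states: the permission policy attached to AliyunCDNAccessingPrivateOSSRole may grant only oss:Get* and oss:List* actions, and the trust policy may let only the cdn.aliyuncs.com service assume the role. The account ID in the negative test case is a placeholder. In practice you would paste the documents shown for the role in the RAM console.

```python
import json

# Constructed copies of the two documents from the procedure above, embedded
# so the audit runs offline.
PERMISSION_POLICY = """
{
  "Version": "1",
  "Statement": [
    { "Action": ["oss:List*", "oss:Get*"], "Resource": "*", "Effect": "Allow" }
  ]
}
"""

TRUST_POLICY = """
{
  "Statement": [
    { "Action": "sts:AssumeRole", "Effect": "Allow",
      "Principal": { "Service": ["cdn.aliyuncs.com"] } }
  ],
  "Version": "1"
}
"""

# Only these OSS action families are read-only. Anything else granted to the
# CDN role (oss:Put*, oss:Delete*, oss:*, "*", ...) breaks the read-only
# requirement the page sets for this role.
READ_ONLY_PREFIXES = ("oss:Get", "oss:List")


def _as_list(value):
    """RAM accepts a string or a list in Action/Service fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_permission_policy(document: str) -> list:
    """Return a finding for every allowed action that is not an OSS read action."""
    findings = []
    for stmt in _as_list(json.loads(document).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if not action.startswith(READ_ONLY_PREFIXES):
                findings.append(f"non-read-only action allowed: {action}")
    return findings


def audit_trust_policy(document: str, expected_service: str = "cdn.aliyuncs.com") -> list:
    """Return a finding for every principal other than the CDN service that may assume the role."""
    findings = []
    for stmt in _as_list(json.loads(document).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"unexpected principal value in trust policy: {principal!r}")
            continue
        for principal_type in principal:
            if principal_type != "Service":
                findings.append(f"unexpected principal type in trust policy: {principal_type}")
        for service in _as_list(principal.get("Service")):
            if service != expected_service:
                findings.append(f"unexpected service may assume the role: {service}")
    return findings


if __name__ == "__main__":
    checks = (
        ("permission policy", audit_permission_policy(PERMISSION_POLICY)),
        ("trust policy", audit_trust_policy(TRUST_POLICY)),
    )
    for name, findings in checks:
        print(name, "OK" if not findings else findings)
```

Both functions return an empty list for the documents shown in the procedure. Re-run the audit whenever the role is changed, for example after the optional AliyunKMSCryptoUserAccess step, so that a later edit cannot quietly widen the role to write or delete access or let another principal assume it.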
Revoke permissions on private OSS buckets
If you do not want Alibaba Cloud CDN to have permissions on private OSS buckets, you can revoke the permissions of the corresponding role in the RAM console.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, click AliyunCDNAccessingPrivateOSSRole.
Revoke all permissions from the role AliyunCDNAccessingPrivateOSSRole.
Find the policy that you want to manage and click Revoke Permission in the Actions column.
In the Revoke Permission message, click Revoke Permission.
Choose .
Find AliyunCDNAccessingPrivateOSSRole and click Delete Role in the Actions column.
In the Delete Role dialog box, enter AliyunCDNAccessingPrivateOSSRole, and click Delete Role.
References
For information about how to use Alibaba Cloud CDN to accelerate the delivery of resources from OSS buckets, see Use Alibaba Cloud CDN to accelerate the delivery of resources from OSS buckets.
After you enable access to private buckets, the error message "You are forbidden to list buckets" may be displayed when you access the Alibaba Cloud CDN-accelerated domain name. For more information about how to fix the error, see A "You are forbidden to list buckets" error is displayed when accessing the Alibaba Cloud Content Delivery Network accelerated domain name after private OSS bucket origin fetch is enabled.
After you enable access to private buckets, Alibaba Cloud CDN includes signature information in the requests that retrieve content from the private buckets by default for non-anonymous access. However, to access the default homepage configured by using static website hosting, the request must be anonymous. For more information, see Why am I unable to access the default homepage of a bucket when I retrieve an object from a private bucket by using Alibaba Cloud CDN?