
CDN: Configure access to private OSS buckets

Last Updated: Nov 12, 2024

If you configure a private Object Storage Service (OSS) bucket as your origin server, we recommend that you grant Alibaba Cloud CDN permissions to access the OSS bucket and enable the private bucket access feature. This feature can be used for access authentication and to protect origin servers from unauthorized access. This way, Alibaba Cloud CDN can accelerate the delivery of resources in the private OSS bucket.

Usage notes

  • The first time you use this feature, you need to grant Alibaba Cloud CDN read-only permissions on all OSS buckets in your account. By default, this feature uses temporary Security Token Service (STS) tokens to access OSS buckets. You cannot use this feature to write or delete objects in OSS buckets by using PUT requests.

  • If you configure a permanent security token, restrict it when you apply for it so that it cannot be used to write or delete objects in OSS buckets by using PUT requests. For information about how to access OSS by using a RAM user, see Access OSS by using a RAM user.

  • After you grant read-only permissions to Alibaba Cloud CDN and enable the private bucket access feature for an accelerated domain name, every resource in your private buckets becomes reachable through that accelerated domain name. Proceed with caution when you use this feature. If a private OSS bucket stores content other than what is intended for visitors of the website, do not grant Alibaba Cloud CDN permissions on that bucket or enable the private bucket access feature.

  • If your website is vulnerable to attacks, purchase an Anti-DDoS service. In addition, proceed with caution when you grant Alibaba Cloud CDN permissions on private OSS buckets or enable access to private OSS buckets.

  • Access to private OSS buckets conflicts with the settings of the default homepage of the static website that is hosted on OSS. If you want to enable both features, see Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?

  • After you enable the private bucket access feature, points of presence (POPs) add an Authorization header to origin requests; its value is the authentication signature for accessing the private OSS bucket. An origin request that retrieves resources from an OSS bucket cannot carry a signature in both the Authorization header and URL parameters. If an origin request includes the Authorization header together with URL signature parameters, which are usually generated by the client, such as Expires, Signature, and OSSAccessKeyId, OSS authentication fails.

  • You can use features such as hotlink protection and URL signing that are provided by Alibaba Cloud CDN to protect resources from unauthorized access. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection and Configure URL signing.
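The signature conflict described in the notes above can be checked mechanically before a request is forwarded to OSS or when an origin-fetch failure is being investigated. The following Python is an added example, not code from the Alibaba Cloud documentation: the three parameter names come from the note above, while the hostnames, header values, sample requests and the function names (`check_origin_request`, `audit`) are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# URL-signature query parameters named in the usage notes above. A request
# that carries these AND an Authorization header fails OSS authentication.
OSS_URL_SIGNATURE_PARAMS = {"Expires", "Signature", "OSSAccessKeyId"}


def url_signature_params(url):
    """Return the OSS URL-signature parameters present in the URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(OSS_URL_SIGNATURE_PARAMS & set(query))


def has_authorization_header(headers):
    """HTTP header names are case-insensitive, so normalise before comparing."""
    return any(name.lower() == "authorization" for name in headers)


def check_origin_request(url, headers, private_bucket_access):
    """Classify one origin request by how it is (or is not) signed.

    private_bucket_access: True if the feature is on for the accelerated
    domain name, in which case the POP adds an Authorization header (the
    header-based signature) before the request reaches OSS.
    Returns a list of findings; an empty list means the request is consistent.
    """
    findings = []
    sig_params = url_signature_params(url)
    header_signed = private_bucket_access or has_authorization_header(headers)
    if header_signed and sig_params:
        findings.append(
            "conflict: Authorization header plus URL signature parameters "
            + ", ".join(sig_params)
        )
    if not header_signed and not sig_params:
        findings.append("unsigned: a private bucket rejects anonymous reads")
    return findings


def audit(requests):
    """Run the check over (url, headers, private_bucket_access) tuples and
    return {url: findings} for the requests that have at least one finding."""
    report = {}
    for url, headers, private in requests:
        findings = check_origin_request(url, headers, private)
        if findings:
            report[url] = findings
    return report


# Constructed sample requests; bucket name, endpoint and values are placeholders.
SAMPLE_REQUESTS = [
    # client-signed URL forwarded to a private bucket with the feature enabled
    ("https://example-bucket.oss-cn-hangzhou.aliyuncs.com/img/a.png"
     "?Expires=1700000000&OSSAccessKeyId=PLACEHOLDER&Signature=PLACEHOLDER",
     {"Host": "example-bucket.oss-cn-hangzhou.aliyuncs.com"}, True),
    # plain request; the POP supplies the Authorization header
    ("https://example-bucket.oss-cn-hangzhou.aliyuncs.com/img/b.png",
     {"Host": "example-bucket.oss-cn-hangzhou.aliyuncs.com"}, True),
    # feature disabled and nothing signed: a private bucket rejects this read
    ("https://example-bucket.oss-cn-hangzhou.aliyuncs.com/img/c.png",
     {"Host": "example-bucket.oss-cn-hangzhou.aliyuncs.com"}, False),
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_REQUESTS).items():
        print(url, "->", "; ".join(findings))
```

Run stand-alone, the block reports the first sample request as a conflict and the third as unsigned; the second is the only shape that works with the feature enabled. The same check applied to origin access logs tells you quickly whether a burst of OSS 403 responses after enabling the feature is caused by clients that still append their own signed parameters.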

Enable access to private OSS buckets

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Manage.

  4. In the left-side navigation tree of the domain name, click Origin Fetch.

  5. Optional. Perform this operation the first time you use this feature. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize. Then, click Confirm Authorization Policy.


    Note

    If you fail to grant permissions on private OSS buckets by using the CDN console, you can grant permissions on private OSS buckets by using the RAM console. For more information, see Grant permissions on private OSS buckets by using the RAM console.

  6. In the Alibaba Cloud OSS Private Bucket Access section, turn on Alibaba Cloud OSS Private Bucket Access.

    Note

    The preceding steps are sufficient only if Alibaba Cloud CDN needs to access unencrypted objects in a private OSS bucket. If you want Alibaba Cloud CDN to access OSS objects that are encrypted by using Key Management Service (KMS), you must first attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole. For more information, see Attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.

  7. In the Alibaba Cloud OSS Private Bucket Access dialog box that appears, select a type and click OK.


    Parameters:

    Type:

    • Bucket in the Same Account: The system automatically configures a security token issued by STS. However, Alibaba Cloud CDN can access only private OSS buckets in the same Alibaba Cloud account.

    • Bucket Across Accounts or in the Same Account: You need to configure a permanent security token. This way, Alibaba Cloud CDN can retrieve content not only from private OSS buckets in the same Alibaba Cloud account, but also from private OSS buckets in other Alibaba Cloud accounts.

    AccessKey ID: The AccessKey ID of the Alibaba Cloud account to which the private OSS bucket belongs. For more information, see Create an AccessKey pair.

    AccessKey Secret: The AccessKey secret of the Alibaba Cloud account to which the private OSS bucket belongs.

  8. Optional. Attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, find the RAM role AliyunCDNAccessingPrivateOSSRole.

    4. Click Grant Permission. In the Grant Permission panel, the Principal field is automatically filled in.

    5. In the Policy section, select System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected Policy list.

    6. Click Grant permissions. Completed is displayed.

    7. Click Close.


Grant permissions on private OSS buckets by using the RAM console

If you fail to grant permissions on private OSS buckets by using the Alibaba Cloud CDN console, you can grant permissions on private OSS buckets by using the RAM console.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

    1. Click the JSON tab. In the policy editor, enter the following policy content:

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "oss:List*",
                      "oss:Get*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
    2. Click Next to edit policy information, configure the following parameters, and then click OK.

      Name: AliyunCDNAccessingPrivateOSSRolePolicy.

      Description: The policy that you want to attach to the RAM role, including read-only permissions on OSS buckets.

  4. In the left-side navigation pane, choose Identities > Roles.

    1. On the Roles page, click Create Role.

    2. In the Select Trusted Entity section, select Alibaba Cloud Account and click Next.

    3. In the Configure Role step, enter the following information:

      RAM Role Name: AliyunCDNAccessingPrivateOSSRole.

      Note: By default, Alibaba Cloud CDN and DCDN use this role to access private OSS buckets.

    4. In the Select Trusted Alibaba Cloud Account section, select Current Alibaba Cloud Account and click OK.

  5. After you create the role, click AliyunCDNAccessingPrivateOSSRole on the Roles page.

    1. On the Trust Policy tab, click Edit Trust Policy, enter the following information, and then click Save trust policy document.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "cdn.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    2. On the Permissions tab, click Grant Permission.

      In the Resource Scope section, select Account.

      In the Policy section, select Custom Policy, select the AliyunCDNAccessingPrivateOSSRolePolicy policy that you created, and then click Grant permissions.

  6. Go to the Origin Fetch page in the Alibaba Cloud CDN console. You can see that the role is authorized to use the Alibaba Cloud OSS Private Bucket Access feature.
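Before attaching the policy and trust policy from this procedure, it is worth verifying them mechanically: that the role receives only oss:List* and oss:Get* actions (the read-only restriction the usage notes call for), that the account-wide Resource "*" is a deliberate choice, and that only cdn.aliyuncs.com is allowed to assume the role. The following Python is an added example, not Alibaba Cloud's code. It embeds the two policy documents shown above verbatim; the function names are assumptions, and the bucket-scoped variant produced by `scope_to_bucket` uses the OSS resource ARN form acs:oss:*:*:<bucket> with a placeholder bucket name, a narrowing that the page itself does not describe.

```python
import json

# The two policy documents from the procedure above.
CDN_ROLE_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Action": ["oss:List*", "oss:Get*"], "Resource": "*", "Effect": "Allow"}
    ]
}
""")

CDN_ROLE_TRUST_POLICY = json.loads("""
{
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["cdn.aliyuncs.com"]}}
    ],
    "Version": "1"
}
""")

# Only these OSS action prefixes are read-only.
READ_ONLY_PREFIXES = ("oss:List", "oss:Get")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; always work with a list."""
    return value if isinstance(value, list) else [value]


def non_read_actions(policy):
    """Allowed actions that are not oss:List*/oss:Get*. A bare "*" or an
    oss:Put*/oss:Delete* action here would let the role write or delete objects."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        found.extend(a for a in _as_list(stmt["Action"])
                     if not a.startswith(READ_ONLY_PREFIXES))
    return found


def wildcard_resource_statements(policy):
    """Allow statements with Resource "*": they reach every bucket in the account."""
    return [stmt for stmt in policy["Statement"]
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt["Resource"])]


def scope_to_bucket(policy, bucket):
    """Return a copy whose wildcard resources are narrowed to one bucket and the
    objects in it. ARN form acs:oss:*:*:<bucket> assumed; <bucket> is a placeholder."""
    scoped = json.loads(json.dumps(policy))  # deep copy, original left untouched
    for stmt in scoped["Statement"]:
        if "*" in _as_list(stmt["Resource"]):
            stmt["Resource"] = ["acs:oss:*:*:" + bucket, "acs:oss:*:*:" + bucket + "/*"]
    return scoped


def trusted_services(trust_policy):
    """Service principals allowed to call sts:AssumeRole on the role."""
    services = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            services.extend(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return services


def audit_cdn_role(policy, trust_policy, expected_service="cdn.aliyuncs.com"):
    """Collect the findings a reviewer would raise before attaching the policy."""
    findings = []
    for action in non_read_actions(policy):
        findings.append("write-capable action: " + action)
    if wildcard_resource_statements(policy):
        findings.append('Resource "*": role can read every OSS bucket in the account')
    for service in trusted_services(trust_policy):
        if service != expected_service:
            findings.append("unexpected trusted service: " + service)
    return findings


if __name__ == "__main__":
    for finding in audit_cdn_role(CDN_ROLE_POLICY, CDN_ROLE_TRUST_POLICY):
        print(finding)
    print(json.dumps(scope_to_bucket(CDN_ROLE_POLICY, "example-bucket"), indent=2))
```

Run against the page's own documents, the audit reports a single finding, the account-wide Resource "*", which matches the warning in the usage notes that the role can read every bucket. The scoped variant is what you would attach instead when only one bucket is meant to be served through the accelerated domain name.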

Revoke permissions on private OSS buckets

If you do not want Alibaba Cloud CDN to have permissions on private OSS buckets, you can revoke the permissions of the corresponding role in the RAM console.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click AliyunCDNAccessingPrivateOSSRole.


  4. Revoke all permissions from the role AliyunCDNAccessingPrivateOSSRole.

    1. Find the policy that you want to manage and click Revoke Permission in the Actions column.

    2. In the Revoke Permission message, click Revoke Permission.

  5. Choose Identities > Roles.

    1. Find AliyunCDNAccessingPrivateOSSRole and click Delete Role in the Actions column.

    2. In the Delete Role dialog box, enter AliyunCDNAccessingPrivateOSSRole, and click Delete Role.
