Configure an OSS or S3 bucket as an origin server - Edge Security Acceleration

You can add an Alibaba Cloud Object Storage Service (OSS) or AWS Simple Storage Service (AWS S3) bucket as an origin server of a Dynamic Content Delivery Network (DCDN) website by using a DNS CNAME record or including the origin server in the origin pool of the website. This topic describes how to configure an OSS or AWS S3 bucket as an origin server of a DCDN website.

Usage notes

You can protect your resources by configuring Web Application Firewall (WAF) settings in DCDN, such as Referer whitelists, Referer blacklists, and rate limiting rules. For more information, see WAF.

Configure an OSS origin server

Usage notes

After you authorize DCDN to fetch content from a private OSS bucket within the same account or a different account, all resources in the bucket are accessible by using the DCDN-covered domain. Before you perform such origin fetch authorization, evaluate the need for the authorization based on your actual business requirements. If the private OSS bucket stores content other than what is intended for the visitors of the website, do not authorize DCDN to access the bucket.
If you want to authorize DCDN to fetch content from a private OSS bucket that belongs to another Alibaba Cloud account, do not grant the write or delete operations on the bucket to RAM users. For more information about how to grant a RAM user permissions to access OSS, see Access OSS by using a RAM user.
Fetching content from a private OSS bucket conflicts with the default homepage settings of static website hosting for the private OSS bucket. To use DCDN to accelerate access to a private bucket for which static website hosting is configured, see instructions in Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?
An OSS origin server qualifies for OSS origin traffic discounts. For more information, see Billing overview.

Procedure

When you map an OSS bucket to the DCDN website by adding a CNAME record or including the bucket in the origin pool, set the origin server type to OSS. For more information, see Add DNS records or Create an origin pool.

For Access Type, select Public Access, Private Access (Same-account), or Private Access (Cross-account), depending on the access control list (ACL) and owning account of the bucket.

If you select Public Access, enter the public domain name of the bucket in the OSS Bucket field. In this case, you do not need to complete authorization. For more information about bucket domain names, see Endpoints and domain names.

If you select Private Access (Same-account) or Private Access (Cross-account), configure authorization and authentication by using the following steps.

Private Access (Same-account)

When you configure DCDN to fetch content from a private bucket in the same account, security tokens are automatically issued by Security Token Service (STS).

The first time you authorize DCDN to access a private OSS bucket within the same account, you must attach the default policy to the default role for this type of access. The default policy allows DCDN to access all OSS buckets within the same account in read-only mode by using security tokens.

In the Authorization section, click Authorize. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
Note
If you cannot complete the authorization by clicking the Authorize button in the DCDN console, try performing the authorization in the Resource Access Management (RAM) console. For more information, see Use the RAM console to authorize DCDN to access private OSS buckets in the same account.
After the authorization is successful, select the domain name of the bucket from the OSS Bucket drop-down list.
Note
The previous authorization configuration allows DCDN to fetch only unencrypted data from the private bucket. To configure DCDN to fetch both encrypted and unencrypted data from the bucket, you must additionally attach the AliyunKMSCryptoUserAccess policy to the AliyunDCDNAccessingPrivateOSSRole role. Configure access to private OSS buckets
Optional. Attach the AliyunKMSCryptoUserAccess policy to the AliyunDCDNAccessingPrivateOSSRole role.
1. Log on to the RAM console.
2. In the left-side navigation pane, choose Identities > Roles.
3. In the Roles list, find the AliyunDCDNAccessingPrivateOSSRole role.
4. In the Actions column, click Grant Permission. In the Grant Permission panel, the Principal field is automatically filled in.
5. In the Policy section, select System Policy from the drop-down list next to the search box and enter AliyunKMSCryptoUserAccess in the search box. In the search result list, select the AliyunKMSCryptoUserAccess policy to add it to the Selected Policy list.
6. Click Grant permissions. Completed is displayed.
7. Click Close.

Private Access (Cross-account)

To authorize DCDN to access a private bucket that belongs to another Alibaba Cloud account, you must provide a long-term AccessKey pair.

Parameter	Description
Access Type	Select Private Access (Cross-account).
OSS Bucket	Enter the public domain name of the bucket in the OSS Bucket field. For more information about bucket domain names, see Endpoints and domain names.
AccessKey ID	Specify the AccessKey ID of the Alibaba Cloud account to which the private OSS bucket belongs. For more information, see Create an AccessKey pair.
AccessKey Secret	Specify the AccessKey secret of the Alibaba Cloud account to which the private OSS bucket belongs.

Use the RAM console to authorize DCDN to access private OSS buckets in the same account

If you cannot authorize DCDN to access a private bucket in the DCDN console, you can do it in the RAM console.

Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
1. Click the JSON tab. In the policy editor, enter the following policy content:
```
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:List*",
                "oss:Get*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```
2. Click Next to edit policy information, configure the following parameters, and then click OK.
  Name: Enter AliyunDCDNAccessingPrivateOSSRolePolicy.
  Description: Enter a policy description. For example, you can enter the "This policy grants DCDN read-only permissions on a private OSS bucket" description for the policy.
In the left-side navigation pane, choose Identities > Roles.
1. On the Roles page, click Create Role.
2. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.
3. In the Configure Role step, provide the following information:
  RAM Role Name: Enter AliyunDCDNAccessingPrivateOSSRole.
  Note: Enter a role description. For example, you can enter the "This role is used by DCDN to fetch content from a private OSS bucket" description for the role.
4. Select Current Alibaba Cloud Account for Select Trusted Alibaba Cloud Account. Then, click OK.
After the role is created, click AliyunDCDNAccessingPrivateOSSRole in the Roles list.
1. On the Trust Policy tab, click Edit Trust Policy, enter the following information, and then click Save trust policy document.
```
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dcdnnext.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```
2. On the Permissions tab, click Grant Permission. In the Grant Permission panel, configure the following settings:
  Select Account for Resource Scope.
  In the Policy section, select Custom Policy from the drop-down list next to the search box, select the AliyunDCDNAccessingPrivateOSSRolePolicy policy, and click Grant permissions.
Verify the authorization status on the CNAME record configuration page of the DCDN console. DCDN is authorized to access private OSS buckets in the same account.

Revoke authorization of DCDN access to private buckets

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
In the Roles list, click AliyunDCDNAccessingPrivateOSSRole.
Revoke all permissions granted to the AliyunDCDNAccessingPrivateOSSRole role.
1. Click Revoke Permission in the Actions column.
2. In the Revoke Permission dialog box, click Revoke Permission.
Go back to the Roles page and delete the AliyunDCDNAccessingPrivateOSSRole role.
1. Find the AliyunDCDNAccessingPrivateOSSRole role in the role list and click Delete Role in the Actions column.
2. In the Delete Role message, enter the role name and click Delete Role.

Configure an AWS S3 origin server

Procedure

When you map an AWS S3 bucket to the DCDN website by adding a CNAME record or including the bucket in the origin pool, set the origin server type to S3-compatible. For more information, see Add DNS records or Create an origin pool.
For Access Type, select Public Access or Private Access.

If you select Public Access, enter the public endpoint of the bucket in the Origin Address field. In this case, you do not need to complete authorization. For more information about endpoints, see Website endpoints.
If you select Private Access, provide the following information for authorization and authentication.

Parameter	Description
Origin Address	The public endpoint of the AWS S3 Bucket. Example: `your-bucket-name.s3.us-west-1.amazonaws.com`. For more information, see Website endpoints.
Signature Version	The signing protocol that is configured for the AWS S3 bucket. DCDN supports only the AWS Signature V4 protocol for AWS S3 buckets. For more information, see AWS Signature Version 4 (SigV4) authentication-specific policy keys.
Region	The code of the region in which the AWS S3 bucket resides. Example:`us-west-1`. For more information, see AWS service endpoints.
AccessKey	The access key ID of the Identity and Access Management (IAM) account that is used to access the AWS S3 bucket. For more information, see Managing access keys (console).
SecretKey	The secret access key of the IAM account that is used to access the AWS S3 bucket.