You can add an Alibaba Cloud Object Storage Service (OSS) or AWS Simple Storage Service (AWS S3) bucket as an origin server of a Dynamic Content Delivery Network (DCDN) website by using a DNS CNAME record or including the origin server in the origin pool of the website. This topic describes how to configure an OSS or AWS S3 bucket as an origin server of a DCDN website.
Usage notes
You can protect your resources by configuring Web Application Firewall (WAF) settings in DCDN, such as Referer whitelists, Referer blacklists, and rate limiting rules. For more information, see WAF.
Configure an OSS origin server
Usage notes
After you authorize DCDN to fetch content from a private OSS bucket within the same account or a different account, all resources in the bucket become accessible through the DCDN-accelerated domain name. Before you grant such origin fetch authorization, evaluate whether it is needed for your business. If the private OSS bucket stores content other than what is intended for the visitors of the website, do not authorize DCDN to access the bucket.
If you want to authorize DCDN to fetch content from a private OSS bucket that belongs to another Alibaba Cloud account, do not grant the write or delete operations on the bucket to RAM users. For more information about how to grant a RAM user permissions to access OSS, see Access OSS by using a RAM user.
Fetching content from a private OSS bucket conflicts with the default homepage settings of static website hosting for the private OSS bucket. To use DCDN to accelerate access to a private bucket for which static website hosting is configured, see instructions in Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?
An OSS origin server qualifies for OSS origin traffic discounts. For more information, see Billing overview.
Procedure
When you map an OSS bucket to the DCDN website by adding a CNAME record or including the bucket in the origin pool, set the origin server type to OSS. For more information, see Add DNS records or Create an origin pool.
For Access Type, select Public Access, Private Access (Same-account), or Private Access (Cross-account), depending on the access control list (ACL) and owning account of the bucket.
If you select Public Access, enter the public domain name of the bucket in the OSS Bucket field. In this case, you do not need to complete authorization. For more information about bucket domain names, see Endpoints and domain names.
If you select Private Access (Same-account) or Private Access (Cross-account), configure authorization and authentication by using the following steps.
Private Access (Same-account)
When you configure DCDN to fetch content from a private bucket in the same account, security tokens are automatically issued by Security Token Service (STS).
The first time you authorize DCDN to access a private OSS bucket within the same account, you must attach the default policy to the default role for this type of access. The default policy allows DCDN to access all OSS buckets within the same account in read-only mode by using security tokens.
In the Authorization section, click Authorize. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
Note: If you cannot complete the authorization by clicking the Authorize button in the DCDN console, try performing the authorization in the Resource Access Management (RAM) console. For more information, see Use the RAM console to authorize DCDN to access private OSS buckets in the same account.
After the authorization is successful, select the domain name of the bucket from the OSS Bucket drop-down list.
Note: The previous authorization configuration allows DCDN to fetch only unencrypted data from the private bucket. To configure DCDN to fetch both encrypted and unencrypted data from the bucket, you must additionally attach the AliyunKMSCryptoUserAccess policy to the AliyunDCDNAccessingPrivateOSSRole role. For more information, see Configure access to private OSS buckets.
Private Access (Cross-account)
To authorize DCDN to access a private bucket that belongs to another Alibaba Cloud account, you must provide a long-term AccessKey pair.
Parameter | Description |
Access Type | Select Private Access (Cross-account). |
OSS Bucket | Enter the public domain name of the bucket in the OSS Bucket field. For more information about bucket domain names, see Endpoints and domain names. |
AccessKey ID | Specify the AccessKey ID of the Alibaba Cloud account to which the private OSS bucket belongs. For more information, see Create an AccessKey pair. |
AccessKey Secret | Specify the AccessKey secret of the Alibaba Cloud account to which the private OSS bucket belongs. |
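The usage notes above advise against granting write or delete permissions to the RAM user whose AccessKey pair is entered for cross-account access. The following added example (not Alibaba Cloud's code) checks a RAM policy for exactly that: every Allow statement must grant only read actions and only on the origin bucket. The bucket name and the two sample policies are constructed for illustration.

```python
"""Least-privilege check for the RAM user behind a cross-account OSS origin."""
# Added example, not Alibaba Cloud's code. The RAM user whose AccessKey pair
# is handed to DCDN should be able to read the bucket and nothing more. The
# policy layout follows Alibaba Cloud RAM policy syntax; bucket names and
# policies are constructed samples.

# Assumption: origin fetch only needs to read objects (and list them).
READ_ONLY_ACTIONS = {"oss:GetObject", "oss:ListObjects"}


def _as_list(value):
    """RAM allows Action/Resource as a single string or a list."""
    return value if isinstance(value, list) else [value]


def check_read_only_oss_policy(policy, bucket):
    """Return findings for every Allow grant that is not read-only and bucket-scoped."""
    findings = []
    allowed_resources = {f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"}
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        for action in _as_list(statement.get("Action", [])):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {index}: action {action} allows more than read")
        for resource in _as_list(statement.get("Resource", [])):
            if resource not in allowed_resources:
                findings.append(f"statement {index}: resource {resource} is not scoped to {bucket}")
    return findings


# Constructed sample: the scoped, read-only grant DCDN origin fetch needs.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:example-site-assets", "acs:oss:*:*:example-site-assets/*"],
    }],
}

# Constructed sample: the broad grant the usage notes warn against.
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, check_read_only_oss_policy(policy, "example-site-assets") or "OK")
```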
Use the RAM console to authorize DCDN to access private OSS buckets in the same account
Revoke authorization of DCDN access to private buckets
Configure an AWS S3 origin server
Procedure
When you map an AWS S3 bucket to the DCDN website by adding a CNAME record or including the bucket in the origin pool, set the origin server type to S3-compatible. For more information, see Add DNS records or Create an origin pool.
For Access Type, select Public Access or Private Access.
If you select Public Access, enter the public endpoint of the bucket in the Origin Address field. In this case, you do not need to complete authorization. For more information about endpoints, see Website endpoints.
If you select Private Access, provide the following information for authorization and authentication.
Parameter | Description |
Origin Address | The public endpoint of the AWS S3 Bucket. Example: |
Signature Version | The signing protocol that is configured for the AWS S3 bucket. DCDN supports only the AWS Signature V4 protocol for AWS S3 buckets. For more information, see AWS Signature Version 4 (SigV4) authentication-specific policy keys. |
Region | The code of the region in which the AWS S3 bucket resides. Example: |
AccessKey | The access key ID of the Identity and Access Management (IAM) account that is used to access the AWS S3 bucket. For more information, see Managing access keys (console). |
SecretKey | The secret access key of the IAM account that is used to access the AWS S3 bucket. |
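The table above lists the four values DCDN needs to sign origin requests with AWS Signature Version 4. The following added example (not DCDN's or AWS's code) builds the signed headers for a GET of one object so that the endpoint, region and IAM keys can be checked outside the console before they are entered; the host, region, keys and timestamp are constructed placeholders.

```python
"""SigV4-signed GET of one S3 object, the exchange a private S3 origin requires."""
# Added example, not DCDN's or AWS's code. It shows what the Origin Address,
# Region, AccessKey and SecretKey parameters are used for under AWS Signature
# Version 4. Host, region, keys and timestamp are constructed samples.
import datetime
import hashlib
import hmac

# SHA-256 of an empty body: a GET carries no payload.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()
SAMPLE_TIME = datetime.datetime(2024, 1, 15, 12, 0, 0)


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(host, path, region, access_key, secret_key, when):
    """Return request headers for a SigV4-signed GET of `path` (already URI-encoded) on `host`."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    # Canonical request: method, URI, empty query string, headers sorted by
    # name (each followed by a newline), then the signed header list and payload hash.
    canonical_request = "\n".join([
        "GET", path, "",
        f"host:{host}",
        f"x-amz-content-sha256:{EMPTY_PAYLOAD_SHA256}",
        f"x-amz-date:{amz_date}", "",
        signed_headers, EMPTY_PAYLOAD_SHA256,
    ])
    # String to sign binds the request hash to the date, region and service.
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Signing key is derived from the secret, which itself is never sent.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                         f"SignedHeaders={signed_headers}, Signature={signature}",
    }
```

Sending these headers with a GET to https://host/path returns the object when the keys are valid and the IAM policy allows s3:GetObject on the bucket; a 403 with SignatureDoesNotMatch usually means the Region or SecretKey entered does not match the bucket.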