If you configure a private Object Storage Service (OSS) bucket as your origin server, we recommend that you grant Alibaba Cloud CDN permissions to access the OSS bucket and enable the private bucket access feature. This feature can be used for access authentication and to protect origin servers from unauthorized access. This way, Dynamic Content Delivery Network (DCDN) can accelerate the delivery of resources in the private OSS bucket.
Usage notes
The first time you use this feature, you need to grant DCDN read-only permissions on all OSS buckets in your account. By default, this feature uses temporary Security Token Service (STS) tokens to access OSS buckets. You cannot use this feature to write or delete objects in OSS buckets by using PUT requests.
If you configure a permanent security token, you need to restrict the token from being used to write or delete objects in OSS buckets by using PUT requests when you apply for the token. For information about how to access OSS by using a RAM user, see Access OSS by using a RAM user.
After you grant read-only permissions to Alibaba Cloud CDN and enable the private bucket access feature for an accelerated domain name, you can access all resources in your private buckets by using the accelerated domain name. Proceed with caution when you use this feature. If the private OSS bucket stores content other than what is intended for the visitors of the website, do not grant DCDN permissions on your private OSS bucket or enable the private bucket access feature.
If your website is vulnerable to attacks, purchase an Anti-DDoS service. In addition, proceed with caution when you grant Alibaba Cloud CDN permissions on private OSS buckets or enable access to private OSS buckets.
Access to private OSS buckets conflicts with the settings of the default homepage of the static website that is hosted on OSS. If you want to enable both features, see Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?
After you enable the private bucket access feature, points of presence (POPs) add the Authorization header to back-to-origin requests. The value of the header is the authentication signature for accessing private OSS buckets. A back-to-origin request that retrieves resources from OSS buckets cannot include a signature in both the header and the URL parameters. If a back-to-origin request includes the Authorization header and URL parameters that are used for signature authentication, which are usually generated by the client, such as Expires, Signature, and OSSAccessKeyId, OSS authentication fails.
After you grant DCDN permissions to access private OSS buckets, you can use features such as hotlink protection and URL signing that are provided by DCDN to protect resources from unauthorized access. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection and Configure URL signing.
Enable access to private OSS buckets
Log on to the DCDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to configure and click Configure.
In the left-side navigation tree of the domain name, click Origin Fetch.
Optional. In the Private Bucket Origin section, click Authorize, and then click Confirm Authorization Policy. This step is required only if this is your first time authorizing DCDN to access private OSS buckets.
Note: If you cannot grant permissions on private OSS buckets by using the DCDN console, you can grant permissions on private OSS buckets by using the RAM console. For more information, see Grant permissions on private OSS buckets by using the RAM console.
In the Private Bucket Origin section, turn on Private Bucket Origin.
Note: You only need to perform the preceding steps if you want to authorize DCDN to access unencrypted objects in a private OSS bucket. If you want DCDN to access OSS objects that are encrypted by using Key Management Service (KMS), you need to first attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.
Attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.
Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole.
Click Add Permissions. In the Add Permissions panel, the Principal field is automatically filled in.
Click System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected list.
Click OK.
Click Complete.
Grant permissions on private OSS buckets by using the RAM console
If you fail to grant permissions on private OSS buckets by using the DCDN console, you can grant permissions on private OSS buckets by using the RAM console.
Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the JSON tab, enter the following policy content:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:List*",
                    "oss:Get*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
Click Next to edit policy information, configure the following parameters, and then click OK.
Name: AliyunCDNAccessingPrivateOSSRolePolicy.
Description: The policy that you want to attach to the RAM role, including read-only permissions on OSS buckets.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
In the Select Trusted Entity section, select Alibaba Cloud Account and click Next.
In the Configure Role step, enter the following information:
RAM Role Name: AliyunCDNAccessingPrivateOSSRole.
Note: By default, Alibaba Cloud CDN and DCDN use this role to access private OSS buckets.
In the Select Trusted Alibaba Cloud Account section, select Current Alibaba Cloud Account and click OK.
After you create the role, click AliyunCDNAccessingPrivateOSSRole on the Roles page.
On the Trust Policy Management tab, click Edit Trust Policy, enter the following information, and then click OK.
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "cdn.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
On the Permissions tab, click Grant Permission.
In the Authorized Scope section, select Alibaba Cloud Account.
In the Select Policy section, click the Custom Policy tab, select the AliyunCDNAccessingPrivateOSSRolePolicy policy that you created, and then click OK.
Go to the Origin Fetch page in the DCDN console. You can see that the role is authorized to use the Alibaba Cloud OSS Private Bucket Access feature.
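The two policy documents in the steps above are the whole of the trust boundary: the permission policy must stay read-only (the usage notes say the role must not be able to write or delete objects), and the trust policy must let only the CDN service assume the role. The following Python script is an added example, not Alibaba Cloud's own tooling; it embeds both policies from this page as constants and audits them before they are saved in the RAM console. The write-action probe set (PutObject, DeleteObject, PutBucketAcl, DeleteBucket) and the check structure are this example's assumptions, not something the page specifies.

```python
import json
from fnmatch import fnmatchcase

# The two policy documents from the steps above, embedded as constants.
PAGE_PERMISSION_POLICY = """{ "Version": "1", "Statement": [ { "Action": [ "oss:List*", "oss:Get*" ],
"Resource": "*", "Effect": "Allow" } ] }"""
PAGE_TRUST_POLICY = """{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow",
"Principal": { "Service": [ "cdn.aliyuncs.com" ] } } ], "Version": "1" }"""

# Hypothetical probe set: write/delete actions a read-only policy must never match.
WRITE_PROBES = ("oss:PutObject", "oss:DeleteObject", "oss:PutBucketAcl", "oss:DeleteBucket")
EXPECTED_SERVICE = "cdn.aliyuncs.com"  # the only principal the trust policy should name


def _statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_permission_policy(policy_text: str) -> list:
    """Return findings for Allow actions that reach beyond OSS read access.
    An action pattern is a finding if it is not an oss: action, or if the
    wildcard would also match one of the write/delete probes."""
    findings = []
    for i, stmt in enumerate(_statements(json.loads(policy_text))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            pattern = action.lower()
            if pattern != "*" and not pattern.startswith("oss:"):
                findings.append(f"statement {i}: non-OSS action {action!r} is granted")
                continue
            hits = [p for p in WRITE_PROBES if fnmatchcase(p.lower(), pattern)]
            if hits:
                findings.append(f"statement {i}: {action!r} also grants {', '.join(hits)}")
    return findings


def audit_trust_policy(policy_text: str) -> list:
    """Return findings if anything other than the CDN service can assume the role."""
    findings = []
    for i, stmt in enumerate(_statements(json.loads(policy_text))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {i}: unexpected action {action!r} in trust policy")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: principal {principal!r} is not a Service map")
            continue
        extra = sorted(set(principal) - {"Service"})
        if extra:
            findings.append(f"statement {i}: non-service principal types {extra} can assume the role")
        for service in _as_list(principal.get("Service")):
            if service != EXPECTED_SERVICE:
                findings.append(f"statement {i}: unexpected trusted service {service!r}")
    return findings


if __name__ == "__main__":
    print("permission policy:", audit_permission_policy(PAGE_PERMISSION_POLICY) or "OK")
    print("trust policy     :", audit_trust_policy(PAGE_TRUST_POLICY) or "OK")
    # Constructed counter-example: a too-broad permission policy.
    print("oss:* policy     :", audit_permission_policy(
        '{"Version":"1","Statement":[{"Action":"oss:*","Resource":"*","Effect":"Allow"}]}'))
```

Running the script against the page's own two documents returns no findings; widening the action to oss:* or adding a RAM-account principal to the trust policy produces one finding per problem, which is the signal to stop before granting the role.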
Revoke permissions on private OSS buckets
If you do not want DCDN to have permissions on private OSS buckets, you can revoke the permissions of the corresponding role in the RAM console.
Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click AliyunCDNAccessingPrivateOSSRole.
Revoke all permissions from the role AliyunCDNAccessingPrivateOSSRole.
Find the policy that you want to manage and click Revoke Permission in the Actions column.
In the Revoke Permission dialog box, click Revoke Permission.
In the left-side navigation pane, choose Identities > Roles.
Find AliyunCDNAccessingPrivateOSSRole and click Delete Role in the Actions column.
In the Delete Role message, enter AliyunCDNAccessingPrivateOSSRole, and click OK.
References
After you enable access to private buckets, the error message "You are forbidden to list buckets" may be displayed when you access the DCDN-accelerated domain name. For more information, see A "You are forbidden to list buckets" error is displayed when accessing the Alibaba Cloud Content Delivery Network accelerated domain name after private OSS bucket back-to-origin is enabled.
After you enable access to private buckets, DCDN includes signature information in the requests that retrieve content from the private buckets by default for non-anonymous access. However, to access the default homepage configured by using static website hosting, the request must be anonymous. For more information, see Why am I unable to access the default homepage of a bucket when I retrieve an object from a private bucket by using Alibaba Cloud CDN?