configure an OSS bucket as an origin server, configure the server used to store static resources, configure the origin server for DNS resolution - Edge Security Acceleration

This topic describes an acceleration solution for websites with static resources such as images, audio, and videos. We recommend that you use Alibaba Cloud Object Storage Service (OSS) together with Edge Security Acceleration (ESA) to achieve efficient and secure global content distribution, and improve the loading speed and user experience for your website.

Usage notes

After you authorize ESA to fetch content from a private OSS bucket within the same account or across different accounts, all resources in the bucket are accessible by using the ESA-covered domain. Perform such origin fetch authorization with caution. If the private OSS bucket stores content other than what is intended for the visitors of the website, do not authorize ESA to access the bucket.
If you want to authorize ESA to fetch content from a private OSS bucket that belongs to another Alibaba Cloud account, do not grant the write or delete permissions on the bucket to Resource Access Management (RAM) users. For more information about how to grant a RAM user the permissions to access OSS, see Access OSS by using a RAM user.
Fetching content from a private OSS bucket conflicts with the default homepage settings of static website hosting for the private OSS bucket. To use ESA to accelerate access to a private bucket for which static website hosting is configured, see instructions in Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?
An OSS origin server qualifies for OSS origin traffic discounts. For more information, see Billing overview.

Procedure

When you map an OSS bucket to your ESA website by adding a CNAME record or including the bucket in the origin pool, set the origin server type to OSS. For more information, see Manage DNS records or Create an origin pool.

For Access Type, select Public Access, Private Access (Same-account), or Private Access (Cross-account), depending on the access control list (ACL) and owning account of the bucket.

If you select Public Access, enter the public domain name of the bucket in the OSS Bucket field. In this case, you do not need to complete the authorization. For more information about bucket domain names, see Endpoints and domain names.

If you select Private Access (Same-account) or Private Access (Cross-account), configure authorization and authentication by using the following steps.

Private Access (Same-account)

The system automatically requests a security token from STS. This option allows ESA to pull content from private OSS buckets only within the same Alibaba Cloud account.

The first time you authorize ESA to access a private OSS bucket within the same account, the system creates a RAM role for ESA with the default permission policy attached. By assuming the role, ESA has read-only access to all OSS buckets within the same account by using temporary security tokens.

In the Authorization section, click Authorize. On the Cloud Resource Access Authorization page, click Agree to Authorization.
Note
If you cannot complete the authorization by clicking the Authorize button in the ESA console, try performing the authorization in the RAM console. For more information, see Use the RAM console to authorize ESA to access private OSS buckets in the same account.
After the authorization is successful, select the domain name of the bucket from the OSS Bucket drop-down list.
Note
The previous authorization configuration allows ESA to fetch only non-encrypted data from the private bucket. To configure ESA to fetch both encrypted and non-encrypted data from the bucket, you must additionally attach the AliyunKMSCryptoUserAccess policy to the AliyunESAAccessingPrivateOSSRole role.
Optional. Attach the AliyunKMSCryptoUserAccess policy to the AliyunESAAccessingPrivateOSSRole role.
1. Log on to the RAM console.
2. In the left-side navigation pane, choose Identities > Roles.
3. On the Roles page, find the RAM role AliyunESAAccessingPrivateOSSRole.
4. In the Actions column, click Grant Permission. In the Grant Permission panel, the Principal field is automatically filled in.
5. In the Policy section, select System Policy from the drop-down list next to the search box and enter AliyunKMSCryptoUserAccess in the search box. In the search result list, select the AliyunKMSCryptoUserAccess policy to add it to the Selected Policy list.
6. Click Grant permissions. Completed is displayed.
7. Click Close.

Private Access (Cross-account)

You need to configure a permanent security token. This option allows ESA to pull content from private OSS buckets both in the same Alibaba Cloud account and across Alibaba Cloud accounts.

Parameter	Description
Access Type	Select Private Access (Cross-account).
OSS Bucket	Enter the public domain name of the bucket. For more information about bucket domain names, see Endpoints and domain names.
AccessKey ID	Specify the AccessKey ID of the Alibaba Cloud account to which the private OSS bucket belongs. For more information, see Create an AccessKey pair.
AccessKey Secret	Specify the AccessKey secret of the Alibaba Cloud account to which the private OSS bucket belongs.

Use the RAM console to authorize ESA to access private OSS buckets in the same account

If you cannot authorize ESA to access a private bucket in the ESA console, you can do it in the RAM console.

Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
1. Click the JSON tab. In the policy editor, enter the following policy content:
```
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:List*",
                "oss:Get*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```
2. Click Next to edit policy information, configure the following parameters, and then click OK.
  Name: Enter AliyunESAAccessingPrivateOSSRolePolicy.
  Description: Enter a policy description. For example, you can enter the following description: This policy grants ESA read-only permissions on a private OSS bucket.
In the left-side navigation pane, select Identities > Roles.
1. On the Roles page, click Create Role.
2. On the Create Role page, set Principal Type to Cloud Account, specify the Alibaba Cloud account, and then click OK.
3. In the Configure Role step, provide the following information:
  RAM Role Name: Enter AliyunESAAccessingPrivateOSSRole.
  Note: Enter a role description. For example, you can enter the following description: This role is assumed by ESA to fetch content from a private OSS bucket.
4. Select Current Alibaba Cloud Account for Select Trusted Alibaba Cloud Account. Then, click OK.
After the role is created, click AliyunESAAccessingPrivateOSSRole in the Roles list.
1. On the Trust Policy tab, click Edit Trust Policy, enter the following information, and then click Save trust policy document.
```
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dcdnservices.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```
2. On the Permissions tab, click Grant Permission. In the Grant Permission panel, configure the following settings:
  Select Account for Resource Scope.
  In the Policy section, select Custom Policy from the drop-down list next to the search box, select the AliyunESAAccessingPrivateOSSRolePolicy policy, and then click Grant permissions.
Verify the authorization status on the CNAME record configuration page of the ESA console. ESA is authorized to access private OSS buckets in the same account.

Revoke authorization of ESA access to private buckets

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click AliyunESAAccessingPrivateOSSRole.
Revoke all permissions from the role AliyunESAAccessingPrivateOSSRole.
1. Click Revoke Permission in the Actions column.
2. In the Revoke Permission dialog box, click Revoke Permission.
Go back to the Roles page and delete the AliyunESAAccessingPrivateOSSRole role.
1. Find AliyunESAAccessingPrivateOSSRole and click Delete Role in the Actions column.
2. In the Delete Role dialog box, enter the role name and click Delete Role.

What to do next

You can protect your resources by configuring Web Application Firewall (WAF) settings in ESA, such as Referer whitelists, Referer blacklists, and rate limiting rules. For more information, see WAF.