Edge Security Acceleration: Configure an OSS or S3 bucket as an origin server

Last Updated: Dec 19, 2024

You can add an Alibaba Cloud Object Storage Service (OSS) bucket or an AWS Simple Storage Service (AWS S3) bucket as an origin server of an Edge Security Acceleration (ESA) website, either by using a DNS CNAME record or by including the bucket in the origin pool of the website. This topic describes how to configure an OSS or AWS S3 bucket as an origin server of an ESA website.

Usage notes

You can protect your resources by configuring Web Application Firewall (WAF) settings in ESA, such as Referer whitelists, Referer blacklists, and rate limiting rules. For more information, see WAF.

Configure an OSS origin server

Usage notes

  • After you authorize ESA to fetch content from a private OSS bucket within the same account or a different account, all resources in the bucket become accessible through the ESA-covered domain. Before you grant this origin fetch authorization, evaluate whether it is actually needed for your business. If the private OSS bucket stores content other than what is intended for the visitors of the website, do not authorize ESA to access the bucket.

  • If you want to authorize ESA to fetch content from a private OSS bucket that belongs to another Alibaba Cloud account, do not grant the write or delete permissions on the bucket to Resource Access Management (RAM) users. For more information about how to grant a RAM user permissions to access OSS, see Access OSS by using a RAM user.

  • Fetching content from a private OSS bucket conflicts with the default homepage settings of static website hosting for the private OSS bucket. To use ESA to accelerate access to a private bucket for which static website hosting is configured, see instructions in Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?

  • An OSS origin server qualifies for OSS origin traffic discounts. For more information, see Billing.

Procedure

  1. When you map an OSS bucket to the ESA website by adding a CNAME record or including the bucket in the origin pool, set the origin server type to OSS. For more information, see Add DNS records or Create an origin pool.

  2. For Access Type, select Public Access, Private Access (Same-account), or Private Access (Cross-account), depending on the access control list (ACL) and owning account of the bucket.

    • If you select Public Access, enter the public domain name of the bucket in the OSS Bucket field. In this case, you do not need to complete the authorization. For more information about bucket domain names, see Endpoints and domain names.

    • If you select Private Access (Same-account) or Private Access (Cross-account), configure authorization and authentication by using the following steps.

      Private Access (Same-account)

      The system automatically requests a security token from Security Token Service (STS). This option allows ESA to pull content only from private OSS buckets in the same Alibaba Cloud account.

      The first time you authorize ESA to access a private OSS bucket within the same account, the system creates a RAM role for ESA with the default permission policy attached. By assuming the role, ESA has read-only access to all OSS buckets within the same account by using temporary security tokens.

      1. In the Authorization section, click Authorize. On the Cloud Resource Access Authorization page, click Agree to Authorization.

        Note

        If you cannot complete the authorization by clicking the Authorize button in the ESA console, try performing the authorization in the RAM console. For more information, see Use the RAM console to authorize ESA to access private OSS buckets in the same account.

      2. After the authorization is successful, select the domain name of the bucket from the OSS Bucket drop-down list.

        Note

        The previous authorization configuration allows ESA to fetch only unencrypted data from the private bucket. To configure ESA to fetch both encrypted and unencrypted data from the bucket, you must additionally attach the AliyunKMSCryptoUserAccess policy to the AliyunESAAccessingPrivateOSSRole role.

      3. Optional. Attach the AliyunKMSCryptoUserAccess policy to the AliyunESAAccessingPrivateOSSRole role.

        1. Log on to the RAM console.

        2. In the left-side navigation pane, choose Identities > Roles.

        3. On the Roles page, find the RAM role AliyunESAAccessingPrivateOSSRole.

        4. In the Actions column, click Grant Permission. In the Grant Permission panel, the Principal field is automatically filled in.

        5. In the Policy section, select System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected Policy list.

        6. Click Grant permissions. Completed is displayed.

        7. Click Close.

      Private Access (Cross-account)

      You need to configure a permanent security token (an AccessKey pair). This option allows ESA to pull content from private OSS buckets both in the same Alibaba Cloud account and in other Alibaba Cloud accounts.

      Configure the following parameters:

      Access Type: Select Private Access (Cross-account).

      OSS Bucket: Enter the public domain name of the bucket. For more information about bucket domain names, see Endpoints and domain names.

      AccessKey ID: Specify the AccessKey ID of the Alibaba Cloud account to which the private OSS bucket belongs. For more information, see Create an AccessKey pair.

      AccessKey Secret: Specify the AccessKey secret of the Alibaba Cloud account to which the private OSS bucket belongs.

Use the RAM console to authorize ESA to access private OSS buckets in the same account

If you cannot authorize ESA to access a private bucket in the ESA console, you can do it in the RAM console.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

    1. Click the JSON tab. In the policy editor, enter the following policy content:

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "oss:List*",
                      "oss:Get*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
    2. Click Next to edit policy information, configure the following parameters, and then click OK.

      Name: Enter AliyunESAAccessingPrivateOSSRolePolicy.

      Description: Enter a policy description. For example: This policy grants ESA read-only permissions on a private OSS bucket.

  4. In the left-side navigation pane, choose Identities > Roles.

    1. On the Roles page, click Create Role.

    2. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.

    3. In the Configure Role step, provide the following information:

      RAM Role Name: Enter AliyunESAAccessingPrivateOSSRole.

      Note: Enter a role description. For example: This role is assumed by ESA to fetch content from a private OSS bucket.

    4. Select Current Alibaba Cloud Account for Select Trusted Alibaba Cloud Account. Then, click OK.

  5. After the role is created, click AliyunESAAccessingPrivateOSSRole in the Roles list.

    1. On the Trust Policy tab, click Edit Trust Policy, enter the following information, and then click Save trust policy document.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "dcdnservices.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    2. On the Permissions tab, click Grant Permission. In the Grant Permission panel, configure the following settings:

      Select Account for Resource Scope.

      In the Policy section, select Custom Policy from the drop-down list next to the search box, select the AliyunESAAccessingPrivateOSSRolePolicy policy, and then click Grant permissions.

  6. Verify the authorization status on the CNAME record configuration page of the ESA console. The status shows that ESA is authorized to access private OSS buckets in the same account.
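The usage notes above require that the ESA role has read-only access and that only ESA can assume it. The following Python script is an added example, not part of this topic or of any Alibaba Cloud tool: it audits the permission policy from step 3 and the trust policy from step 5 (both embedded below as constructed copies) and reports any Allow action outside oss:Get*/oss:List* and any principal other than the dcdnservices.aliyuncs.com service principal. The helper names and the read-only prefix rule are this example's own assumptions.

```python
import json

# Constructed copies of the two policy documents from the procedure above:
# the permission policy AliyunESAAccessingPrivateOSSRolePolicy and the trust
# policy of the role AliyunESAAccessingPrivateOSSRole.
PERMISSION_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Action": ["oss:List*", "oss:Get*"], "Resource": "*", "Effect": "Allow"}
    ]
}
""")

TRUST_POLICY = json.loads("""
{
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["dcdnservices.aliyuncs.com"]}}
    ],
    "Version": "1"
}
""")

# Assumption of this example: only these OSS action prefixes count as read-only.
# Anything else (oss:Put*, oss:Delete*, oss:*, *) can modify or remove content.
READ_ONLY_PREFIXES = ("oss:get", "oss:list")

# Service principal that the trust policy in step 5 grants sts:AssumeRole to.
ESA_SERVICE_PRINCIPAL = "dcdnservices.aliyuncs.com"


def _as_list(value):
    """RAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def non_readonly_actions(policy):
    """Return every action in an Allow statement that is not an OSS read action.

    An empty list means the policy grants read-only access, which is what the
    usage notes require for the ESA role.
    """
    offenders = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if not action.lower().startswith(READ_ONLY_PREFIXES):
                offenders.append(action)
    return offenders


def unexpected_trust_principals(trust_policy, expected_service=ESA_SERVICE_PRINCIPAL):
    """Return principals other than the ESA service that may assume the role.

    Service, RAM (account or user) and Federated principals are all collected,
    so a trust policy that was widened to another account is reported.
    """
    unexpected = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        for kind in ("Service", "RAM", "Federated"):
            for entry in _as_list(principal.get(kind)):
                if not (kind == "Service" and entry == expected_service):
                    unexpected.append(f"{kind}:{entry}")
    return unexpected


def audit(permission_policy, trust_policy):
    """Run both checks; empty lists mean the role matches the usage notes."""
    return {
        "non_readonly_actions": non_readonly_actions(permission_policy),
        "unexpected_principals": unexpected_trust_principals(trust_policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit(PERMISSION_POLICY, TRUST_POLICY), indent=2))
```

Paste the JSON that the RAM console shows for the role's policy and trust policy in place of the two constants to check a deployed role; a non-empty list in either field means the role is broader than the procedure intends.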

Revoke authorization of ESA access to private buckets

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click AliyunESAAccessingPrivateOSSRole.

  4. Revoke all permissions from the role AliyunESAAccessingPrivateOSSRole.

    1. Click Revoke Permission in the Actions column.

    2. In the Revoke Permission dialog box, click Revoke Permission.

  5. Go back to the Identities > Roles page and delete the AliyunESAAccessingPrivateOSSRole role.

    1. Find AliyunESAAccessingPrivateOSSRole and click Delete Role in the Actions column.

    2. In the Delete Role dialog box, enter the role name and click Delete Role.

Configure an AWS S3 origin server

Procedure

  1. When you map an AWS S3 bucket to the ESA website by adding a CNAME record or including the bucket in the origin pool, set the origin server type to S3-compatible. For more information, see Add DNS records or Create an origin pool.

  2. For Access Type, select Public Access or Private Access.

  • If you select Public Access, enter the public endpoint of the bucket in the Origin Address field. In this case, you do not need to complete the authorization. For more information about endpoints, see Website endpoints.

  • If you select Private Access, provide the following information for authorization and authentication.

    Origin Address: The public endpoint of the AWS S3 bucket. Example: your-bucket-name.s3.us-west-1.amazonaws.com. For more information, see Website endpoints.

    Signature Version: The signing protocol that is configured for the AWS S3 bucket. ESA supports only the AWS Signature V4 protocol for AWS S3 buckets. For more information, see AWS Signature Version 4 (SigV4) authentication-specific policy keys.

    Region: The code of the region in which the AWS S3 bucket resides. Example: us-west-1. For more information, see AWS service endpoints.

    AccessKey: The access key ID of the Identity and Access Management (IAM) user that is used to access the AWS S3 bucket. For more information, see Manage access keys for IAM users.

    SecretKey: The secret access key of the IAM user that is used to access the AWS S3 bucket.
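With Private Access, ESA signs each origin request with AWS Signature Version 4 using the AccessKey and SecretKey above. The Python example below is added here to show what that signing involves; it is not ESA's code and not an AWS library. It builds the SigV4 canonical request, the string to sign and the Authorization header for a plain GET of one object from the Origin Address in the table, with an empty-body payload hash. The key pair is a constructed placeholder, the object key is invented, and the function names are this example's own. Note that the Region is part of the credential scope, which is why a region code that does not match the bucket produces a signature that S3 rejects.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo values; this key pair is not a working credential.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ORIGIN_ADDRESS = "your-bucket-name.s3.us-west-1.amazonaws.com"  # Origin Address parameter
REGION = "us-west-1"                                            # Region parameter
SERVICE = "s3"
ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the secret never signs a request directly.

    The chain date -> region -> service -> "aws4_request" binds the derived key
    to one day, one region and one service.
    """
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def build_canonical_request(method: str, object_key: str, host: str,
                            amz_date: str, payload_hash: str):
    """Build the SigV4 canonical request for GET /<object_key>.

    S3 expects the object key URI-encoded once, with '/' left as-is.
    Returns the canonical request and the SignedHeaders value.
    """
    canonical_uri = "/" + quote(object_key, safe="/")
    canonical_query = ""  # a plain object fetch carries no query parameters
    canonical_headers = (
        f"host:{host}\n"
        f"x-amz-content-sha256:{payload_hash}\n"
        f"x-amz-date:{amz_date}\n"
    )
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical = "\n".join([method, canonical_uri, canonical_query,
                           canonical_headers, signed_headers, payload_hash])
    return canonical, signed_headers


def sign_get_object(object_key: str, amz_date: str, access_key: str = ACCESS_KEY,
                    secret_key: str = SECRET_KEY, host: str = ORIGIN_ADDRESS,
                    region: str = REGION) -> dict:
    """Return the request headers a SigV4 client sends for GET /<object_key>.

    amz_date is the ISO 8601 basic timestamp, e.g. 20240101T000000Z.
    """
    date_stamp = amz_date[:8]                # YYYYMMDD part of the timestamp
    payload_hash = sha256_hex(b"")           # GET requests have an empty body
    canonical, signed_headers = build_canonical_request(
        "GET", object_key, host, amz_date, payload_hash)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, sha256_hex(canonical.encode("utf-8"))])
    signing_key = derive_signing_key(secret_key, date_stamp, region, SERVICE)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,
        "Authorization": (f"{ALGORITHM} Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


if __name__ == "__main__":
    for name, value in sign_get_object("images/logo.png", "20240101T000000Z").items():
        print(f"{name}: {value}")
```

Only the access key ID travels in the Authorization header; the secret key is used solely to derive the per-day signing key, which is the reason the SecretKey parameter must be kept confidential while the AccessKey can be logged for troubleshooting.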