If an Alibaba Cloud Object Storage Service (OSS) bucket serves as the origin, you can authorize Alibaba Cloud Content Delivery Network (CDN) to read objects from a private OSS bucket and deliver them through an accelerated domain name. Because the bucket stays private, clients cannot bypass CDN and fetch objects from OSS directly, which helps prevent resource hotlinking. This topic describes how to grant CDN access to a private bucket.

Background information

After you enable access to a private OSS bucket, you can use the features that Alibaba Cloud CDN provides, such as hotlink protection and URL signing, to protect the resources that CDN delivers. For more information, see Configure hotlink protection and URL signing.

Notice
  • After you perform the authorization, Alibaba Cloud CDN is granted read-only permission on all OSS buckets in your account, not only on the bucket that serves the accelerated domain name. The authorization is account-wide; only the Alibaba Cloud OSS Private Bucket Access switch in the domain name settings is per domain name.
  • After the authorization is performed and the feature is enabled for an accelerated domain name, Alibaba Cloud CDN can read the objects in the specified private bucket through that domain name. Enable this feature with caution. If the private bucket does not hold appropriate origin content for the accelerated domain name, do not perform the authorization or enable access to private OSS buckets.
  • If your website is exposed to attacks, purchase the Anti-DDoS service, and do not perform the authorization or enable access to private OSS buckets.

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Back-to-origin.
  5. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize.
  6. Click Confirm.
    Note You can enable access to private OSS buckets only when an OSS bucket serves as the origin of the domain name.
  7. In the Alibaba Cloud OSS Private Bucket Access section, turn on Alibaba Cloud OSS Private Bucket Access.
    With the preceding settings, Alibaba Cloud CDN is authorized to read objects that are not encrypted in the private OSS bucket that serves origin content. Alibaba Cloud CDN cannot read objects that OSS has encrypted with Key Management Service (KMS) keys unless you also grant the AliyunKMSCryptoUserAccess permission to the Resource Access Management (RAM) role AliyunCDNAccessingPrivateOSSRole, as described in step 8.

    You can disable access to private OSS buckets. For more information, see Disable private bucket back-to-origin authorization.

  8. Optional: Grant the AliyunKMSCryptoUserAccess permission to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, click RAM Roles.
    3. On the RAM Roles page, find the RAM role AliyunCDNAccessingPrivateOSSRole.
    4. Click Add Permissions in the Actions column of the RAM role. In the Add Permissions panel, the value of the Principal field is automatically specified.
    5. Click System Policy and enter AliyunKMSCryptoUserAccess in the search bar. Click the AliyunKMSCryptoUserAccess policy in the search results to move it to the Selected pane.
    6. Click OK.
    7. Click Complete.
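Because the authorization is account-wide (read access to every OSS bucket, plus KMS decryption if step 8 is performed), it is worth re-checking the role periodically: who is allowed to assume AliyunCDNAccessingPrivateOSSRole, and which policies are attached to it. The following script is an added example and is not part of the Alibaba Cloud documentation or of any Alibaba Cloud tool. It assumes the JSON shapes returned by `aliyun ram GetRole --RoleName ...` and `aliyun ram ListPoliciesForRole --RoleName ...`, assumes that the service principal in the role's trust policy is cdn.aliyuncs.com, and assumes that the policy the console attaches on Authorize is named AliyunCDNAccessingPrivateOSSRolePolicy. The sample payloads are constructed, not captured from a real account.

```python
"""Audit the RAM role that Alibaba Cloud CDN assumes for private-bucket back-to-origin.

Added example, not Alibaba Cloud code. Checks that (1) only the CDN service can assume
the role and (2) the role carries only the policies the procedure on this page attaches.
Response shapes of `aliyun ram GetRole` and `aliyun ram ListPoliciesForRole` are assumed.
"""
import json

ROLE_NAME = "AliyunCDNAccessingPrivateOSSRole"
EXPECTED_SERVICE = "cdn.aliyuncs.com"  # assumed service principal in the trust policy
# Assumed name of the policy attached on Authorize, plus the optional KMS policy from step 8.
EXPECTED_POLICIES = {"AliyunCDNAccessingPrivateOSSRolePolicy", "AliyunKMSCryptoUserAccess"}


def trusted_principals(get_role_response):
    """Return every principal the trust policy allows to call sts:AssumeRole.

    Service principals are returned as-is; any other principal type (a RAM user or
    account, for example) is returned as "<Type>:<value>" so that it stands out.
    AssumeRolePolicyDocument is a JSON string nested inside the JSON response.
    """
    doc = json.loads(get_role_response["Role"]["AssumeRolePolicyDocument"])
    principals = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        for ptype, values in stmt.get("Principal", {}).items():
            values = [values] if isinstance(values, str) else values
            for v in values:
                principals.add(v if ptype == "Service" else f"{ptype}:{v}")
    return principals


def attached_policies(list_policies_response):
    """Names of the policies attached to the role."""
    return {p["PolicyName"] for p in list_policies_response["Policies"]["Policy"]}


def kms_read_enabled(list_policies_response):
    """True when CDN can also read KMS-encrypted objects (optional step 8 on this page)."""
    return "AliyunKMSCryptoUserAccess" in attached_policies(list_policies_response)


def audit(get_role_response, list_policies_response):
    """Return a list of findings; an empty list means the role matches expectations."""
    findings = []
    principals = trusted_principals(get_role_response)
    if EXPECTED_SERVICE not in principals:
        findings.append(f"trust policy does not allow {EXPECTED_SERVICE}; back-to-origin will fail")
    extra = principals - {EXPECTED_SERVICE}
    if extra:
        findings.append(f"trust policy allows unexpected principals: {sorted(extra)}")
    unexpected = attached_policies(list_policies_response) - EXPECTED_POLICIES
    if unexpected:
        findings.append(f"unexpected policies attached to role: {sorted(unexpected)}")
    return findings


# Constructed sample responses (not captured from a real account); shapes assumed.
def _trust_doc(principal):
    return json.dumps({"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                      "Principal": principal}], "Version": "1"})


SAMPLE_GET_ROLE = {"Role": {"RoleName": ROLE_NAME,
                            "AssumeRolePolicyDocument": _trust_doc({"Service": ["cdn.aliyuncs.com"]})}}
SAMPLE_LIST_POLICIES = {"Policies": {"Policy": [
    {"PolicyName": "AliyunCDNAccessingPrivateOSSRolePolicy", "PolicyType": "System"},
    {"PolicyName": "AliyunKMSCryptoUserAccess", "PolicyType": "System"}]}}

# Drifted variant: a RAM account added as a trusted principal and a full-access OSS policy attached.
DRIFTED_GET_ROLE = {"Role": {"RoleName": ROLE_NAME,
                             "AssumeRolePolicyDocument": _trust_doc(
                                 {"Service": ["cdn.aliyuncs.com"],
                                  "RAM": ["acs:ram::1234567890123456:root"]})}}
DRIFTED_LIST_POLICIES = {"Policies": {"Policy": SAMPLE_LIST_POLICIES["Policies"]["Policy"] +
                                      [{"PolicyName": "AliyunOSSFullAccess", "PolicyType": "System"}]}}

if __name__ == "__main__":
    # Real use: save the CLI output and load it with json.load, for example
    #   aliyun ram GetRole --RoleName AliyunCDNAccessingPrivateOSSRole > role.json
    #   aliyun ram ListPoliciesForRole --RoleName AliyunCDNAccessingPrivateOSSRole > policies.json
    for label, role, pols in (("expected", SAMPLE_GET_ROLE, SAMPLE_LIST_POLICIES),
                              ("drifted", DRIFTED_GET_ROLE, DRIFTED_LIST_POLICIES)):
        print(label, "kms:", kms_read_enabled(pols), "findings:", audit(role, pols) or "none")
```

The expected-state sample produces no findings; the drifted sample reports both the extra RAM principal in the trust policy and the AliyunOSSFullAccess policy, which would widen CDN's access from read-only to full control of every bucket. If the second finding appears in your account, detach the policy rather than disabling the per-domain switch, since the switch does not revoke the role's permissions.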