If your origin server is a private Object Storage Service (OSS) bucket, you must grant Alibaba Cloud CDN access permissions on the private OSS bucket before Alibaba Cloud CDN can access the bucket. Permission control can prevent hotlinking issues.

Background information

After you enable access to a private OSS bucket, you can also use features such as hotlink protection and URL signing provided by Alibaba Cloud CDN to ensure resource security. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection and URL signing.

Notice
  • After you authorize Alibaba Cloud CDN to access a private OSS bucket, Alibaba Cloud CDN is granted read-only permissions on all of your OSS buckets.
  • After you authorize Alibaba Cloud CDN and enable the private bucket access feature, Alibaba Cloud CDN can access all of the resources in the private OSS bucket through the accelerated domain name. Proceed with caution when you use this feature. Do not authorize Alibaba Cloud CDN to access your private OSS bucket or enable the private bucket access feature if the private OSS bucket stores content other than that is intended for the visitors of the website.
  • If your website is vulnerable to attacks, purchase an Anti-DDoS service. In addition, do not grant Alibaba Cloud CDN permissions on private OSS buckets or enable the private bucket access feature.

Enable access to a private OSS bucket

Procedure:
  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Back-to-origin.
  5. This step is required only if this is your first time authorizing Alibaba Cloud CDN to access a private OSS bucket. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize, and then click Confirm Authorization. Confirm the authorization
  6. In the Alibaba Cloud OSS Private Bucket Access section, turn on Alibaba Cloud OSS Private Bucket Access.
    Note You need only to complete the preceding steps if you want to authorize Alibaba Cloud CDN to access unencrypted files in a specified private OSS bucket. If you want Alibaba Cloud CDN to access OSS objects that are encrypted by using Key Management Service (KMS), you must first grant the AliyunKMSCryptoUserAccess permission to the Resource Access Management (RAM) role AliyunCDNAccessingPrivateOSSRole.
  7. This step is optional. Grant the AliyunKMSCryptoUserAccess permission to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, click RAM Roles.
    3. On the RAM Roles page, find the RAM role AliyunCDNAccessingPrivateOSSRole.
    4. Click Add Permissions in the Actions column. In the Add Permissions panel, the value of the Principal field is automatically specified.
    5. Click System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected list.
    6. Click OK.
    7. Click Complete.

Disable access to private OSS buckets

If you do not want an accelerated domain name to access your private Object Storage Service (OSS) buckets, you can log on to the Resource Access Management (RAM) console and revoke the access permissions that are granted to Alibaba Cloud CDN. Then, Alibaba Cloud CDN can no longer access your private OSS buckets.

Procedure:
  1. Log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, find the RAM role AliyunCDNAccessingPrivateOSSRole. RAM Roles
  4. Revoke all permissions that are granted to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Click Remove Permission in the Actions column.
    2. In the Remove Permission message, click OK.
  5. Go to the RAM Roles page and delete the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Find the RAM role AliyunCDNAccessingPrivateOSSRole and click Delete in the Actions column.
    2. In the Delete RAM Role message, click OK.