If your origin server is a private Object Storage Service (OSS) bucket, you must grant Alibaba Cloud CDN access permissions on the private OSS bucket before Alibaba Cloud CDN can access the bucket. Permission control can prevent hotlink issues.

Background information

After you enable access to a private OSS bucket, you can also use features such as hotlink protection and URL signing provided by Alibaba Cloud CDN to ensure resource security. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection and Configure URL signing.

Notice
  • After you authorize Alibaba Cloud CDN to access a private OSS bucket, Alibaba Cloud CDN is granted read-only permissions on all of your OSS buckets.
  • After you authorize Alibaba Cloud CDN to access private OSS buckets, Alibaba Cloud CDN can access all of the resources in the private OSS buckets through the accelerated domain names. Proceed with caution when you use this feature. Do not authorize Alibaba Cloud CDN to access your private OSS buckets or enable access to private OSS buckets if the private OSS bucket stores content other than what is intended for the visitors of the website.
  • If your website is vulnerable to attacks, purchase an Anti-DDoS service. In addition, do not grant Alibaba Cloud CDN permissions on private OSS buckets or enable access to private OSS buckets.
  • Access to private OSS buckets conflicts with the settings of the default homepage of the static website that is hosted on OSS. If you must enable both features, see Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private Object Storage Service (OSS) is enabled?

Enable access to a private OSS bucket

Procedure:
  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Back-to-origin.
  5. This step is required only if this is your first time authorizing Alibaba Cloud CDN to access a private OSS bucket. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize, and then click Confirm Authorization. Confirm the authorization
  6. In the Alibaba Cloud OSS Private Bucket Access section, turn on Alibaba Cloud OSS Private Bucket Access.
    Note You need only to complete the preceding steps if you want to authorize Alibaba Cloud CDN to access unencrypted files in a specified private OSS bucket. If you want Alibaba Cloud CDN to access OSS objects that are encrypted by using Key Management Service (KMS), you must first grant the AliyunKMSCryptoUserAccess permission to the Resource Access Management (RAM) role AliyunCDNAccessingPrivateOSSRole.
  7. This step is optional. Grant the AliyunKMSCryptoUserAccess permission to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole.
    4. Click Add Permissions in the Actions column. In the Add Permissions panel, the value of the Principal field is automatically specified.
    5. Click System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected list.
    6. Click OK.
    7. Click Complete.

Disable access to private OSS buckets

If you do not want an accelerated domain name to access your private Object Storage Service (OSS) buckets, you can log on to the Resource Access Management (RAM) console and revoke the access permissions that are granted to Alibaba Cloud CDN. Then, Alibaba Cloud CDN can no longer access your private OSS buckets.

Procedure:
  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole. RAM roles
  4. Revoke all permissions that are granted to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Click Remove Permission in the Actions column.
    2. In the Remove Permission message, click OK.
  5. Choose Identities > Roles and delete AliyunCDNAccessingPrivateOSSRole.
    1. Find the RAM role AliyunCDNAccessingPrivateOSSRole and click Delete in the Actions column.
    2. In the Delete RAM Role message, click OK.