If you configure a private Object Storage Service (OSS) bucket as your origin server, we recommend that you enable the private bucket access feature and grant Alibaba Cloud CDN permissions to access the OSS bucket. The feature authenticates back-to-origin requests from Alibaba Cloud CDN and protects the origin server from unauthorized access. You can also include the authentication information in user requests to access private OSS buckets. This topic describes how to enable and disable access to private OSS buckets.
Background information
After you enable access to a private OSS bucket, you can also use features such as referer whitelists, referer blacklists, and URL signing provided by Alibaba Cloud CDN to protect resources from unauthorized access. For more information, see Configure a referer whitelist or blacklist to enable hotlink protection and Configure URL signing.
- The first time you use this feature, you must grant the read-only permissions to Alibaba Cloud CDN to access all OSS buckets in your account.
- After you grant the read-only permissions to Alibaba Cloud CDN and enable the private bucket access feature for an accelerated domain name, you can access all resources in your private buckets by using the accelerated domain name. Proceed with caution when you use this feature. Do not authorize Alibaba Cloud CDN to access your private OSS buckets or enable access to private OSS buckets if the private OSS bucket stores content other than what is intended for the visitors of the website.
- If your website is vulnerable to attacks, purchase an Anti-DDoS service. In addition, proceed with caution when you grant Alibaba Cloud CDN permissions on private OSS buckets or enable access to private OSS buckets.
- Access to private OSS buckets conflicts with the settings of the default homepage of the static website that is hosted on OSS. If you must enable both features, see Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled?
Enable access to private OSS buckets
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
- In the left-side navigation pane of the domain name, click Back-to-origin.
- Optional: Perform this operation the first time you use this feature. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize. Then, click Confirm Authorization Policy.
- In the Alibaba Cloud OSS Private Bucket Access section, turn on Alibaba Cloud OSS Private Bucket Access.
Note: The preceding steps are sufficient if you only want to authorize Alibaba Cloud CDN to access unencrypted objects in a specified private OSS bucket. If you want Alibaba Cloud CDN to access OSS objects that are encrypted by using Key Management Service (KMS), you must first attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole (see the optional step below).
- In the Alibaba Cloud OSS Private Bucket Access dialog box that appears, select a type and click OK.
Parameter: Type
- Bucket in the Same Account: The system automatically configures a security token issued by Security Token Service (STS). However, Alibaba Cloud CDN can only access private OSS buckets in the same Alibaba Cloud account.
- Bucket Across Accounts or in the Same Account: You need to configure a permanent security token. This way, Alibaba Cloud CDN can retrieve content from private OSS buckets in the same Alibaba Cloud account and from private OSS buckets in other Alibaba Cloud accounts.
Parameter: AccessKey ID
The AccessKey ID of the Alibaba Cloud account to which the private OSS bucket belongs. For more information, see Create an AccessKey pair.
Parameter: AccessKey Secret
The AccessKey secret of the Alibaba Cloud account to which the private OSS bucket belongs.
- Optional: Attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole.
- Click Add Permissions in the Actions column. In the Add Permissions panel, the value of the Principal field is automatically specified.
- Click System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected list.
- Click OK.
- Click Complete.
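Because the authorization above grants the RAM role read-only access to every OSS bucket in the account, it is worth verifying afterwards that the role carries only the policies this feature needs, and, after you follow the disabling procedure later in this topic, that nothing is still attached. The following script is an added example, not Alibaba Cloud documentation or code: it parses the JSON that the RAM ListPoliciesForRole API returns for AliyunCDNAccessingPrivateOSSRole and reports unexpected or missing policies. It assumes the response shape `{"Policies": {"Policy": [{"PolicyName": ...}]}}` and assumes the read-only OSS policy attached by Authorize is named AliyunOSSReadOnlyAccess; check the actual policy name in your RAM console and adjust EXPECTED if it differs. The sample response is constructed for illustration.

```python
"""Audit the policies attached to the CDN back-to-origin RAM role.

Added example (not Alibaba Cloud's own code). Feed it the JSON body of a
ListPoliciesForRole call for AliyunCDNAccessingPrivateOSSRole and it
reports anything beyond the policies the private bucket access feature
needs, so the role stays least-privilege.

Assumptions (not stated on the page): the response shape mirrors the RAM
ListPoliciesForRole API ({"Policies": {"Policy": [...]}}) and the read-only
OSS policy granted by Authorize is the system policy AliyunOSSReadOnlyAccess.
"""
import json

ROLE_NAME = "AliyunCDNAccessingPrivateOSSRole"

# Policies the feature legitimately needs on the role.
# AliyunKMSCryptoUserAccess is only required when the bucket stores
# KMS-encrypted objects (the optional step above).
EXPECTED = {
    "AliyunOSSReadOnlyAccess": "read-only OSS access granted by Authorize (assumed name)",
    "AliyunKMSCryptoUserAccess": "KMS decrypt access, optional",
}

# Constructed sample response for illustration, not real account data.
# It deliberately contains one policy that should never be on this role.
SAMPLE_RESPONSE = json.dumps({
    "Policies": {"Policy": [
        {"PolicyName": "AliyunOSSReadOnlyAccess", "PolicyType": "System"},
        {"PolicyName": "AliyunKMSCryptoUserAccess", "PolicyType": "System"},
        {"PolicyName": "AliyunOSSFullAccess", "PolicyType": "System"},
    ]}
})


def attached_policies(response_json: str) -> list:
    """Return the attached policy names from a ListPoliciesForRole JSON body."""
    data = json.loads(response_json)
    policies = data.get("Policies", {}).get("Policy", [])
    return [p["PolicyName"] for p in policies]


def audit_role(response_json: str, kms_required: bool = False) -> dict:
    """Classify attached policies as unexpected or missing.

    kms_required: set True when the bucket stores KMS-encrypted objects, so
    the absence of AliyunKMSCryptoUserAccess is reported as a problem.
    """
    names = set(attached_policies(response_json))
    unexpected = sorted(names - set(EXPECTED))
    missing = []
    if "AliyunOSSReadOnlyAccess" not in names:
        missing.append("AliyunOSSReadOnlyAccess")
    if kms_required and "AliyunKMSCryptoUserAccess" not in names:
        missing.append("AliyunKMSCryptoUserAccess")
    return {
        "role": ROLE_NAME,
        "unexpected": unexpected,
        "missing": missing,
        "ok": not unexpected and not missing,
    }


def is_fully_revoked(response_json: str) -> bool:
    """True when no policy remains on the role (the disable procedure's goal)."""
    return len(attached_policies(response_json)) == 0


if __name__ == "__main__":
    # Usage with the constructed sample; in practice pass the real API body.
    report = audit_role(SAMPLE_RESPONSE, kms_required=True)
    for name in report["unexpected"]:
        print(f"UNEXPECTED policy on {ROLE_NAME}: {name} (remove it)")
    for name in report["missing"]:
        print(f"MISSING policy on {ROLE_NAME}: {name}")
    print("role is least-privilege" if report["ok"] else "role needs attention")
```

Run it against the saved output of the real API call (for example with the Alibaba Cloud CLI's `aliyun ram ListPoliciesForRole --RoleName AliyunCDNAccessingPrivateOSSRole`); the sample above flags AliyunOSSFullAccess, which would let the CDN role do far more than read from the bucket.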
Disable access to private OSS buckets
If you no longer want an accelerated domain name to access your private OSS buckets in the same account, you can log on to the RAM console and revoke the access permissions that are granted to Alibaba Cloud CDN.
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole.
- Revoke all permissions that are granted to the RAM role AliyunCDNAccessingPrivateOSSRole.
- Click Revoke Permission in the Actions column.
- In the Revoke Permission dialog box, click Revoke Permission.
- Delete the RAM role AliyunCDNAccessingPrivateOSSRole.
- Find the RAM role AliyunCDNAccessingPrivateOSSRole and click Delete in the Actions column.
- In the Delete Role message, click OK.