If your origin server is a private Object Storage Service (OSS) bucket, you must grant Alibaba Cloud CDN access permissions on the private OSS bucket before Alibaba Cloud CDN can access the bucket. Permission control protects origin servers from unauthorized access. This topic describes how to enable and disable access to private OSS buckets.

Background information

After you enable access to a private OSS bucket, you can also use features such as referer whitelists, referer blacklists, and URL signing provided by Alibaba Cloud CDN to protect resources from unauthorized access. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection and Configure URL signing.

Notice
  • After you authorize Alibaba Cloud CDN to access a private OSS bucket, Alibaba Cloud CDN is granted read-only permissions on all of your OSS buckets.
  • After you authorize Alibaba Cloud CDN to access private OSS buckets, Alibaba Cloud CDN can access all of the resources in the private OSS buckets through the accelerated domain names. Proceed with caution. Do not authorize Alibaba Cloud CDN to access your private OSS buckets or enable access to private OSS buckets if the private OSS bucket stores content other than what is intended for the visitors of the website.
  • If your website is vulnerable to attacks, purchase an Anti-DDoS service. In addition, proceed with caution when you grant Alibaba Cloud CDN permissions on private OSS buckets or enable access to private OSS buckets.
  • If requests destined for your accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private OSS buckets is enabled, you can disable static website hosting or create a URI rewrite rule. For more information, see Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private Object Storage Service (OSS) is enabled?

Enable access to private OSS buckets

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name and click Manage in the Actions column.
  4. In the left-side management pane of the domain name, click Back-to-origin.
  5. Optional: This step is required only if this is your first time authorizing Alibaba Cloud CDN to access private OSS buckets. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize, and then click Confirm Authorization.
  6. In the Alibaba Cloud OSS Private Bucket Access section, turn on Alibaba Cloud OSS Private Bucket Access.
    Note The preceding steps are sufficient if you only want Alibaba Cloud CDN to access unencrypted files in a private OSS bucket. If you want Alibaba Cloud CDN to access OSS objects that are encrypted by using Key Management Service (KMS), you must first grant the AliyunKMSCryptoUserAccess permission to the Resource Access Management (RAM) role AliyunCDNAccessingPrivateOSSRole.
  7. Optional: Grant the AliyunKMSCryptoUserAccess permission to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole.
    4. Click Add Permissions in the Actions column. In the Add Permissions panel, the value of the Principal field is automatically specified.
    5. Click System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected list.
    6. Click OK.
    7. Click Complete.
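After completing the steps above, it is worth confirming that the role ends up with exactly the permissions the Notice describes (read-only, but spanning all of your buckets) and, if you needed step 7, that the KMS policy is attached. The following audit script is an added example, not part of the Alibaba Cloud documentation or SDK; it assumes you have exported the policy documents attached to AliyunCDNAccessingPrivateOSSRole from the RAM console into the CDN_ROLE_POLICIES mapping (the sample contents are constructed), and the READ_ONLY_PREFIXES classification is an assumption of this example.

```python
import json

# Constructed sample: policy documents attached to the RAM role
# AliyunCDNAccessingPrivateOSSRole, keyed by policy name as exported from the
# RAM console. Bodies are illustrative, not Alibaba Cloud's live policy text.
CDN_ROLE_POLICIES = {
    "AliyunOSSReadOnlyAccess": {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["oss:Get*", "oss:List*"], "Resource": "*"}
        ],
    },
}

# OSS actions that only read data or metadata; anything else counts as a write.
READ_ONLY_PREFIXES = ("oss:Get", "oss:List", "oss:Head")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_cdn_role(policies):
    """Summarise what the CDN back-to-origin role may do.
    write_actions: OSS actions beyond read-only (including oss:* and *);
    all_buckets:   True if any Allow statement spans every bucket;
    kms_access:    True if AliyunKMSCryptoUserAccess (needed for KMS objects) is attached.
    """
    write_actions, all_buckets = set(), False
    for doc in policies.values():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements only narrow access
            for action in _as_list(stmt.get("Action", [])):
                is_oss = action == "*" or action.startswith("oss:")
                if is_oss and not action.startswith(READ_ONLY_PREFIXES):
                    write_actions.add(action)
            for res in _as_list(stmt.get("Resource", [])):
                # "*" or an ARN whose bucket segment is "*" covers all buckets
                if res == "*" or res.split(":")[-1].split("/")[0] == "*":
                    all_buckets = True
    return {
        "read_only": not write_actions,
        "write_actions": sorted(write_actions),
        "all_buckets": all_buckets,
        "kms_access": "AliyunKMSCryptoUserAccess" in policies,
    }


print(json.dumps(audit_cdn_role(CDN_ROLE_POLICIES), indent=2))
```

Replace the sample mapping with the real policy documents from the role's permissions list; any entry in write_actions means the role can do more than serve content and should be reviewed.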

Disable access to private OSS buckets

If you do not want an accelerated domain name to access your private Object Storage Service (OSS) buckets, you can log on to the RAM console and revoke the access permissions that are granted to Alibaba Cloud CDN. Then, Alibaba Cloud CDN can no longer access your private OSS buckets.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole.
  4. Revoke all permissions that are granted to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Click Remove Permission in the Actions column.
    2. In the Remove Permission message, click OK.
  5. Choose Identities > Roles and delete AliyunCDNAccessingPrivateOSSRole.
    1. Find the RAM role AliyunCDNAccessingPrivateOSSRole and click Delete in the Actions column.
    2. In the Delete RAM Role message, click OK.