
CDN: Configure origin fetch from private OSS buckets

Last Updated: Dec 15, 2025

If your accelerated domain name uses a private Alibaba Cloud Object Storage Service (OSS) bucket to authenticate access and prevent unauthorized traffic, you can enable the origin fetch feature for private OSS buckets. This lets you use CDN to accelerate resources in the private OSS bucket.

How it works and its benefits

  • How it works: After you enable this feature, CDN automatically adds an Authorization field to the header of each origin request sent to your private OSS bucket. The value of this field is a valid signature generated from the identity information that you authorized, such as a Security Token Service (STS) temporary token or an AccessKey. OSS uses this signature to authenticate the request.

  • Secure access: By granting CDN read-only permissions, you can ensure the legitimacy of origin requests. This method avoids the security risks associated with making a private bucket public.

  • Cost optimization: When end-user requests are served by the CDN cache, the traffic fees are significantly lower than the fees for outbound Internet traffic generated by direct access to OSS. Additionally, traffic from CDN to OSS is billed as origin traffic, which has a lower unit price than outbound Internet traffic from OSS. This combination effectively reduces your overall costs. For more information, see Billing of CDN-accelerated OSS resources.
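As an added illustration of the origin request described above (example code, not code from the CDN product or this page): it builds the Authorization header under the OSS header-signing scheme (signature version 1), sends an STS token as the x-oss-security-token header so that it is covered by the signature, and implements the check behind the Note in the procedure below that warns against signing one request in both the header and the URL. The bucket name, key ID, secret, token and URL are constructed placeholders, and whether CDN uses exactly this signature version is not stated on the page.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Query parameters that carry an OSS URL-style (query string) signature.
URL_SIGNATURE_PARAMS = {"OSSAccessKeyId", "Signature", "Expires"}


def string_to_sign(verb, bucket, obj, date, headers):
    """OSS header-signing canonical string: verb, Content-MD5, Content-Type, Date,
    every x-oss-* header (lower-cased, sorted) and the bucket/object resource path."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    oss_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered) if k.startswith("x-oss-"))
    return (f"{verb}\n{lowered.get('content-md5', '')}\n{lowered.get('content-type', '')}\n"
            f"{date}\n{oss_headers}/{bucket}/{obj}")


def sign_origin_request(verb, bucket, obj, date, headers, key_id, key_secret, sts_token=None):
    """Return the request headers with the Authorization field OSS expects.
    With STS credentials the token travels as x-oss-security-token and is therefore signed."""
    signed = dict(headers, Date=date)
    if sts_token:
        signed["x-oss-security-token"] = sts_token
    digest = hmac.new(key_secret.encode(), string_to_sign(verb, bucket, obj, date, signed).encode(),
                      hashlib.sha1).digest()
    signed["Authorization"] = f"OSS {key_id}:{base64.b64encode(digest).decode()}"
    return signed


def has_conflicting_signatures(url, headers):
    """True when the request is signed twice: an Authorization header plus URL signature
    parameters, which is the combination OSS rejects with an authentication failure."""
    query_keys = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    return "Authorization" in headers and bool(query_keys & URL_SIGNATURE_PARAMS)


# Constructed sample values; bucket, key ID, secret and token are placeholders.
SAMPLE = dict(verb="GET", bucket="my-bucket", obj="img/logo.png",
              date="Mon, 15 Dec 2025 08:00:00 GMT", headers={})


def demo():
    hdrs = sign_origin_request(**SAMPLE, key_id="LTAI_EXAMPLE_ID",
                               key_secret="example-secret", sts_token="STS_TOKEN_PLACEHOLDER")
    plain = "https://my-bucket.oss-cn-hangzhou.aliyuncs.com/img/logo.png"
    signed_url = plain + "?OSSAccessKeyId=LTAI_EXAMPLE_ID&Expires=1765785600&Signature=abc"
    return hdrs, has_conflicting_signatures(plain, hdrs), has_conflicting_signatures(signed_url, hdrs)
```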

Procedure

The configuration process involves two steps: first, perform a one-time authorization for your account, and then enable the feature for the specified accelerated domain name.

  1. Grant CDN access to OSS. Before you use this feature for the first time on any domain name in your account, you must grant CDN permission to access OSS. This is a one-time, account-level authorization. If you are not prompted to authorize, you can skip this step.

    (Recommended) Authorization in the console

    1. Log on to the CDN console.

    2. In the navigation pane on the left, click Domain Names.

    3. On the Domain Names page, find the domain name that you want to manage and click Manage.

    4. In the navigation pane on the left for the domain name, click Origin Fetch.

    5. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize. On the authorization confirmation page, click Authorize.


    Manual authorization via RAM

    1. Log on to the RAM console.

    2. In the navigation pane on the left, click Permissions > Policies.

    3. On the Policies page, click Create Policy.

    4. On the JSON tab, enter the following policy.

       {
           "Version": "1",
           "Statement": [
               {
                   "Action": [
                       "oss:List*",
                       "oss:Get*"
                   ],
                   "Resource": "*",
                   "Effect": "Allow"
               }
           ]
       }

    5. Click OK. On the Create Policy page, enter the following information and click OK.

       • Policy Name: AliyunCDNAccessingPrivateOSSRolePolicy

       • Description: This authorization policy is for the role that is used by CDN/DCDN to perform origin fetch from a private OSS bucket. It includes read-only permissions for OSS.

    In the navigation pane on the left, click Identities > Roles.

    1. On the Roles page, click Create Role.

    2. Set Principal Type to Alibaba Cloud Account, select Current Alibaba Cloud Account for Principal Name, and click OK.

    3. In the Create Role step, set Role Name to AliyunCDNAccessingPrivateOSSRole.

    After the role is created, click AliyunCDNAccessingPrivateOSSRole in the role list on the Roles page to go to the role details page.

    1. On the Trust Policy tab, click Edit Trust Policy, enter the following trust policy, and click OK.

       {
         "Statement": [
           {
             "Action": "sts:AssumeRole",
             "Effect": "Allow",
             "Principal": {
               "Service": [
                 "cdn.aliyuncs.com"
               ]
             }
           }
         ],
         "Version": "1"
       }

    2. Switch to the Grants tab and click Grant Permission.

    3. Configure the grant as follows and click Grant permissions.

       • Resource Scope: Account

       • Principal: Select the AliyunCDNAccessingPrivateOSSRole that you created.

       • Authorization Policy: Select Custom Policy, and then select the AliyunCDNAccessingPrivateOSSRolePolicy that you created.

    Return to the Origin Fetch page in the CDN console. The authorization for the Alibaba Cloud OSS Private Bucket Access feature is now complete.

  2. Enable Alibaba Cloud OSS Private Bucket Access and configure the origin fetch type.

    1. Find the Alibaba Cloud OSS Private Bucket Access section and turn on the switch.

    2. In the Alibaba Cloud OSS Private Bucket Access dialog box, select an origin fetch type and click OK.

      Origin fetch types and their recommended use cases:

      • Bucket in the Same Account (Recommended): Suitable when CDN and the OSS bucket are under the same Alibaba Cloud account. The system automatically uses a temporary STS token for authentication, which simplifies configuration, eliminates the need to manage keys, and provides higher security.

      • Bucket Across Accounts or in the Same Account: Suitable when CDN and the OSS bucket belong to different Alibaba Cloud accounts; same-account scenarios are also supported. This method requires you to manually provide the AccessKey ID and AccessKey secret of the Alibaba Cloud account to which the destination private OSS bucket belongs. For more information, see Create an AccessKey pair.

      Note
      • Access scope: After you enable this feature, the accelerated domain name can access all resources in its origin private bucket. You cannot restrict access to specific resources within the bucket in CDN.

      • Signature conflicts: To prevent OSS authentication failures, make sure that origin requests do not contain signatures in both the request header and URL parameters.

      • Feature conflicts: This feature conflicts with the default index page configuration of the static website hosting feature in OSS. To use both features at the same time, see the related document.
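An added check, not part of this page or of the RAM console, that a practitioner can run over the two JSON documents from the manual RAM authorization in step 1 before granting them: it confirms that the permission policy allows only oss:Get*/oss:List* style read actions (the read-only grant the page relies on) and that the trust policy lets only the cdn.aliyuncs.com service principal assume the role. Treating only the oss:Get and oss:List prefixes as read-only is this check's own assumption.

```python
import json

# The permission policy and trust policy from the procedure above, exactly as on this page.
PERMISSION_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Action": ["oss:List*", "oss:Get*"],
                                "Resource": "*", "Effect": "Allow"}]}
""")
TRUST_POLICY = json.loads("""
{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                "Principal": {"Service": ["cdn.aliyuncs.com"]}}], "Version": "1"}
""")

# Treat only these OSS action prefixes as read-only (an assumption made by this check).
READ_ONLY_PREFIXES = ("oss:Get", "oss:List")
EXPECTED_SERVICE = "cdn.aliyuncs.com"


def _as_list(value):
    """RAM accepts a single string or a list for Action/Service; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]


def audit_permission_policy(policy):
    """Findings for every Allow action that grants more than OSS read access; [] means read-only."""
    return [f"non-read-only action granted: {action}"
            for stmt in _allow_statements(policy)
            for action in _as_list(stmt.get("Action"))
            if not action.startswith(READ_ONLY_PREFIXES)]


def audit_trust_policy(policy):
    """Findings unless only the CDN service principal may assume the role via sts:AssumeRole."""
    findings = []
    for stmt in _allow_statements(policy):
        findings += [f"unexpected trust action: {a}"
                     for a in _as_list(stmt.get("Action")) if a != "sts:AssumeRole"]
        principal = stmt.get("Principal", {})
        # Any RAM user or account principal would let something other than the CDN service assume the role.
        findings += [f"non-service principal may assume role: {kind}"
                     for kind in principal if kind != "Service"]
        findings += [f"unexpected service principal: {svc}"
                     for svc in _as_list(principal.get("Service")) if svc != EXPECTED_SERVICE]
    return findings
```

The check does not evaluate Resource; the page's procedure uses "*", which covers every bucket in the account rather than only the origin bucket.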

Security recommendations

After you enable origin fetch from a private bucket, your origin data is secure. However, the resources cached on POPs are publicly accessible by default. To prevent unauthorized use of CDN traffic, we strongly recommend that you use the following security features provided by CDN:

Disable origin fetch from private OSS buckets

If you no longer want an accelerated domain name to access resources in a private bucket, revoke the authorization in the RAM console. This action revokes the permissions that allow CDN to perform origin fetch from the private OSS bucket.

  1. Disable the feature in the CDN console.

    1. Log on to the CDN console.

    2. In the navigation pane on the left, click Domain Names.

    3. On the Domain Names page, find the domain name that you want to manage and click Manage.

    4. In the navigation pane on the left for the domain name, click Origin Fetch.

    5. In the Alibaba Cloud OSS Private Bucket Access section, turn off the Alibaba Cloud OSS Private Bucket Access switch.

  2. Completely delete the authorization in the RAM console.

    1. Log on to the RAM console.

    2. In the navigation pane on the left, click Identities > Roles.

    3. In the Role Name list, click the AliyunCDNAccessingPrivateOSSRole role.


    4. Remove all permissions from the AliyunCDNAccessingPrivateOSSRole role.

      1. Click Revoke Permission next to each attached permission.

      2. In the confirmation dialog box that appears, click Revoke Permission.

    5. Return to the Identities > Roles page and delete the AliyunCDNAccessingPrivateOSSRole role.

      1. Click Delete Role for the AliyunCDNAccessingPrivateOSSRole role.

      2. In the Delete Role confirmation dialog box, click Delete Role.

    6. Return to the Permission Management > Policies page and delete the AliyunCDNAccessingPrivateOSSRolePolicy policy.

      1. Click the Delete Policy button for the AliyunCDNAccessingPrivateOSSRolePolicy.

      2. In the Delete Policy confirmation dialog box, enter the policy name and click Delete Policy.

FAQ

How do I resolve the "This request is forbidden by kms." error when CDN accesses OSS resources?

If you use Key Management Service (KMS) to encrypt data in your OSS bucket, you must grant the CDN origin fetch role additional permissions to use the KMS key. Otherwise, CDN cannot decrypt or access these files, and a "This request is forbidden by kms." error is returned.

  1. Log on to the RAM console.

  2. In the navigation pane on the left, choose Identities > Roles.

  3. In the Role Name list, find the AliyunCDNAccessingPrivateOSSRole role.

  4. Click Grant Permission. The Principal is automatically filled in.

  5. Under Policy, select System Policy. Search for and click AliyunKMSCryptoUserAccess to add it to the Selected Policy box.

  6. Click Grant Permissions. A message indicates that the operation is completed.

  7. Click Close.


  8. Use the Refresh Resources feature. After the refresh task is complete, try to access the resource again.

Reference

Best practices for using CDN to accelerate access to OSS resources