If your accelerated domain name uses a private Alibaba Cloud Object Storage Service (OSS) bucket as the origin server, you must enable origin fetch from the private OSS bucket. This feature authenticates access, prevents unauthorized traffic, and allows CDN to accelerate resources in the private OSS bucket.
Usage notes
The first time you use this feature, you must grant authorization by enabling the default authorization policy in a single click. After the policy is enabled, CDN is granted read-only access to all OSS buckets that belong to your Alibaba Cloud account. This access uses temporary Security Token Service (STS) tokens and does not support write or delete operations, such as PUT.
If you configure a permanent security token, you must restrict its permissions. The token must not have permissions for write or delete operations, such as PUT, on the OSS bucket. For more information about how to configure access permissions for a Resource Access Management (RAM) user to access OSS, see Access OSS as a RAM user.
After you grant authorization and enable origin fetch from a private bucket for an accelerated domain name, you can access all resources in the private bucket through that domain name. Evaluate this decision carefully. If the content in the private bucket is not suitable for origin fetch acceleration by CDN, do not grant the authorization or enable this feature.
If your website is at risk of attacks, we recommend that you purchase an Anti-DDoS service. Exercise caution when you grant authorization or enable origin fetch from private buckets.
The CDN origin fetch feature for private OSS buckets conflicts with the default index page configuration for static website hosting in OSS. To use both features at the same time, see the related document.
After you enable origin fetch from a private bucket, CDN nodes add an `Authorization` header to origin requests. The header value contains the signature information that is required to authenticate access to the private OSS bucket. Note that a single origin request to OSS cannot contain a signature in both the header and the URL parameters. If it does, OSS authentication fails.
You can use the Referer hotlink protection and URL signing features that are provided by Alibaba Cloud CDN to enhance the protection of your resources from unauthorized access. For more information, see Configure a Referer blacklist or whitelist and Configure URL signing.
Enable origin fetch from a private bucket
Log on to the CDN console.
In the navigation pane on the left, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage.
In the navigation pane on the left of the domain name, click Origin Fetch.
Optional: If you are using this feature for the first time, you must grant authorization. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize, and then click Agree To Authorize.
Note: If you cannot grant authorization in a single click in the CDN console, you can grant permissions in the RAM console. For more information, see Grant permissions for CDN and DCDN to perform origin fetch from a private OSS bucket using the RAM service.
In the Alibaba Cloud OSS Private Bucket Access section, turn on the Alibaba Cloud OSS Private Bucket Access switch.
Note: When DCDN performs origin fetch from a private OSS bucket to access unencrypted files, the preceding configurations are sufficient for normal access. However, if you have files in OSS that are encrypted using KMS, you cannot directly access them. To access the encrypted files, you must add the AliyunKMSCryptoUserAccess permission to the AliyunCDNAccessingPrivateOSSRole role. For more information, see Add the AliyunKMSCryptoUserAccess permission to the AliyunCDNAccessingPrivateOSSRole role.
In the Alibaba Cloud OSS Private Bucket Access dialog box, select an Origin Fetch Type and click OK.

Parameters in the dialog box:
Origin Fetch Type:
  Origin Fetch From The Same Account: The system automatically configures an STS token. This simplifies the configuration but only supports origin fetch by a CDN domain name to a private OSS bucket under the same Alibaba Cloud account.
  Origin Fetch From A Different Account Or The Same Account: You must configure a permanent security token. This supports origin fetch by a CDN domain name to a private OSS bucket under the same Alibaba Cloud account and also to a private OSS bucket under a different Alibaba Cloud account.
AccessKey ID: The AccessKey ID of the Alibaba Cloud account to which the destination private OSS bucket belongs. For more information, see Create an AccessKey pair.
AccessKey secret: The AccessKey secret of the Alibaba Cloud account to which the destination private OSS bucket belongs.
Optional: Add the AliyunKMSCryptoUserAccess permission to the AliyunCDNAccessingPrivateOSSRole role.
Log on to the RAM console.
In the navigation pane on the left, choose .
In the Role Name list, find the AliyunCDNAccessingPrivateOSSRole role.
Click Add Permissions. The Principal is automatically filled in.
Under Authorization Policy, select System Policy. Search for and click AliyunKMSCryptoUserAccess to add it to the Selected box.
Click OK. A message indicates that the operation is Complete.
Click Close.

Grant permissions for CDN to perform origin fetch from a private OSS bucket using the RAM service
If you cannot enable authorization with a single click in the CDN console, you can also use the RAM service to grant CDN permission to perform origin fetch from a private OSS bucket.
Log on to the RAM console.
In the navigation pane on the left, click Permission Management > Policies.
On the Policies page, click Create Policy.
On the Script Editor tab, enter the following policy content.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:List*",
        "oss:Get*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Click OK. On the Create Policy page, enter the following information and click OK.
Name: AliyunCDNAccessingPrivateOSSRolePolicy
Note: This authorization policy is for the role that is used by DCDN to perform origin fetch from a private OSS bucket. It includes read-only permissions for OSS.
In the navigation pane on the left, click Identity > Roles.
On the Roles page, click Create Role.
Set Select Trusted Entity to Alibaba Cloud Account and click Next.
In the Configure Role step, enter the following information.
Role Name: AliyunCDNAccessingPrivateOSSRole
Note: DCDN uses this role by default to perform origin fetch from a private OSS bucket.
Set Select Trusted Alibaba Cloud Account to Current Alibaba Cloud Account and click OK.
After the role is created, click AliyunCDNAccessingPrivateOSSRole in the role list on the Roles page to go to the role details page.
On the Trust Policy tab, click Edit Trust Policy. Enter the following information and click Save Trust Policy.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cdn.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Switch to the Permissions tab and click Add Permissions.
Resource Scope: Account Level
Authorization Policy: Select Custom Policy, select the AliyunCDNAccessingPrivateOSSRolePolicy that you created, and click OK.
After you click Add Authorization, return to the Origin Fetch page in the CDN console. The authorization for the Alibaba Cloud OSS Private Bucket Origin Fetch feature is now complete.
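The usage notes require that the role grant CDN read-only OSS access only, and the trust policy above should let only the cdn.aliyuncs.com service principal assume the role. The following script, added here as an example and not part of Alibaba Cloud's documentation, lints both policy documents against those two requirements before you attach them; the read-only prefix list, the function names and the sample policies are this example's own constructions.

```python
import json

# Constructed copies of the two policy documents from the procedure above.
PERMISSION_POLICY = json.loads('{"Version": "1", "Statement": [{"Action": '
    '["oss:List*", "oss:Get*"], "Resource": "*", "Effect": "Allow"}]}')
TRUST_POLICY = json.loads('{"Statement": [{"Action": "sts:AssumeRole", '
    '"Effect": "Allow", "Principal": {"Service": ["cdn.aliyuncs.com"]}}], '
    '"Version": "1"}')

# Only read-style OSS actions are acceptable for the CDN role (assumption of
# this example); anything else, e.g. oss:Put*, oss:Delete*, oss:* or *, is a finding.
READ_ONLY_PREFIXES = ("oss:get", "oss:list")


def _as_list(value):
    """RAM policies allow a string or a list for Action/Principal entries."""
    return value if isinstance(value, list) else [value]


def check_permission_policy(policy):
    """Return findings for every Allow action that is not read-only OSS."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if not action.lower().startswith(READ_ONLY_PREFIXES):
                findings.append(f"non-read-only action granted: {action}")
    return findings


def check_trust_policy(policy, expected_service="cdn.aliyuncs.com"):
    """Return findings unless only the CDN service may call sts:AssumeRole."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"unexpected action in trust policy: {stmt.get('Action')}")
        for kind, who in stmt.get("Principal", {}).items():
            for principal in _as_list(who):
                if kind != "Service" or principal != expected_service:
                    findings.append(f"unexpected principal may assume role: {kind}={principal}")
    return findings


if __name__ == "__main__":
    print(check_permission_policy(PERMISSION_POLICY) or "permission policy: read-only OSS")
    print(check_trust_policy(TRUST_POLICY) or "trust policy: CDN service only")
```

Run it against the JSON you are about to paste into the Script Editor; an empty result for both checks means the role matches what this page describes.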
Revoke permissions for CDN to perform origin fetch from a private OSS bucket
If you no longer want an accelerated domain name to access resources in a private bucket that belongs to your account, you can revoke the authorization for the corresponding role in the Resource Access Management (RAM) console. This action revokes the permissions for CDN to perform origin fetch from the private OSS bucket.
Log on to the RAM console.
In the navigation pane on the left, click .
In the Role Name list, click the AliyunCDNAccessingPrivateOSSRole role.

Remove all permissions from the AliyunCDNAccessingPrivateOSSRole role.
Click Revoke for the permission.
In the confirmation dialog box that appears, click Revoke.
Return to the page and delete the AliyunCDNAccessingPrivateOSSRole role.
In the row that contains the AliyunCDNAccessingPrivateOSSRole role, click Delete.
In the Delete Role confirmation dialog box, click Delete Role.