If your origin server is a private Object Storage Service (OSS) bucket, you must enable the private bucket origin feature and grant Dynamic Route for CDN (DCDN) permissions to access the OSS bucket. This feature authenticates DCDN to the origin and protects the origin server from unauthorized access. This topic describes how to enable and disable access to private OSS buckets.

Background information

After you grant DCDN permissions to access private OSS buckets, you can also use features such as hotlink protection and URL authentication provided by DCDN to protect resources from unauthorized access. For more information, see Configure a referer whitelist or blacklist to enable hotlink protection and Configure URL authentication.

Notice
  • After you grant DCDN permissions to access private OSS buckets, DCDN is granted read-only permissions on all your OSS buckets.
  • After you enable the private bucket origin feature and grant DCDN permissions to access private OSS buckets, DCDN can access all resources in your private OSS buckets by using the accelerated domain names. Proceed with caution when you use this feature. Do not enable the private bucket origin feature or grant DCDN permissions to access private OSS buckets if your private bucket is unsuitable as an origin for your domain name.
  • If your website is likely to be attacked, we recommend that you purchase the Anti-DDoS service and that you do not enable the private bucket origin feature or grant DCDN permissions to access private OSS buckets.
  • The private bucket origin feature conflicts with the settings of the default homepage of the static website that is hosted on OSS. For more information about how to use the private bucket origin feature and the static website hosting feature at the same time, see Why do requests destined for my accelerated domain name trigger the error message "You are forbidden to list buckets" after access to private Object Storage Service (OSS) is enabled?
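Because the authorization gives the RAM role read-only access to every bucket in the account, it is worth being able to tell, from a policy document, exactly which buckets the role can read before attaching it. The following is an added example, not part of this topic or Alibaba Cloud's own code: a small evaluator for RAM policy documents that reports the buckets a policy lets the role read. Both policy documents and the bucket names are constructed; the broad one approximates an account-wide read-only grant, the scoped one a least-privilege alternative, and the case-insensitive wildcard matching is an assumption.

```python
import json
from fnmatch import fnmatchcase

# Constructed approximation of an account-wide read-only grant (not copied from the page).
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:Get*", "oss:List*"], "Resource": "*"},
    ],
})

# Constructed least-privilege alternative: read objects in one hypothetical origin
# bucket only, with an explicit Deny for a sub-prefix that must never be served.
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "oss:GetObject",
         "Resource": ["acs:oss:*:*:example-origin-bucket/*"]},
        {"Effect": "Deny", "Action": "oss:GetObject",
         "Resource": "acs:oss:*:*:example-origin-bucket/private/*"},
    ],
})


def _as_list(value):
    # Action and Resource may be a single string or a list in a policy document.
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    # '*' in a policy matches any run of characters; assumption: matching is case-insensitive.
    return fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy_json, action, resource):
    """Evaluate one action on one resource ARN against a policy document.
    An explicit Deny overrides any Allow; no matching statement means denied."""
    allowed = False
    for stmt in json.loads(policy_json).get("Statement", []):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def readable_buckets(policy_json, buckets):
    """Return the subset of the account's buckets whose objects the policy lets the role read."""
    return sorted(b for b in buckets
                  if is_allowed(policy_json, "oss:GetObject", f"acs:oss:*:*:{b}/some-object"))
```

Run `readable_buckets` against the policy actually attached to the role to confirm it lists only the bucket that serves as the origin for the accelerated domain name.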

Enable access to private OSS buckets

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click Origin Fetch.
  5. This step is required only the first time you grant DCDN permissions to access private OSS buckets. In the Alibaba Cloud OSS Private Bucket Access section, click Authorize, and then click Confirm Authorization Policy.
  6. In the Alibaba Cloud OSS Private Bucket Access section, turn on Alibaba Cloud OSS Private Bucket Access.
    Note You need to perform only the preceding steps if you want to authorize DCDN to access unencrypted files in a private OSS bucket. If you want DCDN to access OSS objects that are encrypted by using Key Management Service (KMS), you must first attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.
  7. Attach the AliyunKMSCryptoUserAccess policy to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole.
    4. Click Add Permissions in the Actions column. In the Add Permissions panel, the value of the Principal field is automatically specified.
    5. Click System Policy and enter AliyunKMSCryptoUserAccess in the search box to search for the AliyunKMSCryptoUserAccess permission policy. Click the permission policy to add it to the Selected list.
    6. Click OK.
    7. Click Complete.

Disable access to private OSS buckets

If you no longer need an accelerated domain name to access your private OSS buckets, you can log on to the RAM console and revoke the access permissions that are granted to DCDN.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. In the Role Name column, find the RAM role AliyunCDNAccessingPrivateOSSRole.
  4. Revoke all permissions that are granted to the RAM role AliyunCDNAccessingPrivateOSSRole.
    1. Click Remove Permission in the Actions column.
    2. In the Remove Permission message, click OK.
  5. Choose Identities > Roles and delete AliyunCDNAccessingPrivateOSSRole.
    1. Find the RAM role AliyunCDNAccessingPrivateOSSRole and click Delete in the Actions column.
    2. In the Delete Role message, click OK.