This document explains how to use STS temporary security tokens to enable cross-account back-to-origin for a private OSS bucket. Compared with distributing and rotating permanent AccessKey credentials, STS tokens are short-lived and scoped to a role, so there is no long-lived secret to leak. This simplifies permission management and improves the security of resource access.
By default, ESA uses STS to support back-to-origin only for private OSS buckets in the same Alibaba Cloud account. To enable cross-account back-to-origin for a private OSS bucket using STS, you must add a bucket policy in OSS that authorizes the account that hosts ESA. Follow these steps:
Log on to the Alibaba Cloud account that owns the private bucket. Then open the OSS console.
In the left navigation pane, click . On the Permission Control > Bucket Policy tab, click Authorize.

For Authorized User, select Other Account and enter arn:sts:uid, where uid is the account ID of the Alibaba Cloud account that hosts ESA (not the account that owns the bucket). For Authorized Operation, choose . Then click OK.
After the policy is added, verify it on the Bucket Policy tab: confirm that the principal is the ESA account, that the granted operations are no broader than the read access back-to-origin needs, and that the resource is limited to the intended bucket.
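The steps above are performed in the console, so the resulting policy is easy to get slightly wrong (wrong account ID, a wildcard principal, or an operation broader than read). The following Python is an added example, not code from the page or from Alibaba Cloud: it builds the kind of bucket policy document the procedure produces and then reviews a policy against the least-privilege expectations for cross-account back-to-origin. The account ID, bucket name, the rendered form of the STS principal (the page only says to enter `arn:sts:uid`) and the read-only action set are assumptions for illustration.

```python
import json
import re

# Constructed placeholders: the ESA account's UID and the private origin bucket.
ESA_ACCOUNT_UID = "123456789012345"
BUCKET = "my-private-origin"

# Assumption: back-to-origin only needs to fetch objects, so only read
# actions are acceptable in the Allow statement.
READ_ONLY_ACTIONS = {"oss:GetObject", "oss:ListObjects"}

# Accepts both the page's short form (arn:sts:<uid>) and a full STS principal
# such as arn:sts::<uid>:* or arn:sts::<uid>:assumed-role/<role>/*.
STS_PRINCIPAL = re.compile(r"^arn:sts::?(\d+)(?::|$)")


def _as_list(value):
    """OSS policies allow a single string or a list for Action/Principal/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def build_policy(uid: str, bucket: str, actions=READ_ONLY_ACTIONS) -> dict:
    """Bucket policy allowing STS credentials from account `uid` to read `bucket`.
    The Principal format is an assumption about how the console renders the entry."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Principal": [f"arn:sts::{uid}:*"],
            "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
        }],
    }


def review_policy(policy: dict, expected_uid: str, bucket: str) -> list[str]:
    """Return a list of findings; an empty list means the policy matches expectations."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        tag = f"statement[{i}]"
        principals = _as_list(st.get("Principal"))
        if not principals:
            findings.append(f"{tag}: no Principal")
        for p in principals:
            if p == "*":
                findings.append(f"{tag}: wildcard principal exposes the bucket to everyone")
                continue
            m = STS_PRINCIPAL.match(p)
            if not m:
                findings.append(f"{tag}: principal {p!r} is not an STS ARN")
            elif m.group(1) != expected_uid:
                findings.append(f"{tag}: principal {p!r} belongs to an unexpected account")
        for a in _as_list(st.get("Action")):
            if a not in READ_ONLY_ACTIONS:
                findings.append(f"{tag}: action {a!r} is broader than read-only")
        for r in _as_list(st.get("Resource")):
            if r != f"acs:oss:*:*:{bucket}" and not r.startswith(f"acs:oss:*:*:{bucket}/"):
                findings.append(f"{tag}: resource {r!r} is outside bucket {bucket!r}")
    return findings


# Constructed counter-example: what an over-permissive policy looks like.
OVERLY_BROAD_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:*"],
        "Principal": ["*"],
        "Resource": ["acs:oss:*:*:*"],
    }],
}


if __name__ == "__main__":
    good = build_policy(ESA_ACCOUNT_UID, BUCKET)
    print(json.dumps(good, indent=2))
    print("findings (expected policy):", review_policy(good, ESA_ACCOUNT_UID, BUCKET))
    print("findings (broad policy):", review_policy(OVERLY_BROAD_POLICY, ESA_ACCOUNT_UID, BUCKET))
```

Paste the JSON shown on the Bucket Policy tab into `review_policy` with your own ESA account ID and bucket name; any finding means the console entry did not produce the narrow grant you intended, most commonly because the bucket owner's own UID was entered instead of the ESA account's.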
