All Products
Search
Document Center

Edge Security Acceleration:Use S3-Compatible Mode to Back-to-Origin from OSS Private Bucket

Last Updated:Jun 25, 2026

When an OSS private bucket cannot use OSS authentication mode, you can configure S3-compatible mode as the origin authentication method for to access resources in the private bucket securely.

Overview

Alibaba Cloud OSS private buckets support two authentication modes for back-to-origin access: OSS authentication mode and S3-compatible authentication mode. The two modes differ at the protocol level — OSS authentication mode uses Alibaba Cloud's native signing protocol, while S3-compatible mode uses the AWS S3 signing protocol. If your OSS origin is in a region that does not support OSS authentication, or if your application requires S3-compatible API endpoints, you can use S3-compatible mode for back-to-origin authentication.

Important

When using ESA to back-to-origin from Alibaba Cloud OSS, the OSS service recognizes the back-to-origin traffic as "CDN back-to-origin outbound traffic" and offers a discounted rate. If you use S3-compatible mode, you will not be eligible for the discounted origin traffic pricing. OSS will charge the back-to-origin traffic as "outbound traffic over the Internet", which is higher than the CDN back-to-origin rate.

Note: When you switch the origin authentication mode between OSS and S3-compatible mode, propagation delay of ESA nodes across the network (within 10 seconds) may cause a brief period of back-to-origin failure. We recommend switching the authentication mode only when the domain name has no production traffic.

Configuration method

Prerequisites

Procedure

  1. In the ESA console, select Websites, and in the Website column, click the target site.

  2. In the left navigation pane, select DNS > Records, and click Add Record.

  3. Configure the following parameters:

    Parameter

    Setting

    Description

    Record Type

    CNAME

    Select CNAME as the record type.

    Hostname

    Enter the prefix of the business subdomain.

    The prefix portion of the business subdomain.

    Record Value

    S3-compatible

    Select S3-compatible as the record value type.

    Access Type

    Private Access

    Select Private Access for origin access.

    Origin Address

    Enter the transfer acceleration domain name of the bucket, such as bucket-name.oss-accelerate.aliyuncs.com.

    The transfer acceleration domain name corresponding to the OSS bucket.

    Region

    Select the region where the bucket is located, such as cn-north-1.

    The Alibaba Cloud region where the OSS bucket resides.

    Access Key ID

    Enter the AccessKey ID of the RAM user or RAM role that has been granted access to the OSS bucket.

    The AccessKey ID used for S3-compatible authentication.

    Secret Access Key

    Enter the AccessKey Secret corresponding to the AccessKey ID.

    The AccessKey Secret used for S3-compatible authentication.

Verification

After the configuration is complete, verify that back-to-origin access is working:

  1. Open a browser and navigate to http://<business-subdomain>.<primary-domain>/<path-to-test-object>, replacing the placeholders with your actual domain name and the path to a test file in the OSS bucket.

  2. Verify that the page returns a 200 status code and displays the file content from the OSS private bucket.

  3. If the page returns a 403 or 404 error, check that the configuration parameters and the transfer acceleration domain name are correct.