When an OSS private bucket cannot use OSS authentication mode, you can configure S3-compatible mode as the origin authentication method for to access resources in the private bucket securely.
Overview
Alibaba Cloud OSS private buckets support two authentication modes for back-to-origin access: OSS authentication mode and S3-compatible authentication mode. The two modes differ at the protocol level — OSS authentication mode uses Alibaba Cloud's native signing protocol, while S3-compatible mode uses the AWS S3 signing protocol. If your OSS origin is in a region that does not support OSS authentication, or if your application requires S3-compatible API endpoints, you can use S3-compatible mode for back-to-origin authentication.
When using ESA to back-to-origin from Alibaba Cloud OSS, the OSS service recognizes the back-to-origin traffic as "CDN back-to-origin outbound traffic" and offers a discounted rate. If you use S3-compatible mode, you will not be eligible for the discounted origin traffic pricing. OSS will charge the back-to-origin traffic as "outbound traffic over the Internet", which is higher than the CDN back-to-origin rate.
Note: When you switch the origin authentication mode between OSS and S3-compatible mode, propagation delay of ESA nodes across the network (within 10 seconds) may cause a brief period of back-to-origin failure. We recommend switching the authentication mode only when the domain name has no production traffic.
Configuration method
Prerequisites
Create a RAM role and grant the
AliyunOSSFullAccessorAliyunOSSReadOnlyAccesspolicy.
Procedure
In the ESA console, select Websites, and in the Website column, click the target site.
In the left navigation pane, select DNS > Records, and click Add Record.
Configure the following parameters:
Parameter
Setting
Description
Record Type
CNAMESelect
CNAMEas the record type.Hostname
Enter the prefix of the business subdomain.
The prefix portion of the business subdomain.
Record Value
S3-compatible
Select S3-compatible as the record value type.
Access Type
Private Access
Select Private Access for origin access.
Origin Address
Enter the transfer acceleration domain name of the bucket, such as
bucket-name.oss-accelerate.aliyuncs.com.The transfer acceleration domain name corresponding to the OSS bucket.
Region
Select the region where the bucket is located, such as
cn-north-1.The Alibaba Cloud region where the OSS bucket resides.
Access Key ID
Enter the AccessKey ID of the RAM user or RAM role that has been granted access to the OSS bucket.
The AccessKey ID used for S3-compatible authentication.
Secret Access Key
Enter the AccessKey Secret corresponding to the AccessKey ID.
The AccessKey Secret used for S3-compatible authentication.
Verification
After the configuration is complete, verify that back-to-origin access is working:
Open a browser and navigate to
http://<business-subdomain>.<primary-domain>/<path-to-test-object>, replacing the placeholders with your actual domain name and the path to a test file in the OSS bucket.Verify that the page returns a 200 status code and displays the file content from the OSS private bucket.
If the page returns a 403 or 404 error, check that the configuration parameters and the transfer acceleration domain name are correct.