OBS Authorization
If you use a Huawei Cloud OBS private bucket as the origin server, enable OBS authorization so that CDN can pull content from your private bucket.

Do not delete the agency for authorizing CDN to access OBS. Otherwise, CDN cannot pull resources from OBS private buckets.
Constraints
By default, an account administrator has all permissions. You do not need to add permissions when configuring an agency as an account administrator. IAM users can enable OBS authorization only when they have the following permissions:
IAM permissions
- Listing agencies: iam:agencies:listAgencies
- Creating an agency: iam:agencies:createAgency
- Granting permissions to an agency for a region-specific project: iam:permissions:grantRoleToAgencyOnProject
CDN permissions
- Changing the billing option: cdn:configuration:modifyChargeMode
- Granting CDN read-only permissions: CDN ReadOnlyAccess
Precautions
- CDN depends on other cloud services. Therefore, after enabling OBS authorization, configure related policies to make the OBS private bucket available for CDN acceleration by referring to Dependencies Between CDN and Other Services.
- Since April 2, 2025 (Beijing time), Huawei Cloud CDN has enabled the new OBS agency. It has fewer permissions than the old one. If you have enabled the OBS agency of the old version, you can reduce permissions by referring to How Do I Replace the Old OBS Agency Permissions with New Ones?
Procedure
- Log in to Huawei Cloud console. Choose .
The CDN console is displayed.
- In the navigation pane, choose .
- In the upper right corner of the Domains page, click Enable OBS Authorization.
- Click Authorize. The system creates an agency named CDNAccessPrivateOBS for you on the IAM console. CDN now has the read-only permission to access your private OBS buckets.
If files in your OBS bucket are encrypted using KMS, assign the kms:cmk:get and kms:dek:crypto policies to the CDNAccessPrivateOBS agency so that CDN can read and accelerate delivery of the encrypted files.
- (Optional) Assign the kms:cmk:get and kms:dek:crypto policies to the CDNAccessPrivateOBS agency.
  - Log in to Huawei Cloud console. Choose Service List > Management & Government > Identity and Access Management to access the IAM console.
  - In the navigation pane, choose .
  - On the Agencies page, click Authorize in the Operation column of the row containing CDNAccessPrivateOBS.
    The Select Policy/Role page is displayed.
  - Click Create Policy in the upper right corner and set the parameters as follows:
    - Policy Name: Enter a custom name.
    - Policy View: Select Visual editor.
    - Policy Content:
      - Select Allow.
      - Service: Select Key Management Service.
      - Actions: Select kms:cmk:get and kms:dek:crypto.
      - Resources: Select All.
    - Click Next.
  - Select the policy created in the previous step and click Next.
  - Set Scope to Region-specific projects and select the region based on the region of the OBS bucket.
  - Click OK.
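The following added example (not Huawei Cloud code) audits a custom policy document before it is attached to the CDNAccessPrivateOBS agency, checking that it grants the two KMS actions named above and nothing broader. It assumes the policy is available in the IAM custom-policy JSON layout ("Version": "1.1" with a Statement list) and ignores the Resource element, since the procedure selects all resources; the function name audit_kms_policy and the sample policies are constructed for illustration.

```python
import fnmatch
import json

# Actions the page says the CDNAccessPrivateOBS agency needs for KMS-encrypted objects.
REQUIRED = {"kms:cmk:get", "kms:dek:crypto"}

# Constructed sample policies in the assumed IAM custom-policy JSON layout.
MINIMAL = '''{"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["kms:cmk:get", "kms:dek:crypto"]}]}'''
TOO_BROAD = '''{"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["kms:cmk:get", "kms:*:*"]}]}'''
INCOMPLETE = '''{"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["kms:cmk:get"]},
  {"Effect": "Deny", "Action": ["kms:dek:crypto"]}]}'''


def audit_kms_policy(policy_json):
    """Return (missing, excess): required actions that are not effectively
    granted, and allowed patterns that go beyond the two required actions."""
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(actions)

    def granted(action):
        # A matching Deny overrides any Allow; patterns may contain "*".
        if any(fnmatch.fnmatchcase(action, d) for d in denied):
            return False
        return any(fnmatch.fnmatchcase(action, a) for a in allowed)

    missing = sorted(a for a in REQUIRED if not granted(a))
    excess = sorted(a for a in allowed if a not in REQUIRED)
    return missing, excess


if __name__ == "__main__":
    for name, doc in [("minimal", MINIMAL), ("too_broad", TOO_BROAD),
                      ("incomplete", INCOMPLETE)]:
        missing, excess = audit_kms_policy(doc)
        print(f"{name}: missing={missing} excess={excess}")
```

An empty missing list with an empty excess list means the policy matches what the procedure configures; any entry in excess is a grant wider than CDN needs to read encrypted objects.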