Configure private origin authentication

This page provides an overview of private origin authentication and instructions for using it with Cloud CDN.

Private origin authentication gives Cloud CDN long-term resource access to private Amazon S3 buckets or other compatible object stores. Using private origins prevents clients from bypassing Cloud CDN and accessing your origin directly.

This feature is supported for Cloud CDN with either a global external Application Load Balancer or a classic Application Load Balancer.

Private origin authentication is origin-facing, while signed URLs and signed cookies are client-facing. You can enable both for the same content. Private origin authentication limits non-CDN access to your origins and content. Signed URLs and cookies control which users can access Cloud CDN.

Before you begin

Create a hash-based message authentication code (HMAC) key to authenticate requests and associate it with a service account. Make a note of the access key and secret.

See Accessing AWS using your AWS credentials: Programmatic Access in AWS documentation.
Configure a load balancer with the external backend.

If your object store expects a particular value for the HTTP request's Host header, make sure that it is configured in the backend service. If you don't configure a custom request header, the backend service preserves the Host header that the client used to connect to the external Application Load Balancer.

For configuration steps, see Working with custom request headers. For a specific example, see Configuring a load balancer with an external backend.
If necessary, update to the latest version of the Google Cloud CLI:
```
gcloud components update
```

Configure authentication for private origins

To configure private origin authentication, use the following instructions:

gcloud

Export the backend configuration for your private origin into a .yaml file by using the gcloud compute backend-services export command:
```
gcloud compute backend-services export BACKEND_SERVICE_NAME \
   [--destination=DESTINATION]
```
Replace DESTINATION with the name of the .yaml file—for example, my-private-origin.yaml.

To authenticate your backend requests by using the HMAC key, specify these additional configuration options in the securitySettings section of backendServices:

securitySettings:
  awsV4Authentication:
    accessKeyId: ACCESS_KEY_ID
    accessKey: ACCESS_KEY
    [accessKeyVersion: ACCESS_KEY_VERSION]
    originRegion: REGION
…]

Replace the following:

ACCESS_KEY_ID: the HMAC access key ID
ACCESS_KEY: the HMAC access key
ACCESS_KEY_VERSION (optional): a unique name that you can set to represent the key version
REGION: a valid region for your storage provider. For Amazon S3, the value is not a Google Cloud region.

The following snippet shows the contents of a sample my-private-origin.yaml file:

 name: shopping-cart-services
 backends:
   - description: cart-backend-1
     group: 'https://www.googleapis.com/compute/v1/projects/my-project-id/global/networkEndpointGroups/my-network-origin-group'
 securitySettings:
   awsV4Authentication:
     accessKeyId: AKIDEXAMPLE
     accessKey: c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9
     accessKeyVersion: prod-access-key-v1.2
     originRegion: us-east-2

To update your private origin, import the configuration to your backend service by using the gcloud compute backend-services import command:
```
gcloud compute backend-services import BACKEND_SERVICE_NAME \
   [--source=SOURCE]
```
Replace SOURCE with the name of the .yaml file.

API

To authenticate your backend requests by using the HMAC key, specify these additional configuration options in the securitySettings section of backendServices.

Use the Method: backendServices.insert or Method: backendServices.update API call.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices
PUT https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE

Add the following snippet to the JSON request body:

securitySettings: {
  awsV4Authentication: {
    accessKeyId: ACCESS_KEY_ID,
    accessKey: ACCESS_KEY,
    [accessKeyVersion: ACCESS_KEY_VERSION],
    originRegion: REGION
  }
}

Replace the following:

ACCESS_KEY_ID: the HMAC access key ID
ACCESS_KEY: the HMAC access key
ACCESS_KEY_VERSION (optional): a unique name that you can set to represent the key version
REGION: a valid region for your storage provider. For Amazon S3, the value is not a Google Cloud region.

The following snippet shows the contents of a sample JSON request body:

securitySettings: {
  awsV4Authentication: {
    accessKeyId: "AKIDEXAMPLE",
    accessKey: "c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9",
    accessKeyVersion: "prod-access-key-v1.2",
    originRegion: "us-east-2"
  }
}

The service name is automatically set to s3 for creating the signature. After these configurations are in place, Cloud CDN generates an HTTP Authorization header for all requests to your origin.

Cache privately authenticated responses

You might want to ensure that privately-authenticated content is cached by Cloud CDN.

To do this, set the cache mode to Force cache all content and specify a TTL, so that all content served from the origin is cached.

Alternatively, if you don't want to force all content to be cached the same way, change the cache mode to Use origin setting based on Cache-Control headers or Cache static content and ensure that the Cache-Control header is correctly set on content served from your origin.

What's next

Web security best practices