Stay organized with collections
Save and categorize content based on your preferences.
This page provides an overview of private origin authentication and instructions
for using it with Cloud CDN.
Private origin authentication gives Cloud CDN long-term resource access
to private Amazon S3 buckets or other compatible object stores. Using
private origins prevents clients from bypassing
Cloud CDN and accessing your origin directly.
This feature is supported for Cloud CDN with either a
global external Application Load Balancer or a classic Application Load Balancer.
Private origin authentication is origin-facing, while
signed URLs
and signed cookies are client-facing. You
can enable both for the same content. Private origin authentication limits
non-CDN access to your origins and content. Signed URLs and cookies control
which users can access Cloud CDN.
Before you begin
Create a hash-based message authentication code (HMAC) key to authenticate
requests and associate it with a service account. Make a note of the access
key and secret.
If your object store expects a particular value for the HTTP request's Host
header, make sure that it is configured in the backend service. If you don't
configure a custom request header, the backend service preserves the Host
header that the client used to connect to the external Application Load Balancer.
Click the name of the origin that you want to configure. The origin must
be of the Custom origin type.
On the Origin details page, click the Edit button.
To navigate to the Host and path rules section, click Next.
To navigate to the Cache performance section, click Next.
In the Private origin authentication section, select
Authenticate requests to this origin with AWS Signature Version 4.
Then, specify the following information:
Key ID: access key for your Amazon S3 bucket or other compatible
object store.
Key: the secret key used to authenticate to the object store.
If you're using a private Cloud Storage bucket, specify the HMAC key.
Key version: a unique name to represent the key version.
Region: the region that your object store is located in—for
example, us-east-1.
Click Done.
gcloud
Export the backend configuration for your private origin into a
YAML file by using the gcloud compute backend-services export
command:
Replace DESTINATION with the name of the YAML
file—for example, my-private-origin.yaml.
To authenticate your backend requests by using the HMAC key,
specify these additional configuration options in the
securitySettings section of backendServices:
To authenticate your backend requests by using the HMAC key, specify these
additional configuration options in the securitySettings section of
backendServices.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices
PUT https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE
Add the following snippet to the JSON request body:
The service name is automatically set to s3 for creating the signature.
After these configurations are in place, Cloud CDN generates an
HTTP Authorization header for all requests to your origin.
Cache privately authenticated responses
You might want to ensure that privately authenticated content is cached by
Cloud CDN.
To do this, set the cache mode
to Force cache all content and specify a TTL, so that all content served from
the origin is cached.
Alternatively, if you don't want to force all content to be cached the same way,
change the cache mode to Use origin setting based on Cache-Control headers
or Cache static content and ensure that the Cache-Control header is
correctly set on content served from your origin.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003ePrivate origin authentication enables Cloud CDN to securely access private Amazon S3 buckets or compatible object stores, preventing direct client access to the origin.\u003c/p\u003e\n"],["\u003cp\u003eThis feature is compatible with Cloud CDN using either a global external Application Load Balancer or a classic Application Load Balancer, and only supports the \u003ccode\u003eGET\u003c/code\u003e, \u003ccode\u003eHEAD\u003c/code\u003e, \u003ccode\u003eOPTIONS\u003c/code\u003e, and \u003ccode\u003eTRACE\u003c/code\u003e HTTP methods.\u003c/p\u003e\n"],["\u003cp\u003eConfiguration involves creating a hash-based message authentication code (HMAC) key, associating it with a service account, and configuring the backend service with the access key ID, access key, and region.\u003c/p\u003e\n"],["\u003cp\u003ePrivate origin authentication is origin-facing, contrasting with client-facing signed URLs and cookies, and it can be enabled alongside these other authentication options.\u003c/p\u003e\n"],["\u003cp\u003eTo ensure privately authenticated content is cached, you should set Cloud CDN's cache mode to "Force cache all content" or "Use origin setting based on Cache-Control headers", or "Cache static content" and verify the \u003ccode\u003eCache-Control\u003c/code\u003e header on the origin's content.\u003c/p\u003e\n"]]],[],null,["This page provides an overview of private origin authentication and instructions\nfor using it with Cloud CDN.\n\nPrivate origin authentication gives Cloud CDN long-term resource access\nto private Amazon S3 buckets or other compatible object stores. Using\nprivate origins prevents clients from bypassing\nCloud CDN and accessing your origin directly.\n\nThis feature is supported for Cloud CDN with either a\nglobal external Application Load Balancer or a classic Application Load Balancer.\n\nPrivate origin authentication is origin-facing, while\n[signed URLs](/cdn/docs/using-signed-urls)\nand [signed cookies](/cdn/docs/using-signed-cookies) are client-facing. You\ncan enable both for the same content. Private origin authentication limits\nnon-CDN access to your origins and content. Signed URLs and cookies control\nwhich users can access Cloud CDN.\n| **Note:** This feature supports only the `GET`, `HEAD`, `OPTIONS`, and `TRACE` HTTP methods.\n\nBefore you begin\n\n- Create a hash-based message authentication code (HMAC) key to authenticate\n requests and associate it with a service account. Make a note of the access\n key and secret.\n\n See [Accessing AWS using your AWS credentials: Programmatic Access](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) in AWS documentation.\n- [Configure a load balancer with the external backend](/load-balancing/docs/https/setting-up-https-external-backend-internet-neg#config-lb-external-backend).\n\n If your object store expects a particular value for the HTTP request's `Host`\n header, make sure that it is configured in the backend service. If you don't\n configure a custom request header, the backend service preserves the `Host`\n header that the client used to connect to the external Application Load Balancer.\n\n For configuration steps, see\n [Working with custom request headers](/load-balancing/docs/https/custom-headers#working-with-request).\n For a specific example, see\n [Configuring a load balancer with an external backend](/load-balancing/docs/https/setting-up-https-external-backend-internet-neg#config-lb-external-backend).\n- If necessary, update to the latest version of the Google Cloud CLI:\n\n ```\n gcloud components update\n ```\n\nConfigure authentication for private origins\n\nTo configure private origin authentication, use the following instructions: \n\nConsole\n\n1. In the Google Cloud console, go to the **Cloud CDN** page.\n\n [Go to Cloud CDN](https://console.cloud.google.com/networking/cdn/list)\n2. Click the name of the origin that you want to configure. The origin must\n be of the **Custom origin** type.\n\n3. On the **Origin details** page, click the **Edit** button.\n\n4. To navigate to the **Host and path rules** section, click **Next**.\n\n5. To navigate to the **Cache performance** section, click **Next**.\n\n6. In the **Private origin authentication** section, select\n **Authenticate requests to this origin with AWS Signature Version 4**.\n Then, specify the following information:\n\n - **Key ID**: access key for your Amazon S3 bucket or other compatible object store.\n - **Key**: the secret key used to authenticate to the object store. If you're using a private Cloud Storage bucket, specify the HMAC key.\n - **Key version**: a unique name to represent the key version.\n - **Region** : the region that your object store is located in---for example, `us-east-1`.\n7. Click **Done**.\n\ngcloud\n\n1. Export the backend configuration for your private origin into a\n YAML file by using the `gcloud compute backend-services export`\n command:\n\n ```\n gcloud compute backend-services export BACKEND_SERVICE_NAME \\\n [--destination=DESTINATION]\n ```\n\n Replace \u003cvar translate=\"no\"\u003eDESTINATION\u003c/var\u003e with the name of the YAML\n file---for example, `my-private-origin.yaml`.\n2. To authenticate your backend requests by using the HMAC key,\n specify these additional configuration options in the\n `securitySettings` section of `backendServices`:\n\n ```\n securitySettings:\n awsV4Authentication:\n accessKeyId: ACCESS_KEY_ID\n accessKey: ACCESS_KEY\n [accessKeyVersion: ACCESS_KEY_VERSION]\n originRegion: REGION\n …]\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eACCESS_KEY_ID\u003c/var\u003e: the HMAC access key ID\n - \u003cvar translate=\"no\"\u003eACCESS_KEY\u003c/var\u003e: the HMAC access key\n - \u003cvar translate=\"no\"\u003eACCESS_KEY_VERSION\u003c/var\u003e (optional): a unique name that you can set to represent the key version\n - \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: a valid region for your storage provider. For Amazon S3, the value is not a Google Cloud region.\n\n The following snippet shows the contents of a sample\n `my-private-origin.yaml` file: \n\n name: shopping-cart-services\n backends:\n - description: cart-backend-1\n group: 'https://www.googleapis.com/compute/v1/projects/my-project-id/global/networkEndpointGroups/my-network-origin-group'\n securitySettings:\n awsV4Authentication:\n accessKeyId: AKIDEXAMPLE\n accessKey: c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9\n accessKeyVersion: prod-access-key-v1.2\n originRegion: us-east-2\n\n3. To update your private origin, import the configuration to your\n backend service by using the\n `gcloud compute backend-services import` command:\n\n ```\n gcloud compute backend-services import BACKEND_SERVICE_NAME \\\n [--source=SOURCE]\n ```\n\n Replace \u003cvar translate=\"no\"\u003eSOURCE\u003c/var\u003e with the name of the YAML file.\n\nAPI\n\nTo authenticate your backend requests by using the HMAC key, specify these\nadditional configuration options in the `securitySettings` section of\n`backendServices`.\n\nUse the\n[`Method: backendServices.insert`](/compute/docs/reference/rest/v1/backendServices/insert) or\n[`Method: backendServices.update`](/compute/docs/reference/rest/v1/backendServices/update)\nAPI call. \n\n```\nPOST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices\nPUT https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE\n```\n\nAdd the following snippet to the JSON request body: \n\n```\nsecuritySettings: {\n awsV4Authentication: {\n accessKeyId: ACCESS_KEY_ID,\n accessKey: ACCESS_KEY,\n [accessKeyVersion: ACCESS_KEY_VERSION],\n originRegion: REGION\n }\n}\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eACCESS_KEY_ID\u003c/var\u003e: the HMAC access key ID\n- \u003cvar translate=\"no\"\u003eACCESS_KEY\u003c/var\u003e: the HMAC access key\n- \u003cvar translate=\"no\"\u003eACCESS_KEY_VERSION\u003c/var\u003e (optional): a unique name that you can set to represent the key version\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: a valid region for your storage provider. For Amazon S3, the value is not a Google Cloud region.\n\nThe following snippet shows the contents of a sample\nJSON request body: \n\n```\nsecuritySettings: {\n awsV4Authentication: {\n accessKeyId: \"AKIDEXAMPLE\",\n accessKey: \"c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9\",\n accessKeyVersion: \"prod-access-key-v1.2\",\n originRegion: \"us-east-2\"\n }\n}\n```\n\nThe service name is automatically set to `s3` for creating the signature.\nAfter these configurations are in place, Cloud CDN generates an\nHTTP Authorization header for all requests to your origin.\n\nCache privately authenticated responses\n\nYou might want to ensure that privately authenticated content is cached by\nCloud CDN.\n\nTo do this, set the [cache mode](/cdn/docs/using-cache-modes#cache-mode)\nto **Force cache all content** and specify a TTL, so that all content served from\nthe origin is cached.\n\nAlternatively, if you don't want to force all content to be cached the same way,\nchange the cache mode to **Use origin setting based on Cache-Control headers**\nor **Cache static content** and ensure that the `Cache-Control` header is\ncorrectly set on content served from your origin.\n\nWhat's next\n\n- [Web security best practices](/cdn/docs/web-security-best-practices)"]]
