Setting up access via a secure token
Using secure tokens, you can restrict access to CDN resource files. Files will be accessed via signed URLs with a limited validity period.
You can also use secure tokens to specify a trusted IP address from which a CDN resource can be accessed.
Enabling access
To enable access via a secure token:
- Come up with a secret key that is an arbitrary string of 6 to 32 characters. It will be saved in the CDN resource settings and used to generate signed URLs.
- On your website, set up generation of signed URLs with secure tokens.
- Enable access to the CDN resource via a secure token:
Management console
- In the management console, select the folder where your resource is located.
- Select Cloud CDN.
- Click the resource name.
- In the top-right corner, click Edit.
- Enable Access via secure token:
  - Specify a Secret key that is a string of 6 to 32 characters. You will need a secret key to generate pre-signed URLs.
    You can view the secret key you saved in the management console or using the yc cdn resource list CLI command.
  - Use the Limit access by IP address field to restrict access to content by IP address:
    Only trusted IP addresses: Access to files will be allowed only from a specific IP address of the content recipient. The IP address is specified as a parameter outside a CDN resource when generating an MD5 hash for a pre-signed URL.
    No restrictions: Access to files will be allowed from any IP address.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- View the description of the CLI command for updating a resource:
  yc cdn resource update --help
- Get a list of all resources in the default folder:
  yc cdn resource list --format yaml
  Result:
  id: bc8br5k6iohx********
  folder_id: b1gt6g8ht345********
  cname: testexample.com
  created_at: "2022-01-19T09:23:57.921365Z"
  updated_at: "2022-01-19T10:55:30.305141Z"
  active: true
  options:
    edge_cache_settings:
      enabled: true
      default value: "345600"
    cache_http_headers:
      enabled: true
      value:
        - content-type
        - content-length
        - connection
        - server
        - date
        - test
    stale:
      enabled: true
      value:
        - error
        - updating
    allowed_http_methods:
      value:
        - GET
        - POST
        - HEAD
        - OPTIONS
  origin_group_id: "89783"
  origin_group_name: My origins group
  origin_protocol: HTTP
  ssl_certificate:
    type: DONT_USE
    status: READY
  Save the id of the resource you want to set up access for via a secure token.
- Enable access via a secure token:
  yc cdn resource update \
    --id <resource_ID> \
    --secure-key <secret_key> \
    --enable-ip-url-signing
  Where:
  --id: ID of the CDN resource you want to enable access for via a secure token.
  --secure-key: Previously created secret key.
  --enable-ip-url-signing (optional): Parameter that restricts access to the CDN resource by IP address. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a signed URL. If the parameter is not set, file access will be allowed from any IP address.
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Open the Terraform configuration file and add the following parameters to the section with the CDN resource description:
  resource "yandex_cdn_resource" "my_resource" {
    ...
    options {
      ...
      secure_key            = "<secret_key>"
      enable_ip_url_signing = true
    }
  }
  Where:
  secure_key: Previously created secret key.
  enable_ip_url_signing: Optional parameter, true or false. It restricts access to the CDN resource by IP address. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a signed URL. If the parameter is not set, file access will be allowed from any IP address.
  For more information about the yandex_cdn_resource parameters in Terraform, see the provider documentation.
- Apply the changes:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
    terraform validate
    If the configuration is correct, the following message is returned:
    Success! The configuration is valid.
  - Run the command:
    terraform plan
    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
You can check the updated CDN resource parameters using the management console or this CLI command:
yc cdn resource get <resource_ID>
API
Use the update REST API method for the Resource resource or the ResourceService/Update gRPC API call.
It may take up to 15 minutes for the new settings of the existing resource to apply to CDN servers. After that, we recommend purging the resource cache.
Enabling access to CDN resource content via a secure token disables access to it via regular links.
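The signed-URL generation from step 2, as an added example (not code from this page or from Yandex Cloud). It assumes the token is the unpadded URL-safe Base64 of an MD5 digest over `<expires><path><ip> <secret_key>`, passed in `md5` and `expires` query parameters; this page does not give that layout, so confirm it against the Cloud CDN signed-URL reference. The file path, key and client address are constructed sample values.

```python
import base64
import hashlib
import time


def make_secure_token(secret_key: str, path: str, expires: int, ip: str = "") -> str:
    """URL-safe Base64 (unpadded) of MD5 over '<expires><path><ip> <secret_key>'.

    The string layout is an assumption; this page does not spell it out.
    """
    if not 6 <= len(secret_key) <= 32:
        # The page requires a secret key of 6 to 32 characters.
        raise ValueError("secret key must be 6 to 32 characters long")
    if not path.startswith("/"):
        raise ValueError("path must be absolute, for example /files/report.pdf")
    payload = f"{expires}{path}{ip} {secret_key}".encode("utf-8")
    digest = hashlib.md5(payload).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sign_url(hostname, path, secret_key, ttl_seconds, ip="", now=None):
    """Build a signed URL valid for ttl_seconds.

    Pass ip only when 'Only trusted IP addresses' (--enable-ip-url-signing)
    is enabled on the resource; otherwise leave it empty.
    """
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive")
    issued = int(time.time() if now is None else now)
    expires = issued + ttl_seconds
    token = make_secure_token(secret_key, path, expires, ip)
    return f"https://{hostname}{path}?md5={token}&expires={expires}"


if __name__ == "__main__":
    # Constructed sample values: host name from the page's sample output,
    # hypothetical file path, key and client address (TEST-NET-3).
    key = "example-secret-key"
    print(sign_url("testexample.com", "/files/report.pdf", key, 300))
    print(sign_url("testexample.com", "/files/report.pdf", key, 300,
                   ip="203.0.113.10"))
```

Generate the URL on the server so the secret key never reaches the browser, and keep `ttl_seconds` short: anyone holding the link can use it until it expires, from any address unless the IP restriction is enabled.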
Disabling access
To disable access to a CDN resource via a secure token:
- In the management console, select the folder where your resource is located.
- Select Cloud CDN.
- Click the resource name.
- In the top-right corner, click Edit.
- Enable Access via secure token.
- Click Save.
Run this command:
yc cdn resource update \
--id <resource_ID> \
--clear-secure-key
Where:
--id: ID of the CDN resource you want to disable secure token access for.
--clear-secure-key: Parameter for disabling secure token access.
- Open the Terraform configuration file and delete the secure_key and enable_ip_url_signing parameters from the section with the CDN resource description:
  resource "yandex_cdn_resource" "my_resource" {
    ...
    options {
      ...
      secure_key            = "<secret_key>"
      enable_ip_url_signing = true
    }
  }
  For more information about the yandex_cdn_resource parameters in Terraform, see the provider documentation.
- Apply the changes:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
    terraform validate
    If the configuration is correct, the following message is returned:
    Success! The configuration is valid.
  - Run the command:
    terraform plan
    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
You can check the updated CDN resource parameters using the management console or this CLI command:
yc cdn resource get <resource_ID>
Use the update REST API method for the Resource resource or the ResourceService/Update gRPC API call.
It may take up to 15 minutes for the new settings of the existing resource to apply to CDN servers. After that, we recommend purging the resource cache.