Contact UsGet started

Setting up access via a secure token

Written by
Updated at June 3, 2025

Using secure tokens, you can restrict access to CDN resource files to only via pre-signed URLs with the limited validity period.

You can also use secure tokens to specify a trusted IP address to access a CDN resource from.

Enabling access

To enable access via a secure token:

  1. Come up with a secret key that is a string of 6 to 32 characters. It will be saved in the CDN resource settings for generating pre-signed URLs.

  2. On your website, set up generation of pre-signed URLs with secure tokens.

  3. Enable access to the CDN resource via a secure token:

    1. In the management console, select the folder where your resource is located.

    2. Select Cloud CDN.

    3. Click the resource name.

    4. In the top-right corner, click Edit.

    5. Enable Access via secure token:

      • Specify a Secret key that is a string of 6 to 32 characters. You will need a secret key to generate pre-signed URLs.

        You can view the secret key you saved in the management console or using the yc cdn resource list CLI command.

      • Use the Limit access by IP address field to restrict access to content by IP address:

        • Only trusted IP addresses: Access to files will be allowed only from a specific IP address of the content recipient. The IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL.
        • No restrictions: Access to files will be allowed from any IP address.

    6. Click Save.

    If you do not have the Yandex Cloud CLI yet, install and initialize it.

    By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

    1. View the description of the CLI command to update a resource:

      yc cdn resource update --help

    2. Get a list of all resources in the default folder:

      yc cdn resource list --format yaml

      Result:

      id: bc8br5k6iohx********
folder_id: b1gt6g8ht345********
cname: testexample.com
created_at: "2022-01-19T09:23:57.921365Z"
updated_at: "2022-01-19T10:55:30.305141Z"
active: true
options:
  edge_cache_settings:
    enabled: true
    default value: "345600"
  cache_http_headers:
    enabled: true
    value:
    - content-type
    - content-length
    - connection
    - server
    - date
    - test
  stale:
    enabled: true
    value:
    - error
    - updating
  allowed_http_methods:
    value:
    - GET
    - POST
    - HEAD
    - OPTIONS
origin_group_id: "89783"
origin_group_name: My origins group
origin_protocol: HTTP
ssl_certificate:
  type: DONT_USE
  status: READY

      Save the id of the resource you want to set up access for via a secure token.

    3. Enable access via a secure token:

      yc cdn resource update \
  --id <resource_ID> \
  --secure-key <secret_key> \
  --enable-ip-url-signing

      Where:

      • --id: ID of the CDN resource you want to enable access for via a secure token.
      • --secure-key: Secret key you created.
      • --enable-ip-url-signing: Optional parameter that restricts access to the CDN resource by IP address. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL. If the parameter is not set, file access will be allowed from any IP address.

    If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

    1. Open the Terraform configuration file and add the following parameters to the section with the CDN resource description:

      resource "yandex_cdn_resource" "my_resource" {
  ...
  options {
    ...
    secure_key = "<secret_key>"
    enable_ip_url_signing = true
  }
}

      Where:

      • secure_key: Secret key you created.
      • enable_ip_url_signing: Optional parameter, true or false. It restricts access to the CDN resource by IP address. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL. If the parameter is not set, file access will be allowed from any IP address.

      For more information about the yandex_cdn_resource properties in Terraform, see the provider documentation.

    2. Apply the changes:

      1. In the terminal, go to the directory where you edited the configuration file.

      2. Make sure the configuration file is correct using this command:

        terraform validate

        If the configuration is correct, you will get this message:

        Success! The configuration is valid.

      3. Run this command:

        terraform plan

        You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

      4. Apply the changes:

        terraform apply

      5. Type yes and press Enter to confirm the changes.

    You can check the updated CDN resource parameters using the management console or this CLI command:

    yc cdn resource get <resource_ID>

    Use the update REST API method for the Resource resource or the ResourceService/Update gRPC API call.

    It may take up to 15 minutes for the new settings of the existing resource to apply to the CDN servers. After that, we recommend purging the resource cache.

    Enabling access to CDN resource content via a secure token disables access to it via regular links.

Disabling access

To disable access to a CDN resource via a secure token:

  1. In the management console, select the folder where your resource is located.
  2. Select Cloud CDN.
  3. Click the resource name.
  4. In the top-right corner, click Edit.
  5. Disable Access via secure token.
  6. Click Save.

Run this command:

yc cdn resource update \
  --id <resource_ID> \
  --clear-secure-key

Where:

  • --id: ID of the CDN resource you want to disable secure token access for.
  • --clear-secure-key: Parameter for disabling secure token access.

  1. Open the Terraform configuration file and delete the secure_key and enable_ip_url_signing properties from the section with the CDN resource description:

    resource "yandex_cdn_resource" "my_resource" {
  ...
  options {
    ...
    secure_key = "<secret_key>"
    enable_ip_url_signing = true
  }
}

    For more information about the yandex_cdn_resource properties in Terraform, see the provider documentation.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

You can check the updated CDN resource parameters using the management console or this CLI command:

yc cdn resource get <resource_ID>

Use the update REST API method for the Resource resource or the ResourceService/Update gRPC API call.

It may take up to 15 minutes for the new settings of the existing resource to apply to the CDN servers. After that, we recommend purging the resource cache.

Previous
Configuring request redirection
Next
Managing additional resource settings