BillingCDN resources overviewOrigin groupPurgePrefetchReports
Chosen image
Home/CDN/CDN resource options/General/Private origin

Use a private bucket as an origin


We have introduced a feature that allows the use of a private bucket inside S3-compatible storage (such as Amazon or others) as a CDN resource origin. To grant CDN servers access to content stored in the private bucket, you must specify authentication data (Access Key ID, Secret access key, Hostname, Region). Otherwise, they won’t be able to access the content.

Authentication data

You can access the necessary authentication data in the personal S3 storage account.

Amazon AWS storage

You can find the Access Key ID and Secret access key according to the "AWS Account and Access Keys" guide.

Gcore S3 storage

You can find the Hostname and Region in the "Details" section under the Storages tab.

Gcore S3 storage

Note: We don’t store the Access Key ID and Secret access key for S3 storage. It is your responsibility to save them after creating the storage. If you forget them, click Generate new keys under the "Details" section.

Configure a private bucket as an origin

Configure a private origin in the control panel

There are two options for configuring a private bucket as an origin:

  1. Create an origin group during the CDN resource creation process;
  2. Add a group in the "Origins groups" tab and specify this group in the CDN resource setting.

The instructions below are relevant to the first option. The process for the second option is slightly different.

To configure a private origin:

1. Go to the CDN resource creation page, select "Accelerate and protect only static assets", and click Confirm.

CDN resource creation page

A new page will open. Complete the remaining steps of the manual in the "Origin" section on this page.

In the example below, we use the private bucket test-private in S3 Gcore storage with the Hostname s-ed1.cloud.gcore.lu and configure an origin group as follows:

Origin section

2. Select the Specify content origin option.

3. Select AWS signature V4 in the "Type of origin authentication" field.

4. Select the type of S3 storage: Amazon or Other.

5. Specify the needed authentication data. It depends on the type of storage selected in the previous step.

  • For Amazon storage: Access Key ID, Secret access key, and AWS region
  • For Other: Hostname (there's a bucket at the beginning), Access Key ID, Secret access key, and Region

More information about where to find the keys can be found in the "Authentication data" section.

6. Enter the Bucket name.

7. Continue the CDN resource creation according to the "Create CDN resource for only static files" guide (steps #3–6).

Note: If you selected Amazon S3 storage in step #4, the configuration is now complete. If you selected Other and specified the Hostname after the CDN resource creation, go to the resource settings and open the Host header option in the "HTTP headers" section. Specify the URL of your storage Hostname (the URL depends on your S3 provider) in the following format:

  • For Gcore S3 storage: {bucket-name}.s-ed1.cloud.gcore.lu
  • For most other storages: {bucket-name}.s3.{region-code}.{storage-hostname}

Note: The bucket in the "Host header" is very important to specify for the security of the storage data outside the bucket.

Click Save changes.

Save changes

Configure a private origin via the API

Next, we will explain in detail how to specify Private origin via API calls.

Method POST
Header Bearer {{access_token}}

"name": "YourOriginGroup",
"useNext": true,
"auth_type": "awsSignatureV4",
"auth": {
"s3_type": "amazon",
"s3_access_key_id": "EXAMPLEFODNN7EXAMPLE",
"s3_bucket_name": "bucket_name",
"s3_region": "us-east-2"
Request parameter For more information, see Gcore’s API documentation
Response 201 Successful

400 Request for creation origin group is failed

403 Group creation is forbidden

To access the API and make authenticated requests, generate an access token. You can use a REST tool like cURL or Postman to send the requests. For this guide, we used Postman.

To specify private origin by URL request:

1. In Postman, open a new request tab.

a. Set the request method to POST.

b. Enter the API URL in the request URL field.


2. Go to the Auth tab.

a. Select Bearer Token from the "Type dropdown".

b. Copy the generated access token and paste it into the "Token" field.


3. Go to the Body tab.

a. Select raw as the data type.

b. Select JSON from the format dropdown.

c. Enter the payload in the text area. Replace the sample values indicated by {{ }} with your actual values.

4. Click Send.


Was this article helpful?

Not a Gcore user yet?

Learn more about our next-gen CDN

Go to the product page