Cloud origin authentication

Cloud origin providers host your applications and infrastructure, and offer different methods of securing your content. These methods often include authenticating origin requests before accepting them.

When sending a non-anonymous request to a cloud provider, you need to sign the request so that the cloud provider can establish the identity of the requesting client. You sign your requests with an access key supplied by your cloud provider, which consists of an access key identifier and a secret access key.

For security reasons, cloud providers use HMAC signatures to authenticate client requests. An HMAC signature is a keyed-hash message authentication code calculated with a supplied secret key. The access key identifier and the HMAC signature are passed together in the HTTP Authorization header of a request.

When receiving the request, a cloud provider calculates the signature and compares it to the one you sent. If they match, the request is considered authentic. If they don't match, the request is denied.
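The signing and verification steps described above, as an added Python example (not Akamai's or any cloud provider's code). It follows the AWS Signature Version 4 layout, reduced to a body-less GET with no query string and two signed headers; the key identifier, secret, host and path are constructed sample values.

```python
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"
SIGNED_HEADERS = "host;x-amz-date"

# Constructed sample values, not real credentials or endpoints.
KEY_ID, SECRET = "AKIDEXAMPLE", "constructed-secret-not-a-real-key"
REQUEST = dict(method="GET", path="/bucket/object.txt", host="storage.example.com",
               amz_date="20240101T000000Z", region="us-east-1", service="s3")

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signature(secret, method, path, host, amz_date, region, service):
    """Return (credential scope, hex signature) for the request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    canonical = "\n".join([
        method, path, "",                          # empty canonical query string
        f"host:{host}\nx-amz-date:{amz_date}\n",   # canonical headers
        SIGNED_HEADERS,
        hashlib.sha256(b"").hexdigest(),           # hash of the empty body
    ])
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):  # derive the signing key
        key = _hmac(key, part)
    return scope, _hmac(key, string_to_sign).hex()

def authorization_header(key_id, secret, **request):
    """Client side: key identifier and HMAC signature go into Authorization."""
    scope, sig = signature(secret, **request)
    return (f"{ALGORITHM} Credential={key_id}/{scope}, "
            f"SignedHeaders={SIGNED_HEADERS}, Signature={sig}")

def verify(header, key_store, **request):
    """Provider side: recompute with the stored secret, compare in constant time."""
    try:
        fields = dict(f.strip().split("=", 1) for f in header.split(" ", 1)[1].split(","))
        secret = key_store[fields["Credential"].split("/", 1)[0]]
        sent = fields["Signature"]
    except (IndexError, KeyError, ValueError):
        return False                               # malformed header or unknown key id
    _, expected = signature(secret, **request)
    return hmac.compare_digest(expected.encode(), sent.encode())
```

Changing any signed element (path, host, timestamp) or the secret changes the signature, so `verify` returns `False` and the request is denied.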

Cloud Access Manager supports these signing processes used by cloud providers to authenticate requests:

- The pre-release V4 signing processes for Google Cloud Storage in interoperability mode.
- The V4 signing process for Amazon Web Services (AWS).

You can now use the Akamai Intelligent Edge Platform™ to route requests to the origin directly to your cloud provider. This can save costs, prevent choked bandwidth, and avoid saturation of your origin during peak times.

With Cloud Access Manager managing your access keys and letting you sign Akamai Technologies, Inc. requests, you can tunnel traffic to your cloud provider instead of proxying through the origin. At runtime, edge servers inject cloud origin authentication on the forward origin path and deny direct origin requests without proper authentication.