Third-party origin prerequisites
A third-party origin involves a separate, cloud-based storage service outside Akamai, such as Amazon Web Services or Interoperability Google Cloud Storage. You'll work with your cloud provider to configure your storage space, upload your deliverable content to it, then configure your Property Manager property so that Akamai can contact it to get your content. There are some prerequisites you need to meet before you can add a third-party origin to your property.
Determine the level of security
When working with your third-party cloud provider, you'll need to decide what level of security you should apply for access. Akamai recommends that you use the same level of security you've selected for your edge certificate—what you've set for the first phase of the request flow between the end user and the Akamai edge network.
Get your origin server name
In a traditional web server environment, your end users would reach your content through your primary domain. When you include a third-party origin, you'll work with your provider to create a unique name for your origin server on their storage network. You'll also need to update your DNS to redirect requests for your content to this unique name. This is what we refer to as your "origin hostname," and you'll need this full value to set up your origin in your property.
Get authentication details from your cloud provider
When you set up storage with your cloud provider, you'll define specific authentication details for access. When using the standard method to set up a third-party origin, Akamai needs these values to access your storage when requests come in for it.
If you're using Cloud Access Manager, you won't need these values here. See Consider using Cloud Access Manager for more information.
Amazon Web Services (AWS)
Edge servers use the signature version 4 signing process to authenticate your requests to this cloud provider. See V4 signing process in AWS. You'll need these values:
- Access Key ID. The identifier of the access key that's used to authenticate requests to your AWS service.
- Secret Access Key. Enter the secret key that's used to compute the signature.
- Region. The AWS-specific region that houses your AWS service.
- Endpoint Service. The code of your AWS service. This is the segment, or part of the segment, that precedes amazonaws.com or the region code in the AWS hostname. For example, s3 is the endpoint service for both the https://<account-id>.s3-control.eu-north-1.amazonaws.com and https://s3.us-east-2.amazonaws.com hostnames. For more information, see Service endpoints and quotas in AWS.
Interoperability Google Cloud Storage (GCS)
Edge servers use the signature version 4 signing process to authenticate your requests to this cloud provider. See V4 signing process in Google Cloud Storage. You'll need these values:
- Access ID. The identifier of the access key that's used to authenticate requests to your GCS service.
- Secret. The secret key that's used to compute the signature.
Consider using Cloud Access Manager
When you set up a third-party origin and supply your authentication details in the traditional way, each request to the provider must carry a signature computed from these values. When it receives the request, the cloud provider recalculates the signature and compares it to the one sent in the client request. If they match, the request is considered authentic. If they don't match, the request is denied. While this method works, it has some drawbacks:
- You need to set up the mechanism to inject the signature into a client request.
- This requires that you proxy through your origin, which can delay the request.
- You include the authentication details in your property, where they're openly visible to anyone that can see it in Akamai Control Center.
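The signature version 4 process named in the AWS and GCS sections, and the recompute-and-compare check described above, as an added example that is not Akamai's code: a minimal V4 signer and verifier covering both the AWS (aws4_request) and GCS interoperability (goog4_request) flavours. The sample request, credentials and expected signature are AWS's own published S3 "GET Object" test vector; the flavour table and function names are this example's.

```python
import hashlib
import hmac

# Flavour -> (secret prefix, algorithm label, scope terminator). AWS and the GCS
# interoperability API share the V4 scheme and differ only in these constants.
FLAVOURS = {
    "aws": ("AWS4", "AWS4-HMAC-SHA256", "aws4_request"),
    "gcs": ("GOOG4", "GOOG4-HMAC-SHA256", "goog4_request"),
}

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def canonical_request(method, path, query, headers, payload_hash):
    """Canonicalize: lowercase header names, collapse whitespace, sort by name."""
    norm = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(norm)
    canon_headers = "".join(f"{k}:{norm[k]}\n" for k in names)
    return "\n".join([method, path, query, canon_headers, ";".join(names), payload_hash])

def sign(flavour, secret, amz_date, region, service, canonical):
    """Return the hex signature. The long-term secret only seeds the derivation of a
    per-day/region/service key; it never travels in the request itself."""
    prefix, algo, terminator = FLAVOURS[flavour]
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/{terminator}"
    string_to_sign = "\n".join([algo, amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = (prefix + secret).encode()
    for part in (date, region, service, terminator):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def verify(flavour, secret, amz_date, region, service, canonical, presented):
    """Provider-side check: recompute from the shared secret, compare in constant time."""
    expected = sign(flavour, secret, amz_date, region, service, canonical)
    return hmac.compare_digest(expected, presented)

# Constructed sample: AWS's published S3 "GET Object" signing example (fake credentials).
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
SAMPLE_HEADERS = {"Host": "examplebucket.s3.amazonaws.com", "Range": "bytes=0-9",
                  "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": "20130524T000000Z"}

def sample_signature(headers=SAMPLE_HEADERS, secret=SAMPLE_SECRET):
    canonical = canonical_request("GET", "/test.txt", "", headers, EMPTY_SHA256)
    return sign("aws", secret, "20130524T000000Z", "us-east-1", "s3", canonical)
```

Changing any signed header (for example the Range) or using a different secret produces a different signature, which is exactly what makes the provider reject a tampered or unauthenticated request.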
Cloud Access Manager lets you privately create your access keys and protects them. You add them to your property using a name you define, and the access identifier and secret key are hidden. Cloud Access Manager uses the Akamai Intelligent Platform to route origin requests directly to your cloud provider. Akamai edge servers inject access key authentication on the forward origin path for you. This can decrease cost, bandwidth requirements, and the number of hits to your origin during peak times.
Check out the Cloud Access Manager documentation for more details. If you do decide to use it, you'll need to:
- Create an access key in Cloud Access Manager.
- Make note of the following, based on your cloud provider:
  Amazon Web Services:
  - The access key name. In Cloud Access Manager, you'll set a Name for your access key.
  - The AWS region code. This is the location where your bucket exists. You should establish this value when you set up AWS as your cloud provider. Contact your AWS representative to get this value.
  - The Endpoint Service. This is the code for your AWS service. It precedes amazonaws.com or the region code in your AWS hostname. The default for this value is s3. You should establish this value when you set up AWS as your cloud provider. Contact your AWS representative to get this value.
  Google Cloud Storage:
  - The access key name. In Cloud Access Manager, you'll set a Name for your access key.
Other considerations
These are less likely to apply, but knowing these settings could help with the delivery of your content when configuring the Origin Server behavior in your property.
- Does your origin need to be accessed via a specific port? When configuring your Origin Server in your property, you can define specific ports for use. The default of 443 for HTTPS is automatically applied. Check to see if your cloud provider requires that you use a specific port.
- Is your third-party origin in a specific geographic region? When configuring Origin Characteristics, you can help optimize the delivery of your content by specifying the geographic region that contains your origin server. Check with your cloud provider to see if your origin is in a specific geographic region.
Configure your origin in Property Manager
Later on, you'll use a combination of the Origin Server and Origin Characteristics behaviors to add your third-party origin to your property.