Setting up BunnyCDN for use with Amazon S3

Step 1: Create an IAM user with permissions to read from the S3 Bucket

Create an IAM user which will be used by BunnyCDN to access the buckets it serves from. Make sure this user has permission to use s3:GetObject on the buckets in question. Example IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::bucket-name/*",
                "arn:aws:s3:::another-bucket-name/*"
            ]
        }
    ]
}

Step 2: Create access credentials for the IAM user you created in step 1

Go to the IAM Console -> Users -> <the IAM user you created> -> Security Credentials -> Create Access Key. Select “other use case” and note the access and secret keys; you’ll need to add them to BunnyCDN later so it can access the bucket properly.

Step 3: Ensure your S3 bucket policy allows this user to access the bucket

Go to S3 -> <your bucket> -> Permissions. Add, or modify, your bucket policy to allow the IAM user you created earlier to access the bucket.

Example bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1234567890",
    "Statement": [
        {
            "Sid": "Stmt1234567890",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<your-account-number>:user/<the name of the IAM user you created in step 1>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<the name of this s3 bucket>/*"
        }
    ]
}

Be aware: if your bucket currently has some other access policy, you might want to add this statement to it instead of replacing the whole policy; replacing it might cause parts of your application to be denied access.
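
One way to do the merge described above, as an added example that is not part of the original guide: it adds the CDN statement to an existing bucket policy without dropping the statements already there, and refuses a statement that grants more than s3:GetObject or names a wildcard principal. The function names, Sids, account ID, user, role and bucket are constructed placeholders.

```python
import copy
import json

def check_read_only(stmt):
    """Reject a statement that grants more than the guide's read-only access."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    if stmt.get("Effect") != "Allow" or actions != ["s3:GetObject"]:
        raise ValueError("statement must be Allow on s3:GetObject only")
    principal = stmt.get("Principal")
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    aws = [aws] if isinstance(aws, str) else (aws or [])
    if not aws or any(p == "*" or ":user/" not in p for p in aws):
        raise ValueError("principal must be specific IAM user ARNs, not a wildcard")

def merge_statement(existing, stmt):
    """Return a copy of `existing` with `stmt` added; other statements are kept."""
    check_read_only(stmt)
    policy = copy.deepcopy(existing) if existing else {"Version": "2012-10-17", "Statement": []}
    current = policy.get("Statement", [])
    # AWS accepts a single statement object as well as a list of them.
    current = [current] if isinstance(current, dict) else list(current)
    # Replace a statement with the same Sid so re-running does not duplicate it.
    sid = stmt.get("Sid")
    current = [s for s in current if not (sid and s.get("Sid") == sid)]
    policy["Statement"] = current + [stmt]
    return policy

# Constructed sample data: account ID, user, role and bucket are placeholders.
CDN_STATEMENT = {
    "Sid": "AllowCdnRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/cdn-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
}
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AppUpload",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
}

if __name__ == "__main__":
    print(json.dumps(merge_statement(EXISTING_POLICY, CDN_STATEMENT), indent=4))
```

Paste your bucket's current policy in place of EXISTING_POLICY, then copy the printed JSON into the bucket policy editor.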

Step 4: Create a Pull Zone in BunnyCDN

After making your Bunny account, go to Delivery -> CDN in the dashboard, and then click Add Pull Zone at the top.

  • Pull zone name: not relevant per se, but I would suggest naming it the same as your S3 bucket name to avoid confusion later.
  • Origin URL: This is the S3 URL to your bucket, which is always in this form: https://<your bucket name>.s3.<AWS region, e.g. eu-west-1>.amazonaws.com . You do not need static website hosting enabled on your S3 bucket for this (and it shouldn’t be enabled).
  • Choose Tier: Up to you. I’d suggest the high volume tier ($0.005 per GB, 10 CDN nodes) rather than the $0.01 per GB standard tier that has a lot more nodes.
  • Pricing Zones: This only applies if using the Standard tier. I would suggest only using Europe and US, as the other zones are significantly more expensive.

Step 5: Configure the pull zone

Click the pull zone name to go into the dashboard for it. The bolded headers below refer to sections of the dashboard to go to.

Caching -> General:

Enable “Smart Cache”, “Query String Sort” and “Cache Error Response”.

If you are hosting videos, enabling “Optimise For Video Delivery” is a good idea.

Caching -> Request Coalescing:

Enable this, UNLESS you are serving dynamic content from your CDN, in which case you should not enable it, or there may be security implications (as the website warning states). If you don’t know if you are serving dynamic content from your CDN… don’t enable this setting.

Security -> General:

Enable “Block Root Path Access” and “Block POST Requests”.

Security -> 502/504 Error Pages (optional):

You can enable “Whitelabel Error Pages” if you don’t want Bunny’s branding on CDN error pages.

Security -> S3 Authentication:

Enable AWS S3 Authentication. Enter the AWS Access Key and AWS Secret Key of the IAM user you created in Step 1, and the region of the bucket for this pull zone, e.g. “eu-west-1”. Without this, BunnyCDN will not be able to access your S3 bucket and thus won't be able to function.

Headers:

Enable “Add CORS Headers”. I don’t remember if it auto-fills out a default value for this setting, but I have it set to “eot, ttf, woff, woff2, css”, which enables CSS stylesheets and font files to be served without issues.

Bunny Optimizer (not recommended):

For art websites: I don’t recommend this. The image optimizer is likely to mess with your image files, as most CDN use cases aren’t art websites; I suspect the optimiser likely uses chroma subsampling, i.e. reducing the range of colours in the image, and it does not say. WebP is also an unpopular format among artists as it is not fully supported by various art software packages.

The CSS and JS minifying you can do yourself, and even if you didn’t, the cost savings of minifying your JS and CSS aren’t going to get close to the $9.50 a month price tag unless your website is absolutely gigantic.

For non-art websites: If you are not using an image optimizer of your own, the image optimizer may be useful if you are not serving images where quality is crucial, and where the WebP format isn’t an issue.

Deserted Chateau does not use this feature.

Edge Rules (optional):

If you have existing edge rules on your current CDN provider, you can add them here.

Bunny AI (fuck right off):

Nope. No sir. Fuck right off with that crap.

General -> Hostname:

You can add a custom hostname for your CDN here; as the instructions say, you also need to add a CNAME record at your DNS provider for this to work, pointing your custom hostname to the provided BunnyCDN URL. Be aware that if you’re currently already using a CDN, you likely already have a CNAME record for this purpose in your DNS provider; changing it will make your current CDN unable to serve requests. If your DNS provider propagates the record change quickly, you might have a brief period of downtime if you didn’t configure BunnyCDN correctly at this point.

Enable Force SSL. Bunny can create the certificate for you provided the CNAME record above is present; the three-dot options menu on the far right -> Add SSL certificate.

General -> Origin:

Enable “Verify Origin SSL Certificate”.