diff --git a/src/backend/boot-assembly/src/main/kotlin/com/tencent/bkrepo/config/BootAssemblyHandlerMapping.kt b/src/backend/boot-assembly/src/main/kotlin/com/tencent/bkrepo/config/BootAssemblyHandlerMapping.kt
index 0f1eb8a4c1..e8b11d7cb8 100644
--- a/src/backend/boot-assembly/src/main/kotlin/com/tencent/bkrepo/config/BootAssemblyHandlerMapping.kt
+++ b/src/backend/boot-assembly/src/main/kotlin/com/tencent/bkrepo/config/BootAssemblyHandlerMapping.kt
@@ -64,6 +64,9 @@ class BootAssemblyHandlerMapping : RequestMappingHandlerMapping() {
 @Suppress("SpreadOperator")
 private fun updateMapping(mapping: RequestMappingInfo, method: Method): RequestMappingInfo? {
 val serviceName = ServiceCommonUtils.getServiceName(method.declaringClass)
+ if (serviceName == "common") {
+ return mapping
+ }
 val newPatterns = updatePatterns(mapping.patternsCondition?.patterns.orEmpty(), serviceName)
 if (newPatterns.isEmpty()) {
 return null
diff --git a/src/backend/boot-assembly/src/main/resources/application.yml b/src/backend/boot-assembly/src/main/resources/application.yml
index 423eb844db..f5044b313d 100644
--- a/src/backend/boot-assembly/src/main/resources/application.yml
+++ b/src/backend/boot-assembly/src/main/resources/application.yml
@@ -38,6 +38,9 @@ spring:
 main:
 allow-bean-definition-overriding: true
+cns:
+ enabled: true
+
 logging:
 config: classpath:logback-config.xml
 path: /data/logs
diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsController.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsController.kt
index d10314e478..7962202353 100644
--- a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsController.kt
+++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/CnsController.kt
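Review bot: In BootAssemblyHandlerMapping.updateMapping the new early return for `serviceName == "common"` hands the mapping back untouched, so every handler whose declaring class resolves to the common service is registered at its raw path with no service prefix, not only the CNS controller this commit appears to target. The controller's own `@RequestMapping` then becomes the only thing that decides whether the route sits under a protected path such as `/service/...` (presumably where service-token authentication is enforced, which should be confirmed), and the branch also skips the `newPatterns.isEmpty()` check that follows it. I would move the literal into a named constant and put a comment above the check, for example `// Handlers from common modules keep their declared path; each must declare its own protected prefix.` The body of updateMapping continues past the end of the hunk.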
@@ -39,7 +39,7 @@ import org.springframework.web.bind.annotation.RestController
 @Principal(type = PrincipalType.ADMIN)
 @RestController
-@RequestMapping("cns")
+@RequestMapping("/service/cns")
 class CnsController(
 private val cnsService: CnsService
 ) {
diff --git a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/impl/CnsServiceImpl.kt b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/impl/CnsServiceImpl.kt
index 3137830919..1e115b2e62 100644
--- a/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/impl/CnsServiceImpl.kt
+++ b/src/backend/common/common-artifact/artifact-service/src/main/kotlin/com/tencent/bkrepo/common/artifact/cns/impl/CnsServiceImpl.kt
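Review bot: In CnsController the class keeps `@Principal(type = PrincipalType.ADMIN)` while its path moves to `/service/cns`, and the caller in CnsServiceImpl now sends a service security token plus a forwarded uid instead of the user's Authorization header. The diff does not show which check ends up guarding `/service/cns/exist`. If the ADMIN principal is still evaluated against the forwarded uid, calls made on behalf of a non-admin user would be rejected; if service-token requests bypass it, the annotation gives a false picture of the access control. I would either remove the annotation or document the intended mechanism above the class, for example `// Internal node-to-node endpoint; callers authenticate with the service security token.` The class body continues outside the hunk.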
@@ -28,15 +28,20 @@
 package com.tencent.bkrepo.common.artifact.cns.impl
 import com.google.common.util.concurrent.ThreadFactoryBuilder
+import com.tencent.bkrepo.common.api.constant.MS_AUTH_HEADER_UID
+import com.tencent.bkrepo.common.api.constant.USER_KEY
 import com.tencent.bkrepo.common.api.pojo.Response
 import com.tencent.bkrepo.common.artifact.cns.CnsProperties
 import com.tencent.bkrepo.common.artifact.cns.CnsService
 import com.tencent.bkrepo.common.artifact.pojo.RepositoryType
+import com.tencent.bkrepo.common.security.constant.MS_AUTH_HEADER_SECURITY_TOKEN
+import com.tencent.bkrepo.common.security.service.ServiceAuthManager
 import com.tencent.bkrepo.common.service.otel.util.AsyncUtils.trace
 import com.tencent.bkrepo.common.service.util.HttpContextHolder
 import com.tencent.bkrepo.common.storage.core.StorageProperties
 import com.tencent.bkrepo.common.storage.core.StorageService
 import com.tencent.bkrepo.repository.api.StorageCredentialsClient
+import com.tencent.bkrepo.repository.constant.SYSTEM_USER
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.cloud.client.DefaultServiceInstance
@@ -59,7 +64,8 @@ class CnsServiceImpl(
 private val storageService: StorageService,
 private val storageCredentialsClient: StorageCredentialsClient,
 private val storageProperties: StorageProperties,
- private val cnsProperties: CnsProperties
+ private val cnsProperties: CnsProperties,
+ private val serviceAuthManager: ServiceAuthManager
 ) : CnsService {
 @Value("\${service.prefix:}")
 private val servicePrefix: String = ""
@@ -67,12 +73,12 @@ class CnsServiceImpl(
 @Value("\${service.suffix:}")
 private val serviceSuffix: String = ""
- private val restTemplate = RestTemplate()
-
 private var services = mutableMapOf>()
 private var lastUpdatedTime = -1L
+ private val restTemplate = RestTemplate()
+
 override fun exist(key: String?, sha256: String): Boolean {
 val storageCredentials = storageCredentialsClient.findByKey(key).data
 ?: storageProperties.defaultStorageCredentials()
@@ -96,21 +102,22 @@ class CnsServiceImpl(
 logger.info("Not found any match service.")
 return false
 }
- val token = HttpContextHolder.getRequest().getHeader(HttpHeaders.AUTHORIZATION)
+ val uid = HttpContextHolder.getRequestOrNull()?.getAttribute(USER_KEY)?.toString() ?: SYSTEM_USER
 val tasks = targetServices.map {
- Callable { sendExistRequest(key, sha256, it, token) }.trace()
+ Callable { sendExistRequest(key, sha256, it, uid) }.trace()
 }
 val futures = threadPool.invokeAll(tasks)
 return futures.firstOrNull { it.get() == false } == null
 }
- private fun sendExistRequest(key: String?, sha256: String, instance: ServiceInstance, token: String): Boolean {
+ private fun sendExistRequest(key: String?, sha256: String, instance: ServiceInstance, uid: String): Boolean {
 with(instance) {
 val target = instance.uri
- val url = "$target/cns/exist?key=$key&sha256=$sha256"
+ val url = "$target/service/cns/exist?key=$key&sha256=$sha256"
 try {
 val headers = HttpHeaders()
- headers.add(HttpHeaders.AUTHORIZATION, token)
+ headers.add(MS_AUTH_HEADER_SECURITY_TOKEN, serviceAuthManager.getSecurityToken())
+ headers.add(MS_AUTH_HEADER_UID, uid)
 val httpEntity = HttpEntity(headers)
 val response = restTemplate.exchange(url, HttpMethod.GET, httpEntity, Response::class.java).body
 if (logger.isDebugEnabled) {
@@ -153,6 +160,7 @@ class CnsServiceImpl(
 serviceIds.add(dockerServiceId)
 serviceIds.add(ociServiceId)
 }
+
 else -> {
 serviceIds.add(formatServiceId(type.name.toLowerCase()))
 }
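Review bot: In CnsServiceImpl.exist the new `uid` line falls back to `SYSTEM_USER` both when there is no request context and when a request is present but has no `USER_KEY` attribute, so a call arriving without an authenticated user would be forwarded to peers in `MS_AUTH_HEADER_UID` as the system user. I would limit the fallback to the no-request case, e.g. `val request = HttpContextHolder.getRequestOrNull()` followed by `val uid = if (request == null) SYSTEM_USER else request.getAttribute(USER_KEY)?.toString()`, and treat a null result as an error instead of promoting it. Separately, in sendExistRequest the `url` string still interpolates `key` and `sha256` unencoded and sends a null `key` as the literal text `null`; building the URI with an encoding builder would avoid both. The service security token is attached to whatever `instance.uri` the registry returned, so it is worth confirming that those instances are trusted and that the scheme protects the header in transit. Both functions extend beyond the hunk.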
@@ -164,7 +172,7 @@ class CnsServiceImpl(
 return "$servicePrefix$name$serviceSuffix"
 }
- companion object {
+ private companion object {
 private val logger = LoggerFactory.getLogger(CnsServiceImpl::class.java)
 private val threadFactory = ThreadFactoryBuilder().setNameFormat("cns-%d").build()
 private val threadPool =