This page describes how to update the keys that Media CDN uses to validate signed requests. A keyset can hold up to three public keys and three validation shared keys, for a total of six keys. To stay within those limits during a key rotation, the following sections show how to delete a validation shared key and how to add one. Removing a key from a keyset stops Media CDN from accepting requests signed with it, so delete a key only after the URLs signed with it are no longer in use.
Before you begin
- Grant the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) to the Media CDN service account on every secret that a keyset references. Media CDN reads the key material from Secret Manager with this service account, so each referenced secret needs this binding.
Console
- In the Google Cloud console, go to the Secret Manager page.
- Select the secret.
- In the info panel, click Add principal.
- For New principals, enter the Media CDN service account as follows:
    service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com
  Replace PROJECT_NUMBER with your project number.
- For Select a role, select Secret Manager, and then select Secret Manager Secret Accessor.
- Click Save.
gcloud
Use the gcloud secrets add-iam-policy-binding command:
    gcloud secrets add-iam-policy-binding projects/PROJECT_NUMBER/secrets/SECRET_ID \
        --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com" \
        --role="roles/secretmanager.secretAccessor"
Replace the following:
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret
Delete a secret
Console
- In the Google Cloud console, go to the Media CDN page.
- Click the Keysets tab.
- Select the keyset that has the secret that you want to delete, and then click Edit.
- To delete a secret, in the Keys > Validation shared keys section, click Delete next to the secret name.
- Click Update keyset.
gcloud
To remove a validation shared key from a keyset, use the gcloud edge-cache keysets update command. The --validation-shared-key flags that you pass replace the keyset's current list of validation shared keys, so omit the key that you want to remove and list every key that you want to keep. This removes only the reference from the keyset; the secret and its versions remain in Secret Manager.
In the following example, KEY_VERSION_1 isn't listed, while KEY_VERSION_2 and KEY_VERSION_3 are. Omitting KEY_VERSION_1 removes it from the keyset.
    gcloud edge-cache keysets update KEYSET_NAME \
        --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
        --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3'
Replace the following:
- KEYSET_NAME: the name of the keyset
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret that you're updating
- KEY_VERSION_2, KEY_VERSION_3: the versions of the secret to keep
text editor
- Export your keyset to a YAML file. Use the gcloud edge-cache keysets export command:
    gcloud edge-cache keysets export KEYSET_NAME \
        --destination=FILENAME.yaml
  Replace the following:
  - KEYSET_NAME: the name of your keyset, for example prod-vod-keyset
  - FILENAME: the YAML filename
- Edit the exported keyset configuration file to remove the key. The following example shows an exported keyset with three validation shared keys, from which the oldest key, the one ending in KEY_VERSION_1, is to be removed:
    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
    - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_1"
    - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
    - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
  Replace the following:
  - PROJECT_NUMBER: your project number
  - SECRET_ID: the ID of the secret that you're updating
  - KEY_VERSION_1, KEY_VERSION_2, KEY_VERSION_3: the versions of the secret
  The edited file, with the KEY_VERSION_1 line deleted, looks similar to the following:
    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
    - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
    - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
- Import the edited keyset. Use the gcloud edge-cache keysets import command:
    gcloud edge-cache keysets import KEYSET_NAME \
        --source=FILENAME.yaml
Add a secret
Console
- In the Google Cloud console, go to the Media CDN page.
- Click the Keysets tab.
- Select the keyset for which you want to add a secret, and then click Edit.
- To add a secret, in the Keys > Validation shared keys section, click Secret. Then, select a secret from the list, enter a secret manually by specifying its resource ID, or create a new secret and then select it.
- Select a secret version from the list, or create a new secret version and then select it.
- Click Update keyset.
gcloud
To add a validation shared key to a keyset, use the gcloud edge-cache keysets update command. Because the --validation-shared-key flags replace the keyset's current list, list every key that you want to keep as well as the key that you want to add; a key that you leave out is removed. Before you run the command, make sure that the keyset has fewer than three validation shared keys, and that the Media CDN service account can access the new secret version.
In the following example, KEY_VERSION_1 was previously deleted and KEY_VERSION_4 is the key version being added. Listing KEY_VERSION_4 in addition to KEY_VERSION_2 and KEY_VERSION_3 adds it to the keyset.
    gcloud edge-cache keysets update KEYSET_NAME \
        --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
        --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3' \
        --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4'
Replace the following:
- KEYSET_NAME: the name of the keyset
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret that you're updating
- KEY_VERSION_2, KEY_VERSION_3, KEY_VERSION_4: the versions of the secret
text editor
- Export your keyset to a YAML file. Use the gcloud edge-cache keysets export command:
    gcloud edge-cache keysets export KEYSET_NAME \
        --destination=FILENAME.yaml
  Replace the following:
  - KEYSET_NAME: the name of your keyset
  - FILENAME: the YAML filename
- In the exported keyset configuration file, add a new secretVersion line that includes the new key version, similar to the following:
    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
    - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
    - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
    - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4"
- Import the edited keyset. Use the gcloud edge-cache keysets import command:
    gcloud edge-cache keysets import KEYSET_NAME \
        --source=FILENAME.yaml
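The delete and add procedures above are the two halves of a key rotation. The following shell script is an added example, not code from this page or from Google's Media CDN tooling: it scripts the export, edit, import round trip of the text editor sections so that the three-key limit and the "key not present" and "key already present" cases are checked locally before anything is imported. It assumes the exported YAML has the shape shown on this page (one "- secretVersion:" line per key under "validationSharedKeys:"), that the secret lives in the Media CDN project and is addressed by project number, and that the sample keyset written by write_sample_keyset is constructed data. keyset_edit_live and check_secret_access call gcloud against a real project and are not exercised offline; all other functions work on a local file.

```shell
#!/bin/sh
# Added example: scripted export / edit / import rotation for a Media CDN keyset.
# Assumption: exported YAML lists keys as '- secretVersion: "..."' under
# 'validationSharedKeys:', as shown on this page.

MAX_VALIDATION_SHARED_KEYS=3   # per-keyset limit stated on this page

# sed program that prints the resource name from a '- secretVersion:' line (quoted or not).
_SV_RE='s/^[[:space:]]*- secretVersion:[[:space:]]*"\{0,1\}\([^" ]*\)"\{0,1\}[[:space:]]*$/\1/p'

keyset_list_keys() { sed -n "$_SV_RE" "$1"; }                 # keyset_list_keys FILE
_key_of_line() { printf '%s\n' "$1" | sed -n "$_SV_RE"; }     # one line -> key or nothing
keyset_count_keys() { keyset_list_keys "$1" | awk 'END { print NR }'; }

# Remove one key from the exported file (the "delete a secret" step). Fails when
# the key is not listed, so a typo cannot silently become a no-op import.
keyset_remove_key() {                                          # keyset_remove_key FILE SECRET_VERSION
  file=$1; version=$2; tmp="$file.tmp.$$"; found=0
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$(_key_of_line "$line")" = "$version" ]; then found=1; continue; fi
    printf '%s\n' "$line"
  done < "$file" > "$tmp"
  if [ "$found" -eq 0 ]; then
    rm -f "$tmp"; echo "not in keyset: $version" >&2; return 1
  fi
  mv "$tmp" "$file"
}

# Add one key (the "add a secret" step), refusing duplicates and enforcing the
# per-keyset limit before anything is sent to the API.
keyset_add_key() {                                             # keyset_add_key FILE SECRET_VERSION
  file=$1; version=$2; tmp="$file.tmp.$$"
  if keyset_list_keys "$file" | grep -qxF -- "$version"; then
    echo "already in keyset: $version" >&2; return 1
  fi
  n=$(keyset_count_keys "$file")
  if [ "$n" -ge "$MAX_VALIDATION_SHARED_KEYS" ]; then
    echo "keyset already has $n validation shared keys; remove one first" >&2; return 1
  fi
  if grep -q '^validationSharedKeys:' "$file"; then
    # insert right after the list header; key order has no meaning for validation
    awk -v v="$version" '{ print } /^validationSharedKeys:/ { printf "- secretVersion: \"%s\"\n", v }' "$file" > "$tmp"
  else
    { cat "$file"; printf 'validationSharedKeys:\n- secretVersion: "%s"\n' "$version"; } > "$tmp"
  fi
  mv "$tmp" "$file"
}

# Media CDN service account for the project number in a secret-version resource
# name (assumes the secret is in the Media CDN project, as on this page).
mediacdn_sa_for_version() {
  rest=${1#projects/}
  printf 'service-%s@gcp-sa-mediaedgefill.iam.gserviceaccount.com\n' "${rest%%/*}"
}

# Live pre-check (calls gcloud; not run offline): does the secret's IAM policy
# mention the Media CDN service account at all? Checks the principal, not the role.
check_secret_access() {                                        # check_secret_access SECRET_VERSION
  secret=${1%/versions/*}; sa=$(mediacdn_sa_for_version "$1")
  gcloud secrets get-iam-policy "$secret" --format=json | grep -q "serviceAccount:$sa" || {
    echo "no binding for $sa on $secret; grant roles/secretmanager.secretAccessor first" >&2; return 1; }
}

# One live round trip (calls gcloud): export, apply a single edit, import.
keyset_edit_live() {                                           # keyset_edit_live KEYSET add|remove SECRET_VERSION
  keyset=$1; op=$2; version=$3; file=$(mktemp)
  gcloud edge-cache keysets export "$keyset" --destination="$file"
  case $op in
    add)    check_secret_access "$version" && keyset_add_key "$file" "$version" ;;
    remove) keyset_remove_key "$file" "$version" ;;
    *)      echo "usage: keyset_edit_live KEYSET add|remove SECRET_VERSION" >&2; false ;;
  esac || { rm -f "$file"; return 1; }
  gcloud edge-cache keysets import "$keyset" --source="$file"
  rm -f "$file"
}

# Constructed sample keyset in the shape shown on this page (not real data).
write_sample_keyset() {                                        # write_sample_keyset FILE
  cat > "$1" <<'EOF'
name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
validationSharedKeys:
- secretVersion: "projects/123456/secrets/vod-key/versions/1"
- secretVersion: "projects/123456/secrets/vod-key/versions/2"
- secretVersion: "projects/123456/secrets/vod-key/versions/3"
EOF
}

# Offline walk-through of the edit: the sample keyset is full, so remove before add.
demo_offline() {
  f=$(mktemp); write_sample_keyset "$f"
  keyset_remove_key "$f" projects/123456/secrets/vod-key/versions/1
  keyset_add_key "$f" projects/123456/secrets/vod-key/versions/4
  cat "$f"; rm -f "$f"
}
if [ "${1:-}" = demo ]; then demo_offline; fi
```

When the keyset has fewer than three validation shared keys, the safe order is: keyset_edit_live KEYSET add NEW_VERSION, switch your URL signer to the new version, wait until URLs signed with the old version are no longer in use, then keyset_edit_live KEYSET remove OLD_VERSION. When the keyset is already full, you have to remove first, which opens a window in which requests signed with the removed key are rejected; plan that removal for a key whose signed URLs have expired.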