This page describes how to update the Media CDN keys used for signed requests. A keyset can hold up to three public keys and three validation shared keys, six keys in total. To stay within those limits during a key rotation, remove a key that you no longer need before you add its replacement; the following sections describe how to delete a validation shared key and how to add one.
Before you begin
Grant the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) to the Media CDN service account. Grant the role on the secret itself, as shown here, rather than at the project level, so that the service account can read only the signing secret.
Console
- In the Google Cloud console, go to the Secret Manager page.
- Select the secret.
- In the info panel, click Add principal.
- For New principals, enter the Media CDN service account as follows:
  service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com
  Replace PROJECT_NUMBER with your project number.
- For Select a role, select Secret Manager, and then select Secret Manager Secret Accessor.
- Click Save.
gcloud
Use the gcloud secrets add-iam-policy-binding command:
gcloud secrets add-iam-policy-binding projects/PROJECT_NUMBER/secrets/SECRET_ID \
    --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"
Replace the following:
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret
Delete a secret
Requests that were signed with a key stop validating as soon as that key is removed from the keyset, so delete a key only after every signed URL or signed cookie issued with it has expired.
gcloud
To delete a secret key from a keyset, use the gcloud edge-cache keysets update command. The command replaces the whole list of validation shared keys, so omit the key that you want to delete and specify every key that you want to keep.
In the following example, KEY_VERSION_1 isn't listed, while KEY_VERSION_2 and KEY_VERSION_3 are listed. Omitting KEY_VERSION_1 deletes it from the keyset.
gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3'
Replace the following:
- KEYSET_NAME: the name of the keyset
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret that you are updating
- KEY_VERSION: the key version
The output is similar to the following:
Updated keyset [KEYSET_NAME].
text editor
Export the keyset:
gcloud edge-cache keysets export KEYSET_NAME \
    --destination=FILENAME.yaml
Replace the following:
- KEYSET_NAME: the name of your keyset
- FILENAME: the filename that you want
The output is similar to the following:
[exported KEYSET_NAME]
Edit the exported keyset configuration file to remove the secret key. The following example shows how to remove the oldest secret key, which ends in KEY_VERSION_1:
name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
validationSharedKeys:
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_1"
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
Replace the following:
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret that you are updating
- KEY_VERSION: the key version
The edited file looks similar to the following:
name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
validationSharedKeys:
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
Run the following command to import the edited keyset:
gcloud edge-cache keysets import KEYSET_NAME \
    --source=FILENAME.yaml
The output is similar to the following:
[imported KEYSET_NAME]
Add a secret
Add the new key to the keyset before your signing service starts issuing requests signed with it; until the keyset update is applied, requests signed with a key that is not in the keyset fail validation.
gcloud
To add a secret key to a keyset, use the gcloud edge-cache keysets update command. The command replaces the whole list of validation shared keys, so specify the keys that you currently have as well as the key that you want to add.
In the following example, KEY_VERSION_1 was previously deleted and KEY_VERSION_4 is the key being added. Listing KEY_VERSION_4 in addition to KEY_VERSION_2 and KEY_VERSION_3 adds it to the keyset.
gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4'
Replace the following:
- KEYSET_NAME: the name of the keyset
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret that you are updating
- KEY_VERSION: the key version
The output is similar to the following:
Updated keyset [KEYSET_NAME].
text editor
Export the keyset:
gcloud edge-cache keysets export KEYSET_NAME \
    --destination=FILENAME.yaml
Replace the following:
- KEYSET_NAME: the name of your keyset
- FILENAME: the filename that you want
The output is similar to the following:
[exported KEYSET_NAME]
Edit the exported keyset configuration file to add the secret key. To add a secret key, add a new secretVersion line that includes a new key version, similar to the following:
name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
validationSharedKeys:
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4"
Use the following command to import the new keyset:
gcloud edge-cache keysets import KEYSET_NAME \
    --source=FILENAME.yaml
The output is similar to the following:
[imported KEYSET_NAME]
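The delete and add procedures above are the two halves of one rotation, and the easy mistake is to add the fourth key before removing the oldest, which exceeds the three-key limit, or to drop a key from the update command by accident and delete it. The following script is an added example, not part of the Media CDN documentation or of gcloud: it plans a rotation from an exported keyset file entirely offline, then prints both the edited YAML for keysets import and the equivalent keysets update command, so you can review exactly which keys survive before running anything. It assumes the exported file has the shape shown on this page (a validationSharedKeys list of secretVersion entries), that Secret Manager version numbers increase over time so the lowest number is the oldest key, and the project number, secret ID and keyset name in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the Media CDN docs or gcloud): plan a validation
# shared key rotation from an exported keyset file without calling gcloud.
# Assumptions: the export has the shape shown on this page, version numbers
# grow over time (lowest = oldest), and all IDs below are constructed.

MAX_SHARED_KEYS=3   # Media CDN allows at most three validation shared keys per keyset

# Constructed sample export, in the form `gcloud edge-cache keysets export` writes.
SAMPLE_KEYSET='name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
validationSharedKeys:
- secretVersion: "projects/123456789/secrets/vod-signing-key/versions/1"
- secretVersion: "projects/123456789/secrets/vod-signing-key/versions/2"
- secretVersion: "projects/123456789/secrets/vod-signing-key/versions/3"
'
KEYSET_FILE=$(mktemp)
printf '%s' "$SAMPLE_KEYSET" > "$KEYSET_FILE"
NEW_VERSION='projects/123456789/secrets/vod-signing-key/versions/4'

# list_versions FILE: print each secretVersion resource name, one per line.
list_versions() {
  sed -n 's/^[[:space:]]*-[[:space:]]*secretVersion:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# count_versions FILE: number of validation shared keys currently in the keyset.
count_versions() {
  list_versions "$1" | wc -l | tr -d ' '
}

# oldest_version FILE: the entry whose numeric version suffix is lowest.
oldest_version() {
  list_versions "$1" | awk -F/ '{ v = $NF + 0; if (NR == 1 || v < min) { min = v; name = $0 } } END { print name }'
}

# plan_rotation FILE NEW: print the key list after rotation. Refuses a
# duplicate, and drops the oldest key first when the keyset is already at the
# limit, so the resulting update never exceeds MAX_SHARED_KEYS.
plan_rotation() {
  file=$1; new=$2
  if list_versions "$file" | grep -q -x -F -- "$new"; then
    echo "plan_rotation: $new is already in the keyset" >&2
    return 1
  fi
  if [ "$(count_versions "$file")" -ge "$MAX_SHARED_KEYS" ]; then
    old=$(oldest_version "$file")
    list_versions "$file" | grep -v -x -F -- "$old"
  else
    list_versions "$file"
  fi
  printf '%s\n' "$new"
}

# rotated_yaml FILE NEW: the edited keyset file, ready for `keysets import`.
rotated_yaml() {
  plan=$(plan_rotation "$1" "$2") || return 1
  grep '^name:' "$1"
  echo 'validationSharedKeys:'
  printf '%s\n' "$plan" | sed 's/^/- secretVersion: "/; s/$/"/'
}

# update_command KEYSET_NAME VERSION...: the equivalent `keysets update` call.
# The update replaces the whole list, so every key to keep must be listed.
update_command() {
  keyset=$1; shift
  cmd="gcloud edge-cache keysets update $keyset"
  for v in "$@"; do
    cmd="$cmd --validation-shared-key='secret_version=$v'"
  done
  printf '%s\n' "$cmd"
}

# Demonstration on the constructed sample: show the edited file, then the
# update command built from the same plan (resource names contain no spaces,
# so word-splitting the plan into arguments is safe).
rotated_yaml "$KEYSET_FILE" "$NEW_VERSION"
update_command prod-vod-keyset $(plan_rotation "$KEYSET_FILE" "$NEW_VERSION")
```

Run it against your real export (replace KEYSET_FILE and NEW_VERSION), confirm that the key being dropped is one whose signed URLs and cookies have all expired, and only then import the printed YAML or run the printed update command.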