Create and update keysets

This guide shows how to create and update keysets for Media CDN.

Before you begin

The EdgeCacheKeyset that you configure for verifying signed request tokens must include the correct keys for the signature algorithm that you choose.

The following table describes each of the signature algorithms and their required keys.

Signature algorithm    Required keys in the keyset
Ed25519                Public keys
HMAC-SHA1              Validation shared keys
HMAC-SHA256            Validation shared keys

At a minimum, you must have either a public key or a validation shared key. You can have up to three public keys and three validation shared keys, for a total of six keys per keyset. For information on generating HMACs when using dual-token authentication, see Generate tokens.

Create a keyset

To create a new keyset, do the following:

Console

  1. In the Google Cloud console, go to the Media CDN page.

  2. Click the Keysets tab.
  3. Click Create keyset.
  4. For Name, enter a unique keyset name—for example, prod-vod-keyset.
  5. Optional: For Description, enter a description for your keyset.
  6. Optional: Click Add label and enter one or more key-value pairs for your keyset.
  7. Specify at least one public key or one validation key.

    To specify a public key, click Add public key and then do the following:

    1. For ID, enter an alphanumeric ID.
    2. Select Enter the value and specify the base64-encoded value of your Ed25519 public key. Alternatively, select Use Google-managed key for dual-token authentication.
  8. To specify a validation shared key, click Add validation shared key, and then do the following:
    1. For Secret, select a secret from the list, enter a secret manually by specifying its resource ID, or create a new secret and then select it.
    2. For Secret version, select a secret version from the list or create a new secret version and then select it.
  9. Click Create keyset.

gcloud

Use the gcloud edge-cache keysets create command.

gcloud edge-cache keysets create SHORT_KEYSET_NAME \
    --public-key='id=SSL_PUBLIC_KEY_NAME,value=SSL_PUBLIC_KEY_VALUE'

Replace the following:

  • SHORT_KEYSET_NAME: a unique name for the keyset—for example, prod-vod-keyset
  • SSL_PUBLIC_KEY_NAME: the name of your SSL public key
  • SSL_PUBLIC_KEY_VALUE: the value of your SSL public key

To review the keys associated with a keyset, use the gcloud edge-cache keysets describe command.

gcloud edge-cache keysets describe prod-vod-keyset

The output is similar to the following:

name: prod-vod-keyset
description: "Keyset for prod.example.com"
publicKeys:
  - id: "key-20200918"
    value: "DThVLjhAKm3VYOvLBAwFZ5XbjVyF98Ias8NZU0WEM9w"
  - id: "key-20200808"
    value: "Lw7LDSaDUrbDdqpPA6JEmMF5BA5GPtd7sAjvsnh7uDA="

Terraform

resource "google_network_services_edge_cache_keyset" "default" {
  name        = "prod-vod-keyset"
  description = "Keyset for prod.example.com"
  public_key {
    id    = "key-20200918"
    value = "FHsTyFHNmvNpw4o7-rp-M1yqMyBF8vXSBRkZtkQ0RKY" # Update Ed25519 public key
  }
  public_key {
    id    = "key-20200808"
    value = "Lw7LDSaDUrbDdqpPA6JEmMF5BA5GPtd7sAjvsnh7uDA=" # Update Ed25519 public key
  }
}
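
A pre-flight check for the key limits and public key format described above, run before a keyset is created or updated. This is an added example, not part of the original guide or of any Google tooling. The function names are hypothetical, and it assumes that values may use the standard or URL-safe base64 alphabet with or without padding (as in the samples on this page) and that key IDs are unique within a keyset.

```python
import base64
import binascii

MAX_PUBLIC_KEYS = 3   # page: up to three public keys per keyset
MAX_SHARED_KEYS = 3   # page: up to three validation shared keys per keyset
ED25519_KEY_LEN = 32  # a raw Ed25519 public key is always 32 bytes

def decode_public_key(value):
    """Decode a base64 value (standard or URL-safe alphabet, padded or not)."""
    std = value.strip().replace("-", "+").replace("_", "/").rstrip("=")
    std += "=" * (-len(std) % 4)
    try:
        raw = base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64 ({exc})") from exc
    if len(raw) != ED25519_KEY_LEN:
        raise ValueError(f"decodes to {len(raw)} bytes, expected {ED25519_KEY_LEN}")
    return raw

def check_keyset(public_keys, shared_key_count=0):
    """Return a list of problems found; an empty list means the keyset passes."""
    problems = []
    if not public_keys and shared_key_count == 0:
        problems.append("need at least one public key or validation shared key")
    if len(public_keys) > MAX_PUBLIC_KEYS:
        problems.append(f"{len(public_keys)} public keys, limit is {MAX_PUBLIC_KEYS}")
    if shared_key_count > MAX_SHARED_KEYS:
        problems.append(f"{shared_key_count} shared keys, limit is {MAX_SHARED_KEYS}")
    ids, material = set(), {}
    for key in public_keys:
        key_id, value = key["id"], key["value"]
        if key_id in ids:  # assumption: IDs must be unique within a keyset
            problems.append(f"duplicate key id {key_id!r}")
        ids.add(key_id)
        try:
            raw = decode_public_key(value)
        except ValueError as exc:
            problems.append(f"{key_id}: {exc}")
            continue
        if raw in material:  # same key material listed under two IDs
            problems.append(f"{key_id}: same key material as {material[raw]!r}")
        material.setdefault(raw, key_id)
    return problems

# The two public keys from the describe output shown on this page.
PAGE_KEYSET = [
    {"id": "key-20200918", "value": "DThVLjhAKm3VYOvLBAwFZ5XbjVyF98Ias8NZU0WEM9w"},
    {"id": "key-20200808", "value": "Lw7LDSaDUrbDdqpPA6JEmMF5BA5GPtd7sAjvsnh7uDA="},
]
```

Calling check_keyset(PAGE_KEYSET) returns an empty list. A truncated or mis-pasted value is reported against its key ID.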

Modify a keyset

To modify a keyset, do the following:

Console

  1. In the Google Cloud console, go to the Media CDN page.

  2. Click the Keysets tab.
  3. Click the keyset name.
  4. To switch to the edit mode, click the Edit button.
  5. Make the changes that you need, and then click Update keyset.

gcloud

Use the gcloud edge-cache keysets update command:

gcloud edge-cache keysets update KEYSET_NAME