Rotate secrets

This page describes how to update the Media CDN keys used for signed requests. A keyset can hold up to three public keys and three validation shared keys, for a total of six keys. To stay within those limits during a key rotation, delete the validation shared key that you are retiring before you add its replacement, as described in the following sections.

Before you begin

  1. Configure your validation shared keys in Secret Manager.

  2. Grant the Secret Manager Access role (roles/secretmanager.secretAccessor) to the Media CDN service account.

    Console

    1. In the Google Cloud console, go to the Secret Manager page.

    2. Select the secret.
    3. In the info panel, click Add principal.
    4. For New principals, enter the Media CDN service account as follows:
      service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com

      Replace PROJECT_NUMBER with your project number.

    5. For Select a role, select Secret Manager, and then select Secret Manager Secret Accessor.
    6. Click Save.

    gcloud

    Use the gcloud secrets add-iam-policy-binding command:

       gcloud secrets add-iam-policy-binding projects/PROJECT_NUMBER/secrets/SECRET_ID \
           --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com" \
           --role="roles/secretmanager.secretAccessor"
        

    Replace the following:

    • PROJECT_NUMBER: your project number
    • SECRET_ID: the ID of the secret

Delete a secret

gcloud

To delete a secret key from a keyset, use the gcloud edge-cache keysets update command. Omit the key that you want to delete and specify every key that you want to keep; any key that isn't listed is removed from the keyset.

In the following example, KEY_VERSION_1 isn't listed, while KEY_VERSION_2 and KEY_VERSION_3 are listed. Omitting KEY_VERSION_1 deletes it from the keyset.

gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3'

Replace the following:

  • KEYSET_NAME: the name of the keyset
  • PROJECT_NUMBER: your project number
  • SECRET_ID: the ID of the secret that you are updating
  • KEY_VERSION: the Secret Manager version number of the key (KEY_VERSION_2 and KEY_VERSION_3 in this example)

The output is similar to the following:

Updated keyset [KEYSET_NAME].

text editor

  1. Export the keyset:

    gcloud edge-cache keysets export KEYSET_NAME \
        --destination=FILENAME.yaml
    

    Replace the following:

    • KEYSET_NAME: the name of your keyset
    • FILENAME: the filename that you want

    The output is similar to the following:

    [exported KEYSET_NAME]
    
  2. Edit the exported keyset configuration file to remove the secret key. The following example shows how to remove the oldest secret key, which ends in KEY_VERSION_1:

    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_1"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
    

    Replace the following:

    • PROJECT_NUMBER: your project number
    • SECRET_ID: the ID of the secret that you are updating
    • KEY_VERSION: the Secret Manager version number of the key

    The edited file looks similar to the following:

    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
    
  3. Run the following command to import the edited keyset:

    gcloud edge-cache keysets import KEYSET_NAME \
        --source=FILENAME.yaml
    

    The output is similar to the following:

    [imported KEYSET_NAME]
    

Add a secret

gcloud

To add a secret key to a keyset, use the gcloud edge-cache keysets update command. Specify every key that you currently have plus the key that you want to add; any key that you leave out is deleted from the keyset.

In the following example, KEY_VERSION_1 was previously deleted and KEY_VERSION_4 is the key being added. Listing KEY_VERSION_4 together with KEY_VERSION_2 and KEY_VERSION_3 adds it to the keyset.

gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4'

Replace the following:

  • KEYSET_NAME: the name of the keyset
  • PROJECT_NUMBER: your project number
  • SECRET_ID: the ID of the secret that you are updating
  • KEY_VERSION: the Secret Manager version number of the key (KEY_VERSION_2, KEY_VERSION_3, and KEY_VERSION_4 in this example)

The output is similar to the following:

Updated keyset [KEYSET_NAME].

text editor

  1. Export the keyset:

    gcloud edge-cache keysets export KEYSET_NAME \
        --destination=FILENAME.yaml
    

    Replace the following:

    • KEYSET_NAME: the name of your keyset
    • FILENAME: the filename that you want

    The output is similar to the following:

    [exported KEYSET_NAME]
    
  2. Edit the exported keyset configuration file to add the secret key. To add a secret key, add a new secretVersion line that includes a new key version, similar to the following:

    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4"
    
  3. Use the following command to import the new keyset:

    gcloud edge-cache keysets import KEYSET_NAME \
        --source=FILENAME.yaml
    

    The output is similar to the following:

    [imported KEYSET_NAME]
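The following script is an added example, not Google's code, that automates the "text editor" steps of both the "Delete a secret" and "Add a secret" sections as a single rotation: it reads the YAML written by gcloud edge-cache keysets export, drops the oldest validation shared key only when the keyset is already at the three-key limit, appends the new key, and writes the YAML back for gcloud edge-cache keysets import. It also builds the equivalent gcloud edge-cache keysets update command for the gcloud path. It assumes the export has the shape shown on this page (a name line and a validationSharedKeys list of secretVersion entries) and that version ids are the numeric ids Secret Manager assigns, so the lowest number is the oldest key. The project number 123456 and the secret id vod-signing-key are constructed sample values.

```python
"""Rotate a Media CDN validation shared key within the three-key limit.

Added example, not Google's code. Assumptions: the exported keyset has a
`name:` line and a `validationSharedKeys:` list of `secretVersion:` entries,
and version ids are numeric, so the lowest id is the oldest key.
"""
import re
from typing import List

# Limit stated on this page: at most three validation shared keys per keyset.
MAX_VALIDATION_SHARED_KEYS = 3

SECRET_VERSION_RE = re.compile(
    r'^\s*-\s*secretVersion:\s*"?'
    r'(?P<ref>projects/[^"\s]+/secrets/[^"\s]+/versions/[^"\s]+)"?\s*$'
)

# Constructed sample export (project number and secret id are made up).
SAMPLE_EXPORT = """\
name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
validationSharedKeys:
    - secretVersion: "projects/123456/secrets/vod-signing-key/versions/1"
    - secretVersion: "projects/123456/secrets/vod-signing-key/versions/2"
    - secretVersion: "projects/123456/secrets/vod-signing-key/versions/3"
"""


def parse_validation_shared_keys(yaml_text: str) -> List[str]:
    """Return the secretVersion references in the export, in file order."""
    refs = []
    for line in yaml_text.splitlines():
        match = SECRET_VERSION_RE.match(line)
        if match:
            refs.append(match.group("ref"))
    return refs


def version_of(ref: str) -> str:
    """The trailing Secret Manager version id of a secretVersion reference."""
    return ref.rsplit("/versions/", 1)[1]


def oldest_key(refs: List[str]) -> str:
    """Lowest numeric version id; if any id is non-numeric, fall back to the
    first entry, which is where this page lists the oldest key."""
    if refs and all(version_of(r).isdigit() for r in refs):
        return min(refs, key=lambda r: int(version_of(r)))
    return refs[0]


def rotate_keys(refs: List[str], new_ref: str,
                max_keys: int = MAX_VALIDATION_SHARED_KEYS) -> List[str]:
    """Delete first, then add: drop the oldest key only when the keyset is
    already at the limit, so the import never exceeds it."""
    if new_ref in refs:
        raise ValueError(f"{new_ref} is already in the keyset")
    kept = list(refs)
    if len(kept) >= max_keys:
        kept.remove(oldest_key(kept))
    kept.append(new_ref)
    if len(kept) > max_keys:
        raise ValueError(f"keyset would hold {len(kept)} keys, limit is {max_keys}")
    return kept


def render_keyset_yaml(yaml_text: str, refs: List[str]) -> str:
    """Rewrite only the validationSharedKeys block; every other line of the
    export (name, any publicKeys) is passed through unchanged."""
    kept = [ln for ln in yaml_text.splitlines()
            if ln.strip() != "validationSharedKeys:" and not SECRET_VERSION_RE.match(ln)]
    kept.append("validationSharedKeys:")
    kept.extend(f'    - secretVersion: "{r}"' for r in refs)
    return "\n".join(kept) + "\n"


def build_update_command(keyset_name: str, refs: List[str]) -> List[str]:
    """argv for the gcloud path on this page: every key to keep is listed,
    and any key left out of the list is deleted from the keyset."""
    cmd = ["gcloud", "edge-cache", "keysets", "update", keyset_name]
    cmd.extend(f"--validation-shared-key=secret_version={r}" for r in refs)
    return cmd


if __name__ == "__main__":
    current = parse_validation_shared_keys(SAMPLE_EXPORT)
    rotated = rotate_keys(current, "projects/123456/secrets/vod-signing-key/versions/4")
    print(render_keyset_yaml(SAMPLE_EXPORT, rotated))
    print(" ".join(build_update_command("prod-vod-keyset", rotated)))
```

Run it against a freshly exported file rather than a cached copy, so the key list it edits matches what the keyset actually holds; the rendered YAML is what you pass to gcloud edge-cache keysets import, and the argv from build_update_command is the single-command alternative from the gcloud tabs above.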