Rotate secrets

This page describes how to update the Media CDN keys used for signed requests. A keyset can hold up to three public keys and three validation shared keys, for a total of six keys. Because Media CDN accepts a request signed with any key in the keyset, the safe rotation order is to add the new key, move your signers to it, and only then remove the old one, so that URLs signed with the old key keep validating during the changeover. If the keyset already holds three validation shared keys, you must delete one before you can add another. The following instructions show how to delete a validation shared key and how to add one.

Before you begin

  1. Configure your validation shared keys in Secret Manager.

  2. Grant the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) to the Media CDN service account, so that Media CDN can read the shared key values.

    1. In the Google Cloud console, go to the Secret Manager page.

      Go to Secret Manager

    2. Select the secret.
    3. In the info panel, click Add principal.
    4. For New principals, enter the Media CDN service account as follows:
      service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com

      Replace PROJECT_NUMBER with your project number.

    5. For Select a role, select Secret Manager, and then select Secret Manager Secret Accessor.
    6. Click Save.

    Alternatively, use the gcloud secrets add-iam-policy-binding command:

       gcloud secrets add-iam-policy-binding projects/PROJECT_NUMBER/secrets/SECRET_ID \
           --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com" \
           --role="roles/secretmanager.secretAccessor"
        

    Replace the following:

    • PROJECT_NUMBER: your project number
    • SECRET_ID: the ID of the secret

Delete a secret

Deleting a secret here removes the keyset's reference to a Secret Manager secret version; the secret version itself stays in Secret Manager. After the keyset is updated, requests signed with the removed key are no longer accepted.

  1. In the Google Cloud console, go to the Media CDN page.

    Go to Media CDN

  2. Click the Keysets tab.

  3. Select the keyset that has the secret that you want to delete, and then click Edit.

  4. To delete a secret, in the Keys > Validation shared keys section, click Delete next to the secret name.

  5. Click Update keyset.

To delete a secret key from a keyset, use the gcloud edge-cache keysets update command. The --validation-shared-key flags replace the keyset's entire list of validation shared keys, so list every key that you want to keep and omit the key that you want to delete.

In the following example, KEY_VERSION_1 isn't listed, while KEY_VERSION_2 and KEY_VERSION_3 are listed. Omitting KEY_VERSION_1 deletes it from the keyset.

gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3'

Replace the following:

  • KEYSET_NAME: the name of the keyset
  • PROJECT_NUMBER: your project number
  • SECRET_ID: the ID of the secret that you're updating
  • KEY_VERSION: the key version

Alternatively, export the keyset to a YAML file, edit it, and import it again:

  1. Export your keyset to a YAML file. Use the gcloud edge-cache keysets export command.

    gcloud edge-cache keysets export KEYSET_NAME \
        --destination=FILENAME.yaml
    

    Replace the following:

    • KEYSET_NAME: the name of your keyset—for example, prod-vod-keyset
    • FILENAME: the YAML filename
  2. Edit the exported keyset configuration file to remove the secret key. The following example shows how to remove the oldest secret key, which ends in KEY_VERSION_1:

    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_1"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
    

    Replace the following:

    • PROJECT_NUMBER: your project number
    • SECRET_ID: the ID of the secret that you're updating
    • KEY_VERSION: the key version

    The edited file looks similar to the following:

    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
    
  3. Import the edited keyset. Use the gcloud edge-cache keysets import command:

    gcloud edge-cache keysets import KEYSET_NAME \
        --source=FILENAME.yaml
    

Add a secret

  1. In the Google Cloud console, go to the Media CDN page.

    Go to Media CDN

  2. Click the Keysets tab.

  3. Select the keyset for which you want to add a secret, and then click Edit.

  4. To add a secret, in the Keys > Validation shared keys section, click Secret. Then, select a secret from the list, enter a secret manually by specifying its resource ID, or create a new secret and then select it.

  5. Select a secret version from the list or create a new secret version, and then select it.

  6. Click Update keyset.

To add a secret key to a keyset, use the gcloud edge-cache keysets update command. Because the --validation-shared-key flags replace the keyset's entire list, specify the keys that you already have as well as the key that you want to add.

In the following example, KEY_VERSION_1 was previously deleted and KEY_VERSION_4 is the key version being added. Listing KEY_VERSION_4 in addition to KEY_VERSION_2 and KEY_VERSION_3 adds it to the keyset while keeping the other two.

gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4'

Replace the following:

  • KEYSET_NAME: the name of the keyset
  • PROJECT_NUMBER: your project number
  • SECRET_ID: the ID of the secret that you're updating
  • KEY_VERSION: the key version

Alternatively, export the keyset to a YAML file, edit it, and import it again:

  1. Export your keyset to a YAML file. Use the gcloud edge-cache keysets export command.

    gcloud edge-cache keysets export KEYSET_NAME \
        --destination=FILENAME.yaml
    

    Replace the following:

    • KEYSET_NAME: the name of your keyset
    • FILENAME: the YAML filename
  2. In the exported keyset configuration file, add a new secretVersion line for the new key version, similar to the following. A keyset can hold at most three validation shared keys, so if the file already lists three, remove one before adding the new version:

    name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
    validationSharedKeys:
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
        - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4"
    
  3. Import the edited keyset. Use the gcloud edge-cache keysets import command:

    gcloud edge-cache keysets import KEYSET_NAME \
        --source=FILENAME.yaml
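
The delete and add procedures above are the two halves of one rotation. The following bash script is an added example and is not part of the Media CDN documentation. It ties the gcloud path together: it reads the secret versions the keyset currently references, drops the lowest-numbered version only when the keyset is already at the three-key limit, appends the new version, and issues a single keysets update that lists every key to keep. It assumes that all validation shared keys in the keyset reference versions of one Secret Manager secret (so the lowest version number is the oldest key), that gcloud is installed and authenticated against the keyset's project, and that the keyset and secret names in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the Media CDN documentation: rotate one validation
# shared key in a Media CDN keyset using gcloud.
# Assumptions: every validation shared key in the keyset references a version of
# ONE Secret Manager secret, so the lowest numeric version is the oldest key;
# gcloud is installed and authenticated against the keyset's project.
# Set DRY_RUN=1 to print the update command instead of running it.
set -euo pipefail

MAX_SHARED_KEYS=3   # Media CDN allows at most three validation shared keys per keyset

# Print the secretVersion resource names the keyset currently references, one per line.
current_shared_keys() {
  gcloud edge-cache keysets describe "$1" \
    --flatten='validationSharedKeys[]' \
    --format='value(validationSharedKeys.secretVersion)'
}

# Numeric Secret Manager version at the end of ".../versions/N".
version_number() { printf '%s\n' "${1##*/}"; }

# plan_rotation CURRENT_LIST NEW_VERSION
# Prints the list of secret versions the keyset should hold after the rotation.
# CURRENT_LIST is newline separated. If the keyset is already at the limit, the
# lowest-numbered version is dropped to make room; otherwise the new version is
# only appended, so URLs signed with older keys keep validating until you retire
# those keys in a later run. Fails if NEW_VERSION is already present.
plan_rotation() {
  local current="$1" new="$2" v lowest=""
  local -a keep=() trimmed=()
  while IFS= read -r v; do
    if [[ -z "$v" ]]; then continue; fi
    if [[ "$v" == "$new" ]]; then
      echo "error: $new is already in the keyset" >&2
      return 1
    fi
    keep+=("$v")
  done <<<"$current"
  if (( ${#keep[@]} >= MAX_SHARED_KEYS )); then
    for v in "${keep[@]}"; do
      if [[ -z "$lowest" ]] || (( $(version_number "$v") < $(version_number "$lowest") )); then
        lowest="$v"
      fi
    done
    for v in "${keep[@]}"; do
      if [[ "$v" != "$lowest" ]]; then trimmed+=("$v"); fi
    done
    keep=("${trimmed[@]}")
  fi
  keep+=("$new")
  printf '%s\n' "${keep[@]}"
}

# update_flags VERSION_LIST
# Turns the planned list into the repeated --validation-shared-key flags that
# gcloud edge-cache keysets update expects. The flags replace the keyset's whole
# list, so every key to keep must appear here; anything omitted is removed.
update_flags() {
  local v
  while IFS= read -r v; do
    if [[ -n "$v" ]]; then
      printf -- '--validation-shared-key=secret_version=%s\n' "$v"
    fi
  done <<<"$1"
}

# rotate_keyset KEYSET NEW_SECRET_VERSION: describe, plan, apply in one step.
rotate_keyset() {
  local keyset="$1" new="$2" plan f
  local -a flags=()
  plan="$(plan_rotation "$(current_shared_keys "$keyset")" "$new")"
  while IFS= read -r f; do flags+=("$f"); done <<<"$(update_flags "$plan")"
  if [[ "${DRY_RUN:-0}" == 1 ]]; then
    printf 'gcloud edge-cache keysets update %q' "$keyset"
    printf ' %q' "${flags[@]}"
    echo
  else
    gcloud edge-cache keysets update "$keyset" "${flags[@]}"
  fi
}

# Usage (placeholder names):
#   DRY_RUN=1 ./rotate_keyset.sh prod-vod-keyset \
#     projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/4
if [[ "${BASH_SOURCE[0]}" == "$0" && $# -eq 2 ]]; then
  rotate_keyset "$1" "$2"
fi
```

Run it once with DRY_RUN=1 and compare the printed command against the versions you expect to keep before applying it: because the update replaces the whole list, a mistake here silently drops a key and invalidates every URL signed with it.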