This page describes how to update Media CDN keys used for signed requests. You can have up to three public keys and three validation shared keys, for a total of six keys per keyset. To prevent exceeding those limits during a key rotation, see the following instructions about how to delete a validation shared key and how to add a key.
Before you begin

Grant the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) to the Media CDN service account.

Console

1. In the Google Cloud console, go to the Secret Manager page.
2. Select the secret.
3. In the info panel, click Add principal.
4. For New principals, enter the Media CDN service account as follows:

   service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com

   Replace PROJECT_NUMBER with your project number.
5. For Select a role, select Secret Manager, and then select Secret Manager Secret Accessor.
6. Click Save.

gcloud

Use the gcloud secrets add-iam-policy-binding command:

```
gcloud secrets add-iam-policy-binding projects/PROJECT_NUMBER/secrets/SECRET_ID \
    --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"
```

Replace the following:

- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret
Delete a secret

Console

1. In the Google Cloud console, go to the Media CDN page.
2. Click the Keysets tab.
3. Select the keyset that has the secret that you want to delete, and then click Edit.
4. To delete a secret, in the Keys > Validation shared keys section, click Delete next to the secret name.
5. Click Update keyset.

gcloud

To delete a secret key from a keyset, use the gcloud edge-cache keysets update command. Omit the key version that you want to delete and specify the key versions that you want to keep.

In the following example, KEY_VERSION_1 isn't listed, while KEY_VERSION_2 and KEY_VERSION_3 are listed. Omitting KEY_VERSION_1 deletes it from the keyset.

```
gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3'
```

Replace the following:

- KEYSET_NAME: the name of the keyset
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret that you're updating
- KEY_VERSION: the key version

text editor

1. Export your keyset to a YAML file. Use the gcloud edge-cache keysets export command:

   ```
   gcloud edge-cache keysets export KEYSET_NAME \
       --destination=FILENAME.yaml
   ```

   Replace the following:

   - KEYSET_NAME: the name of your keyset, for example, prod-vod-keyset
   - FILENAME: the YAML filename

2. Edit the exported keyset configuration file to remove the secret key. The following example shows how to remove the oldest secret key, which ends in KEY_VERSION_1:

   ```
   name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
   validationSharedKeys:
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_1"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
   ```

   Replace the following:

   - PROJECT_NUMBER: your project number
   - SECRET_ID: the ID of the secret that you're updating
   - KEY_VERSION: the key version

   The edited file looks similar to the following:

   ```
   name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
   validationSharedKeys:
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
   ```

3. Import the edited keyset. Use the gcloud edge-cache keysets import command:

   ```
   gcloud edge-cache keysets import KEYSET_NAME \
       --source=FILENAME.yaml
   ```
Add a secret

Console

1. In the Google Cloud console, go to the Media CDN page.
2. Click the Keysets tab.
3. Select the keyset for which you want to add a secret, and then click Edit.
4. To add a secret, in the Keys > Validation shared keys section, click Secret. Then, select a secret from the list, enter a secret manually by specifying its resource ID, or create a new secret and then select it.
5. Select a secret version from the list, or create a new secret version and then select it.
6. Click Update keyset.

gcloud

To add a secret key to a keyset, use the gcloud edge-cache keysets update command. Specify the key versions that you already have and the key version that you want to add.

In the following example, KEY_VERSION_1 was previously deleted and KEY_VERSION_4 is the key version being added. Listing KEY_VERSION_4 in addition to KEY_VERSION_2 and KEY_VERSION_3 adds it to the keyset.

```
gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4'
```

Replace the following:

- KEYSET_NAME: the name of the keyset
- PROJECT_NUMBER: your project number
- SECRET_ID: the ID of the secret that you're updating
- KEY_VERSION: the key version

text editor

1. Export your keyset to a YAML file. Use the gcloud edge-cache keysets export command:

   ```
   gcloud edge-cache keysets export KEYSET_NAME \
       --destination=FILENAME.yaml
   ```

   Replace the following:

   - KEYSET_NAME: the name of your keyset
   - FILENAME: the YAML filename

2. In the exported keyset configuration file, add a new secretVersion line that includes the new key version, similar to the following:

   ```
   name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
   validationSharedKeys:
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4"
   ```

3. Import the edited keyset. Use the gcloud edge-cache keysets import command:

   ```
   gcloud edge-cache keysets import KEYSET_NAME \
       --source=FILENAME.yaml
   ```
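The export, edit and import procedure above, for both the delete and the add variants, as an added script that is not part of this page or of the gcloud tooling: it rewrites the validationSharedKeys list of an exported keyset file and refuses to produce a file that would exceed the three-validation-shared-key limit stated at the top of the page. The sample export is constructed to mirror the one shown above; the function names and the line-based handling of the export are assumptions of this example.

```python
import re

# Limit stated on this page: at most three validation shared keys per keyset.
MAX_VALIDATION_SHARED_KEYS = 3
# One list entry under validationSharedKeys in the exported YAML, quoted or not.
_ENTRY = re.compile(r'^\s*- secretVersion:\s*"?([^"\s]+)"?\s*$')

def parse_validation_keys(yaml_text):
    """Return the secretVersion resource names listed in an exported keyset."""
    return [m.group(1) for m in map(_ENTRY.match, yaml_text.splitlines()) if m]

def rotate_validation_keys(yaml_text, retire=None, add=None,
                           limit=MAX_VALIDATION_SHARED_KEYS):
    """Drop `retire`, append `add`, rewrite the validationSharedKeys list.

    Raises ValueError if the result would exceed `limit` (the import would fail)
    or if `retire` is not in the keyset; all other export lines pass through.
    """
    keys = parse_validation_keys(yaml_text)
    if retire is not None and retire not in keys:
        raise ValueError(f"{retire} is not in this keyset")
    new_keys = [k for k in keys if k != retire]
    if add is not None and add not in new_keys:
        new_keys.append(add)
    if len(new_keys) > limit:
        raise ValueError(f"{len(new_keys)} validation shared keys exceeds "
                         f"the limit of {limit}; delete one before adding")
    entries = [f'- secretVersion: "{k}"' for k in new_keys]
    out, header_seen = [], False
    for line in yaml_text.splitlines():
        if _ENTRY.match(line):
            continue                         # old entries are re-emitted below
        if line.startswith("validationSharedKeys"):   # also covers "...: []"
            header_seen = True
            out.append("validationSharedKeys:")
            out.extend(entries)
        else:
            out.append(line)
    if not header_seen:                      # export had no shared keys yet
        out.extend(["validationSharedKeys:", *entries])
    return "\n".join(out) + "\n"

# Constructed sample mirroring the export shown on this page.
SAMPLE_EXPORT = """\
name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
validationSharedKeys:
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_1"
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
- secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
"""
```

Write the returned text to FILENAME.yaml and then run the gcloud edge-cache keysets import command shown above; retiring KEY_VERSION_1 and adding KEY_VERSION_4 in one pass keeps the keyset at three validation shared keys throughout the rotation.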