To enforce dual-token authentication when viewers access a streaming resource, you configure separate routes. A route is a configuration that matches requests for Media CDN and directs HTTP traffic to an origin. Media CDN supports routes for either HTTP live streaming (HLS) or Dynamic Adaptive Streaming over HTTP (DASH) resources. For more information about routes in Media CDN, see Configure service routes.
For HLS streams, Media CDN supports dual-token authentication through cookies and URL query parameters (cookieless). For DASH streams, Media CDN supports only cookie-based dual-token authentication.
This page describes how to configure Media CDN routes to help protect content by using dual-token authentication.
Before you begin
Do the following:
For short-duration tokens, choose one of the following signature algorithms:
- Ed25519 signatures
- Symmetric-key hash-based message authentication codes (HMACs)
You can enable symmetric HMAC signing algorithms only for routes configured to generate new long-duration tokens. We recommend that you use Ed25519 signatures for optimal performance and security and symmetric-key HMACs only when necessary for compatibility with other CDNs.
Include the required keys in an
EdgeCacheKeyset
resource.Tokens must be signed or verified with keys in an
EdgeCacheKeyset
resource. The keyset must include the correct keys for the selected signature algorithm. The following table describes each of the signature algorithms and their required keys.Signature algorithm Required keys in the keyset Ed25519 Public keys HMAC-SHA1 Validation shared keys HMAC-SHA256 Validation shared keys As a best practice, make two separate keysets, one for short-duration tokens and another for long-duration tokens.
However, if you're using DASH and dynamic media presentation description (MPD) files, you must use the same keyset for both long-duration and short-duration tokens.
For long-duration tokens, choose one of the following token formats:
- Cookies
- URL query parameters
Set up short-duration tokens
Depending on the signature algorithm that you want to use, set up short-duration tokens by using one of the following options.
Ed25519 signature
Generate a private key:
openssl genpkey -algorithm ed25519 -outform PEM -out SSL_KEY_NAME.private.key
Replace
SSL_KEY_NAME
with a key name.Generate a public key from the private key:
openssl pkey -outform DER -pubout -in SSL_KEY_NAME.private.key |\ tail -c +13 |\ python3 -c "import base64, sys; print(('%s' % base64.urlsafe_b64encode(sys.stdin.buffer.read()))[2:-1])"
Create a new keyset with a single public key:
Console
In the Google Cloud console, go to the Media CDN page.
Click the Keysets tab.
Click
Create keyset.For Name, enter a unique keyset name.
Optional: For Description, enter a description for your keyset.
Optional: Click Add label, and then enter one or more key-value pairs for your keyset.
Click Add public key, and then do the following:
- For ID, enter an alphanumeric ID.
- Select Enter the value, and then specify the base64-encoded value of your Ed25519 public key.
Click Create keyset.
gcloud
Use the
gcloud edge-cache keysets create
command.gcloud edge-cache keysets create SHORT_KEYSET_NAME \ --public-key='id=SSL_PUBLIC_KEY_NAME,value=SSL_PUBLIC_KEY_VALUE'
Replace the following:
SHORT_KEYSET_NAME
: a unique keyset name—for example,prod-vod-keyset
SSL_PUBLIC_KEY_NAME
: the name of your SSL public keySSL_PUBLIC_KEY_VALUE
: the value of your SSL public key
To review the keys associated with the keyset, use the
gcloud edge-cache keysets describe
command.gcloud edge-cache keysets describe prod-vod-keyset
The output is similar to the following:
name: prod-vod-keyset description: "Keyset for prod.example.com" publicKeys: - id: "key-20200918" value: "DThVLjhAKm3VYOvLBAwFZ5XbjVyF98Ias8NZU0WEM9w" - id: "key-20200808" value: "Lw7LDSaDUrbDdqpPA6JEmMF5BA5GPtd7sAjvsnh7uDA="
Terraform
Symmetric-key HMAC
If you haven't used Secret Manager before, configure Secret Manager.
Add a secret version in binary format.
Grant the Secret Manager Access role (
roles/secretmanager.secretAccessor
) to the Media CDN service account:Console
In the Google Cloud console, go to the Secret Manager page.
Select the checkbox next to the name of the secret.
Click Show Info Panel.
In the info panel, click Add principal.
For New principals, enter the Media CDN service account in this format:
service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com
Replace
PROJECT_NUMBER
with your project number.For Select a role, select Secret Manager, and then select Secret Manager Secret Accessor.
gcloud
Use the
gcloud secrets add-iam-policy-binding
command.gcloud secrets add-iam-policy-binding projects/PROJECT_NUMBER/secrets/SECRET_ID \ --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com" \ --role="roles/secretmanager.secretAccessor"
Replace the following:
PROJECT_NUMBER
: your project numberSECRET_ID
: the ID of the secret
Access your secret versions and copy the secret paths, including version numbers.
Create a new keyset with the shared secrets in a validation shared key:
Console
In the Google Cloud console, go to the Media CDN page.
Click the Keysets tab.
Click
Create keyset.For Name, enter a unique keyset name.
Optional: For Description, enter a description for your keyset.
Optional: Click Add label, and then enter one or more key-value pairs for your keyset.
To specify a validation shared key, click Add validation shared key, and then do the following:
For Secret, select a secret from the list, enter a secret manually by specifying its resource ID, or create a new secret and then select it.
For Secret version, select a version from the list or create a new secret version and then select it.
Click Create keyset.
gcloud
Use the
gcloud edge-cache keysets create
command.gcloud edge-cache keysets create SHORT_KEYSET_NAME \ --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION'
Replace the following:
SHORT_KEYSET_NAME
: a unique name for the keyset—for example,prod-vod-keyset
PROJECT_NUMBER
: your project IDSECRET_ID
: the resource ID of the secretKEY_VERSION
: the secret version that you want to use
Set up long-duration tokens
Google-owned and managed keys are scoped by keyset. That means that two different keysets have different Google-owned and managed keys. Google-owned and managed keys are rotated regularly.
Set up long-duration tokens by using one of the following options:
Console
In the Keys section, select Use Google-owned and managed key for dual-token authentication.
gcloud and YAML
Use either of the following options:
Create a Google-managed signing key:
gcloud edge-cache keysets create LONG_KEYSET_NAME \ --public-key='id=google-managed-key,managed=true'
Replace
LONG_KEYSET_NAME
with a key name—for example,prod-vod-keyset-long
.Modify an existing keyset:
Export your keyset to a YAML file. Use the
gcloud edge-cache keysets export
command.gcloud edge-cache keysets export LONG_KEYSET_NAME \ --destination=prod-vod-keyset-long.yaml
In a text editor or in your configuration management tooling, edit your keyset configuration so that it looks similar to the following:
name: projects/my-project/locations/global/edgeCacheKeysets/LONG_KEYSET_NAME publicKeys: - id: some-key value: MC4CAQAwBQYDK2VwBCIEINV2iYugIWBuvGBJUQ_Ab69E4v4zcVqvgYHw-iZxGzcd - id: google-managed-key managed: true
Import the edited keyset. Use the
gcloud edge-cache keysets import
command:gcloud edge-cache keysets import LONG_KEYSET_NAME \ --source=prod-vod-keyset-long.yaml
You can include additional public keys in the long-duration token keyset. The keyset may have at most three public keys. In practice, this means that the keyset can have two user-managed keys and one Google-owned and managed key.
Media CDN always uses the Google-owned and managed key to generate tokens. The user-managed keys can be used only for verification.
Including additional public keys is useful to let your player application access media playlists and media segments by using signed requests that are generated by your own private keys.
Configure token exchange
This section shows how to configure token exchange by creating multiple routes. A route lets you optimize behavior based on the type of content, client attributes, and your freshness requirements. In the following examples, we use routes to configure token exchange for each part of a media request.
Configure the primary manifest route to require short-duration tokens
Configure Media CDN to require short-duration tokens on the primary manifest route.
Console
Enable short-duration token authentication on the primary manifest route:
In the Google Cloud console, go to the Media CDN page.
To open the Details page of a service, click the service name.
To switch to the edit mode, click the Edit button.
To navigate to the Routing section, click Next.
Expand the host rule to which you'd like to add the primary manifest route rule.
Click Add route rule.
Alternatively, to edit a route rule, click
Edit on the respective row.In the Edit route rule pane, for Priority, set a value—for example,
1
.For Description, provide a brief description that can help identify the rule in the list of rules.
In the Match section, click Add a match condition. Then, do the following:
- For Match type, select Path template match.
- For Path match, specify the names or path templates for the HLS primary playlist (M3U8) or DASH manifest (MPD) file. For more information, see Path matching.
Click Advanced configurations.
In the Route action section, click Add an item.
For Type, select CDN policy.
In the Signed request section, for Signed request mode, select Require tokens.
In the Signed request keyset section, do the following:
To specify the keyset for short-duration tokens, click Select a keyset and select your short-duration token keyset.
Alternatively, to create a new keyset that has the keys that you need, click Create new keyset. Then, select it.
For Signature algorithm, select Ed25519 using public keys.
For Token query parameter, retain the default value,
edge-cache-token
.Alternatively, if you plan to use HLS manifest URL query parameters rather than cookies for authentication, specify the parameter in which to store the request tokens.
For Max time to live, specify, in seconds, the maximum lifespan of incoming request tokens.
To save the changes in the Route action section, click Done.
To save the changes in the route rule, click Save.
gcloud and YAML
Export your Media CDN configuration into a YAML file. Use the
gcloud edge-cache services export
command.gcloud edge-cache services export SERVICE_NAME \ --destination=FILENAME.yaml
Replace the following:
SERVICE_NAME
: the name of your serviceFILENAME
: the name of your YAML file
To enable short-duration token authentication in the primary manifest route rule, in the route's
cdnPolicy
section of the YAML file, specify asignedTokensOptions
configuration.pathMatchers: - name: "ROUTE_NAME" routeRules: - priority: 1 description: "ROUTE_DESCRIPTION" origin: "ORIGIN_NAME" matchRules: - pathTemplateMatch: "/MANIFEST_OR_PLAYLIST" routeAction: cdnPolicy: cacheMode: CACHE_ALL_STATIC signedRequestMode: REQUIRE_TOKENS signedRequestKeyset: SHORT_KEYSET_NAME signedRequestMaximumExpirationTtl: SIGNED_REQUEST_MAXIMUM_EXPIRATION_TIME signedTokenOptions: tokenQueryParameter: SHORT_TOKEN_NAME
Replace the following:
ROUTE_NAME
: the name of the route ruleROUTE_DESCRIPTION
: a description of the route ruleORIGIN_NAME
: the origin nameMANIFEST_OR_PLAYLIST
: the name of the HLS primary playlist (M3U8) or DASH manifest (MPD) file. For more information, see Path matching.SHORT_KEYSET_NAME
: the keyset name to use for short-duration tokensSIGNED_REQUEST_MAXIMUM_EXPIRATION_TIME
: the expiration time for signed requests—for example,600s
. For more information, seesignedRequestMaximumExpirationTtl
.- Optional:
SHORT_TOKEN_NAME
: the query parameter in which to find the short token. The default value isedge-cache-token
. For more information, seeSignedTokenOptions
.
When using symmetric-key HMACs, in the
signedTokenOptions
section, appendallowedSignatureAlgorithms
with its value asHMAC_SHA_256
:allowedSignatureAlgorithms: - HMAC_SHA_256
To update the service, import your Media CDN configuration from the YAML file. Use the
gcloud edge-cache services import
command.gcloud edge-cache services import SERVICE_NAME \ --source=FILENAME.yaml
This completes the process of enabling single-token authentication.
To configure dual-token authentication, proceed to the following sections.
Configure the primary manifest route rule to generate long-duration tokens
Configure Media CDN to generate long-duration tokens on the primary manifest route. Choose either cookies or URL query parameters to generate these tokens.
Console
Modify the primary manifest route rule so that Media CDN can generate long-duration tokens on the route:
- On the Edit route rule page, click Advanced configurations.
- For Type, select CDN policy.
- Expand Dual-token authentication.
- For Signature action, select Generate new long-duration token.
For Signature type, select either of the following options:
- via cookies (for HLS and DASH streaming): configures
Media CDN to return an
Edge-Cache-Cookie
with the primary manifest response. - via HLS manifest URL query parameters (cookieless): configures Media CDN to manipulate the HLS primary manifest by appending a long-duration token to each URL.
- via cookies (for HLS and DASH streaming): configures
Media CDN to return an
In the Generate new long-duration token section, do the following:
To specify a keyset for long-duration tokens, click Select a keyset and select your long-duration token keyset.
Alternatively, click Create new keyset to create a new keyset that has the keys that you need. Then, select it.
For Token TTL, specify, in seconds, the maximum lifespan of the long-duration token.
For Signature type, if you selected the via cookies option, then, in the Copied parameters section, select the parameters that you want Media CDN to copy from the short-duration token to the long-duration token. To use dual-token authentication, you must select either
PathGlobs
(or either of its aliases,acl
orpaths
) orURLPrefix
.If you selected the via HLS manifest URL query parameters option, for Token query parameter, retain the default value,
edge-cache-token
.
To save the changes in the Route action section, click Done.
To save the changes in the route rule, click Save.
A message appears asking if you'd like to create the routes for media playlists and segments automatically or manually. If you select the automatic option, a single new route is created for the cookies signature and two routes for the cookieless signature. If you select the manual option, proceed to the next section.
gcloud and YAML
Modify the addSignatures
section of the primary manifest route rule so that
Media CDN can generate long-duration tokens on the route:
Cookies
addSignatures:
actions:
- GENERATE_COOKIE
keyset: LONG_KEYSET_NAME
tokenTtl: TOKEN_EXPIRATION_TIME
copiedParameters:
- PathGlobs
- SessionID
Replace the following:
LONG_KEYSET_NAME
: the name of your long-duration token keysetTOKEN_EXPIRATION_TIME
: the expiration time of the long-duration token—for example,86400s
for a one-day expiration time
This code example implements the following changes:
addSignatures.actions: GENERATE_COOKIE
: configures Media CDN to return anEdge-Cache-Cookie
with the primary manifest responsecopiedParameters.PathGlobs
: configures Media CDN to copy thePathGlobs
from the short-duration token to the long-duration token. To use dual-token authentication, you must use eithercopiedParameters.PathGlobs
orcopiedParameters.URLPrefix
. For more information, seecopiedParameters
.Optional:
copiedParameters.SessionID
: configures Media CDN to copy theSessionID
from the short-duration token to the long-duration token
When the GENERATE_COOKIE
action is applied, Media CDN
returns a Set-Cookie
header similar to the following with the primary
manifest response:
Set-Cookie: Edge-Cache-Cookie=PathGlobs=PATHS~SessionID=SESSION_ID~Expires=EXPIRATION~_GO=Generated~Signature=SIGNATURE
URL query parameters
addSignatures:
actions:
- GENERATE_TOKEN_HLS_COOKIELESS
keyset: LONG_KEYSET_NAME
tokenTtl: TOKEN_EXPIRATION_TIME
copiedParameters:
- PathGlobs
- SessionID
tokenQueryParameter: LONG_TOKEN_NAME
Replace the following:
LONG_KEYSET_NAME
: the name of your long-duration keysetTOKEN_EXPIRATION_TIME
: the expiration time of the long-duration token—for example,86400s
for a one-day expiration time
This code example implements the following changes:
addSignatures.actions: GENERATE_TOKEN_HLS_COOKIELESS
: configures Media CDN to manipulate the HLS primary manifest by appending a long-duration token to each URI present.copiedParameters.PathGlobs
: configures Media CDN to copy thePathGlobs
from the short-duration token to the long-duration token. To use dual-token authentication, you must use one ofcopiedParameters.PathGlobs
orcopiedParameters.URLPrefix
. For more information, seecopiedParameters
.Optional:
copiedParameters.SessionID
: configures Media CDN to copy theSessionID
from the short-duration token to the long-duration token.Optional:
LONG_TOKEN_NAME
: the query parameter in which to put the generated long token. The default value isedge-cache-token
. For more information, seetokenQueryParameter
.
The following manifest file shows the GENERATE_TOKEN_HLS_COOKIELESS
action applied:
#EXTM3U #EXT-X-STREAM-INF:BANDWIDTH=1280000,AVERAGE-BANDWIDTH=1000000 http://example.com/HLS_PRIMARY_PLAYLIST.m3u8?LONG_TOKEN_NAME=PathGlobs=PATHS~SessionID=SESSION_ID~Expires=EXPIRATION~_GO=Generated~Signature=SIGNATURE
Media CDN verifies the short-duration token and then
generates and stores the long-duration token in the
LONG_TOKEN_NAME
query parameter.
Configure the media playlist and segments routes to require long-duration tokens
Configure the media playlist and segments routes to require long-duration tokens.
Console
Cookies
Create a route rule for the media playlist and segments route:
- On the Edit Edge Cache service page, in the Routing section, click the host rule that has the primary manifest route.
- Click Add route rule.
- In the Edit route rule pane, for Priority, set a value that's
greater than that of the primary manifest route—for example,
2
. Higher values indicate lower priority. - For Description, provide a brief description that can help identify the rule in the list of rules.
Set the following fields as suggested:
- Select an origin: same as for the primary manifest route rule
- Add a match condition: same as for the primary manifest route rule
- Type: CDN policy
- Signed request mode: Require tokens
- Select a keyset: same as for long-duration tokens
- Signature algorithm: same as for the primary manifest route rule
Expand Dual-token authentication.
For Signature action, retain the default value None.
Click Done, and then click Save.
URL query parameters
Create a route rule for the media playlist.
- On the Edit Edge Cache service page, in the Routing section, click the host rule that has the primary manifest route.
- Click Add route rule.
- In the Edit route rule pane, for Priority, set a value
that's greater than that of the primary manifest route—for
example,
2
. Higher values indicate lower priority. - For Description, provide a brief description that can help identify the rule in the list of rules.
Set the following fields as suggested:
- Select an origin: the same as for the primary manifest route rule
- Add a match condition: the same as for the primary manifest route rule
- Type: CDN policy
- Signed request mode: Require tokens
- Select a keyset: the same as for long-duration tokens
- Signature algorithm: the same as for the primary manifest route rule
- Token query parameter: the same as for long-duration tokens
Expand Dual-token authentication.
For Signature action, select Propagate existing long-duration token.
This option is enabled only after Media CDN verifies that the long-duration token was generated by using the via HLS manifest URL query parameters (cookieless) signature type.
For Token query parameter, retain the default value,
edge-cache-token
.Click Done, and then click Save.
Create a route rule for media segments.
This route is like the route for media playlists, with the following key differences:
- For Priority, set a value that's greater than that of the media
playlist route rule—for example,
3
. - For Description, provide a brief description that can help identify the rule in the list of rules.
- In the Dual-token authentication section, for Signature action, retain the default value None.
- For Priority, set a value that's greater than that of the media
playlist route rule—for example,
gcloud and YAML
Edit the YAML file:
Cookies
Configure the media playlist and segments to require long-duration cookies:
- priority: 2
description: "SEGMENTS_ROUTE_DESCRIPTION"
origin: "ORIGIN_NAME"
matchRules:
- pathTemplateMatch: "/**.m3u8" # HLS media playlists
- pathTemplateMatch: "/**.ts" # HLS segments
- pathTemplateMatch: "/**.m4s" # DASH / CMAF segments
routeAction:
cdnPolicy:
cacheMode: CACHE_ALL_STATIC
signedRequestMode: REQUIRE_TOKENS
signedRequestKeyset: LONG_KEYSET_NAME
Replace SEGMENTS_ROUTE_DESCRIPTION with a description of the route.
This code example implements the following changes:
priority: 2
: the priority of the route. Higher values indicate lower priority. Because the route for your media playlists and media segments matches any filename ending in.m3u8
, the priority for the route must be lower than the route you previously created for the primary manifest.signedRequestMode: REQUIRE_TOKENS
: enforces tokens for media playlists and media segments. If you're using static media presentation description (MPD) files, then the long and short keysets may be different. If you're using dynamic MPD files, then the long and short keysets must be the same.signedRequestKeyset: LONG_KEYSET_NAME
: Media CDN uses the long-duration keyset to validate the long-duration cookie supplied by a user agent for media playlist and media segment requests.
URL query parameters
Add two route configurations:
Configure the HLS media manifest routes to propagate long-duration tokens:
- priority: 2 description: "PLAYLIST_ROUTE_DESCRIPTION" origin: "ORIGIN_NAME" matchRules: - pathTemplateMatch: "/**.m3u8" # HLS media playlists routeAction: cdnPolicy: cacheMode: CACHE_ALL_STATIC signedRequestMode: REQUIRE_TOKENS signedRequestKeyset: LONG_KEYSET_NAME addSignatures: actions: - PROPAGATE_TOKEN_HLS_COOKIELESS
Replace PLAYLIST_ROUTE_DESCRIPTION with a description of the route.
This code example implements the following changes:
priority: 2
: the priority of the route. Higher values indicate lower priority. Because the route for your media playlists matches any filename ending in.m3u8
, the priority for the route must be lower than the route you previously created for the primary manifest.signedRequestMode: REQUIRE_TOKENS
: enforces tokens for media playlists and media segments. If you're using static media presentation description (MPD) files, the long and short keysets may be different. If you're using dynamic MPD files, then the long and short keysets must be the same.signedRequestKeyset: LONG_KEYSET_NAME
: Media CDN uses the long-duration keyset to validate the long-duration cookie supplied by a user agent for media playlist and media segment requests.addSignatures.actions: PROPAGATE_TOKEN_HLS_COOKIELESS
: configures Media CDN to copy the long-duration token to media segment URIs in the media playlists.
Configure the segment routes to require long-duration tokens:
- priority: 3 description: "SEGMENTS_ROUTE_DESCRIPTION" origin: "ORIGIN_NAME" matchRules: - pathTemplateMatch: "/**.ts" # HLS segments routeAction: cdnPolicy: cacheMode: CACHE_ALL_STATIC signedRequestMode: REQUIRE_TOKENS signedRequestKeyset: LONG_KEYSET_NAME
Replace SEGMENTS_ROUTE_DESCRIPTION with a description of the route.
This code example implements the following changes:
priority: 3
: the priority of the route. Higher values indicate lower priority. The priority for this route must be lower than the route you previously created for the media playlists.signedRequestMode: REQUIRE_TOKENS
: enforces tokens for media playlists and media segments.signedRequestKeyset: LONG_KEYSET_NAME
: Media CDN uses the long-duration keyset to validate the long-duration signed token supplied by a user agent for media playlist and media segment requests.
Example configuration file
The following code sample shows a completed configuration file:
Cookies
name: SERVICE_NAME
routing:
hostRules:
- hosts:
- DOMAIN_NAME
pathMatcher: routes
pathMatchers:
- name: "ROUTE_NAME"
routeRules:
- priority: 1
description: "ROUTE_DESCRIPTION"
origin: "ORIGIN_NAME"
matchRules:
- pathTemplateMatch: "/HLS_MASTER_PLAYLIST.m3u8" # HLS primary playlists
- pathTemplateMatch: "/DASH_MANIFESTS.mpd" # DASH manifests
routeAction:
cdnPolicy:
cacheMode: CACHE_ALL_STATIC
signedRequestMode: REQUIRE_TOKENS
signedRequestKeyset: SHORT_KEYSET_NAME
signedRequestMaximumExpirationTtl: SIGNED_REQUEST_MAXIMUM_EXPIRATION_TIME
addSignatures:
actions:
- GENERATE_COOKIE
keyset: LONG_KEYSET_NAME
tokenTtl: TOKEN_EXPIRATION_TIME
copiedParameters:
- PathGlobs
- SessionID
- priority: 2
description: "SEGMENTS_ROUTE_DESCRIPTION"
origin: "ORIGN_NAME"
matchRules:
- pathTemplateMatch: "/**.m3u8" # HLS media playlists
- pathTemplateMatch: "/**.ts" # HLS segments
- pathTemplateMatch: "/**.m4s" # DASH / CMAF segments
routeAction:
cdnPolicy:
cacheMode: CACHE_ALL_STATIC
signedRequestMode: REQUIRE_TOKENS
signedRequestKeyset: LONG_KEYSET_NAME
URL query parameters
name: SERVICE_NAME
routing:
hostRules:
- hosts:
- DOMAIN_NAME
pathMatcher: routes
pathMatchers:
- name: "ROUTE_NAME"
routeRules:
- priority: 1
description: "ROUTE_DESCRIPTION"
origin: "ORIGIN_NAME"
matchRules:
- pathTemplateMatch: "/HLS_PRIMARY_PLAYLIST.m3u8" # HLS primary playlists
routeAction:
cdnPolicy:
cacheMode: CACHE_ALL_STATIC
signedRequestMode: REQUIRE_TOKENS
signedRequestKeyset: SHORT_KEYSET_NAME
signedRequestMaximumExpirationTtl: SIGNED_REQUEST_MAXIMUM_EXPIRATION_TIME
signedTokenOptions:
tokenQueryParameter: SHORT_TOKEN_NAME
addSignatures:
actions:
- GENERATE_TOKEN_HLS_COOKIELESS
keyset: LONG_KEYSET_NAME
tokenTtl: TOKEN_EXPIRATION_TIME
tokenQueryParameter: LONG_TOKEN_NAME
copiedParameters:
- PathGlobs
- SessionID
- priority: 2
description: "PLAYLIST_ROUTE_DESCRIPTION"
origin: "ORIGIN_NAME"
matchRules:
- pathTemplateMatch: "/**.m3u8" # HLS media playlists
routeAction:
cdnPolicy:
cacheMode: CACHE_ALL_STATIC
signedRequestMode: REQUIRE_TOKENS
signedRequestKeyset: LONG_KEYSET_NAME
addSignatures:
actions:
- PROPAGATE_TOKEN_HLS_COOKIELESS
- priority: 3
description: "SEGMENTS_ROUTE_DESCRIPTION"
origin: "ORIGIN_NAME"
matchRules:
- pathTemplateMatch: "/**.ts" # HLS segments
routeAction:
cdnPolicy:
cacheMode: CACHE_ALL_STATIC
signedRequestMode: REQUIRE_TOKENS
signedRequestKeyset: LONG_KEYSET_NAME
Generate short-duration tokens at your application server
For information about generating tokens, see Generate tokens.
Apply defense-in-depth content protections
As a best practice, enable origin authentication as follows:
For Cloud Storage, use Identity and Access Management permissions with private Cloud Storage buckets.
For AWS-compatible storage providers, use AWS Signature Version 4. Using origin authentication blocks requests that attempt to circumvent Media CDN and access your origin directly.