Stay organized with collections
Save and categorize content based on your preferences.
This guide shows how to create and update keysets for Media CDN.
Before you begin
The EdgeCacheKeyset that you configure for verifying signed request tokens
must include the correct keys for the signature algorithm that you choose.
The following table describes each of the signature algorithms and their
required keys.
Signature algorithm
Required keys in the keyset
Ed25519
Public keys
HMAC-SHA1
Validation shared keys
HMAC-SHA256
Validation shared keys
At a minimum, you must have either a public key or a validation shared key. You
can have up to three public keys and three validation shared keys, for a
total of six keys per keyset. For information on generating HMACs when using
dual-token authentication,
see Generate tokens.
Create a keyset
To create a new keyset, do the following:
Console
In the Google Cloud console, go to the Media CDN page.
For Name, enter a unique keyset name—for example,
prod-vod-keyset.
Optional: For Description, enter a description for your keyset.
Optional: Click Add label and enter one or more key-value pairs for your keyset.
Specify at least one public key or one validation key.
To specify a public key, click Add public key and then do the following:
For ID, enter an alphanumeric ID.
Select Enter the value and specify the base64-encoded
value of your Ed25519 public key. Alternatively, select
Use Google-managed key for dual-token authentication.
To specify a validation shared key, click Add validation
shared key, and then do the following:
For Secret, select a secret from the list, enter a
secret manually by specifying its resource ID, or
create a new secret and then select it.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Create and update keysets\n\nThis guide shows how to create and update keysets for Media CDN.\n\nBefore you begin\n----------------\n\nThe `EdgeCacheKeyset` that you configure for verifying signed request tokens\nmust include the correct keys for the signature algorithm that you choose.\n\nThe following table describes each of the signature algorithms and their\nrequired keys.\n\nAt a minimum, you must have either a public key or a validation shared key. You\ncan have up to three public keys and three validation shared keys, for a\ntotal of six keys per keyset. For information on generating HMACs when using\n[dual-token authentication](/media-cdn/docs/use-dual-token-authentication),\nsee [Generate tokens](/media-cdn/docs/generate-tokens).\n\nCreate a keyset\n---------------\n\nTo create a new keyset, do the following: \n\n### Console\n\n1. In the Google Cloud console, go to the **Media CDN** page.\n\n [Go to Media CDN](https://console.cloud.google.com/net-services/media-cdn)\n2. Click the **Keysets** tab.\n3. Click add**Create keyset**.\n4. For **Name** , enter a unique keyset name---for example, `prod-vod-keyset`.\n5. Optional: For **Description**, enter a description for your keyset.\n6. Optional: Click **Add label** and enter one or more key-value pairs for your keyset.\n7. Specify at least one public key or one validation key. To specify a public key, click **Add public key** and then do the following:\n\n 1. For **ID**, enter an alphanumeric ID.\n 2. Select **Enter the value** and specify the base64-encoded value of your Ed25519 public key. Alternatively, select **Use Google-managed key for dual-token authentication**.\n8. To specify a validation shared key, click **Add validation\n shared key** , and then do the following:\n 1. For **Secret** , select a secret from the list, enter a secret manually by specifying its resource ID, or [create a new secret](/secret-manager/docs/create-secret-quickstart#create_a_secret_and_access_a_secret_version) and then select it.\n 2. For **Secret version** , select a secret version from the list or [create a new secret version](/secret-manager/docs/add-secret-version#add-secret-version) and then select it.\n9. Click **Create keyset**.\n\n### gcloud\n\nUse the [`gcloud edge-cache keysets create` command](/sdk/gcloud/reference/edge-cache/keysets/create). \n\n```\ngcloud edge-cache keysets create SHORT_KEYSET_NAME \\\n --public-key='id=SSL_PUBLIC_KEY_NAME,value=SSL_PUBLIC_KEY_VALUE'\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eSHORT_KEYSET_NAME\u003c/var\u003e: a unique name for the keyset---for example, `prod-vod-keyset`\n- \u003cvar translate=\"no\"\u003eSSL_PUBLIC_KEY_NAME\u003c/var\u003e: the name of your SSL public key\n- \u003cvar translate=\"no\"\u003eSSL_PUBLIC_KEY_VALUE\u003c/var\u003e: the value of your SSL public key\n\nReview the keys associated with a keyset. Use the\n[`gcloud edge-cache keysets describe` command](/sdk/gcloud/reference/edge-cache/keysets/describe). \n\n```\ngcloud edge-cache keysets describe prod-vod-keyset\n```\n\nThe output is similar to the following: \n\n```\nname: prod-vod-keyset\ndescription: \"Keyset for prod.example.com\"\npublicKeys:\n - id: \"key-20200918\"\n value: \"DThVLjhAKm3VYOvLBAwFZ5XbjVyF98Ias8NZU0WEM9w\"\n - id: \"key-20200808\"\n value: \"Lw7LDSaDUrbDdqpPA6JEmMF5BA5GPtd7sAjvsnh7uDA=\"\n```\n\n### Terraform\n\n resource \"google_network_services_edge_cache_keyset\" \"default\" {\n name = \"prod-vod-keyset\"\n description = \"Keyset for prod.example.com\"\n public_key {\n id = \"key-20200918\"\n value = \"FHsTyFHNmvNpw4o7-rp-M1yqMyBF8vXSBRkZtkQ0RKY\" # Update Ed25519 public key\n }\n public_key {\n id = \"key-20200808\"\n value = \"Lw7LDSaDUrbDdqpPA6JEmMF5BA5GPtd7sAjvsnh7uDA=\" # Update Ed25519 public key\n }\n }\n\nModify a keyset\n---------------\n\nTo modify a keyset, do the following: \n\n### Console\n\n1. In the Google Cloud console, go to the **Media CDN** page.\n\n [Go to Media CDN](https://console.cloud.google.com/net-services/media-cdn)\n2. Click the **Keysets** tab.\n3. Click the keyset name.\n4. To switch to the edit mode, click the **Edit** button.\n5. Make the changes that you need, and then click **Update keyset**.\n\n### gcloud\n\nUse the [`gcloud edge-cache keysets update` command](/sdk/gcloud/reference/edge-cache/keysets/update): \n\n```\ngcloud edge-cache keysets update KEYSET_NAME\n```"]]
