# Rotate secrets
This page describes how to update Media CDN keys used for signed
requests. You can have up to three public keys and three validation shared keys,
for a total of six keys per keyset. To prevent exceeding those limits during a
key rotation, see the following instructions about how to delete a validation
shared key and how to add a key.
Last updated 2025-08-29 UTC.

Before you begin
----------------

1. [Configure your validation shared keys in Secret Manager](/secret-manager/docs/configuring-secret-manager).

2. Grant the [Secret Manager Access role](/iam/docs/understanding-roles#secret-manager-roles)
   (`roles/secretmanager.secretAccessor`) to the Media CDN
   service account.

   ### Console

   1. In the Google Cloud console, go to the **Secret Manager** page.

      [Go to Secret Manager](https://console.cloud.google.com/security/secret-manager)
   2. Select the secret.
   3. In the info panel, click **Add principal**.
   4. For **New principals**, enter the Media CDN service account as follows:

      `service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com`

      Replace `PROJECT_NUMBER` with your project number.
   5. For **Select a role**, select **Secret Manager**, and then select **Secret Manager Secret Accessor**.
   6. Click **Save**.

   ### gcloud

   Use the [`gcloud secrets add-iam-policy-binding` command](/sdk/gcloud/reference/secrets/add-iam-policy-binding):

   ```
   gcloud secrets add-iam-policy-binding projects/PROJECT_NUMBER/secrets/SECRET_ID \
       --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-mediaedgefill.iam.gserviceaccount.com" \
       --role="roles/secretmanager.secretAccessor"
   ```

   Replace the following:
   - `PROJECT_NUMBER`: your project number
   - `SECRET_ID`: the ID of the secret

Delete a secret
---------------

### Console

1. In the Google Cloud console, go to the **Media CDN** page.

   [Go to Media CDN](https://console.cloud.google.com/net-services/media-cdn)
2. Click the **Keysets** tab.

3. Select the keyset that has the secret that you want to delete, and then
   click **Edit**.

4. To delete a secret, in the **Keys > Validation shared keys** section,
   click **Delete** next to the secret name.

5. Click **Update keyset**.

### gcloud

To delete a secret key from a keyset, use the
[`gcloud edge-cache keysets update` command](/sdk/gcloud/reference/edge-cache/keysets/update).
Omit the key that you want to delete and specify the keys that you want to keep.

In the following example, `KEY_VERSION_1` isn't listed, while `KEY_VERSION_2` and
`KEY_VERSION_3` are listed. Omitting `KEY_VERSION_1` deletes it from the keyset.

```
gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3'
```

Replace the following:

- `KEYSET_NAME`: the name of the keyset
- `PROJECT_NUMBER`: your project number
- `SECRET_ID`: the ID of the secret that you're updating
- `KEY_VERSION`: the key version

### text editor

1. Export your keyset to a YAML file. Use the
   [`gcloud edge-cache keysets export` command](/sdk/gcloud/reference/edge-cache/keysets/export).

   ```
   gcloud edge-cache keysets export KEYSET_NAME \
       --destination=FILENAME.yaml
   ```

   Replace the following:
   - `KEYSET_NAME`: the name of your keyset, for example, `prod-vod-keyset`
   - `FILENAME`: the YAML filename
2. Edit the exported keyset configuration file to remove the secret key.
   The following example shows how to remove the oldest secret key,
   which ends in `KEY_VERSION_1`:

   ```
   name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
   validationSharedKeys:
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_1"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
   ```

   Replace the following:
   - `PROJECT_NUMBER`: your project number
   - `SECRET_ID`: the ID of the secret that you're updating
   - `KEY_VERSION`: the key version

   The edited file looks similar to the following:

   ```
   name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
   validationSharedKeys:
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
   ```
3. Import the edited keyset. Use the
   [`gcloud edge-cache keysets import` command](/sdk/gcloud/reference/edge-cache/keysets/import):

   ```
   gcloud edge-cache keysets import KEYSET_NAME \
       --source=FILENAME.yaml
   ```

Add a secret
------------

### Console

1. In the Google Cloud console, go to the **Media CDN** page.

   [Go to Media CDN](https://console.cloud.google.com/net-services/media-cdn)
2. Click the **Keysets** tab.

3. Select the keyset for which you want to add a secret, and then click
   **Edit**.

4. To add a secret, in the **Keys > Validation shared keys** section,
   click **Secret**. Then, select a secret from the list,
   enter a secret manually by specifying its resource ID, or
   [create a new secret](/secret-manager/docs/create-secret-quickstart#create_a_secret_and_access_a_secret_version)
   and then select it.

5. Select a secret version from the list or [create a new secret version](/secret-manager/docs/add-secret-version#add-secret-version),
   and then select it.

6. Click **Update keyset**.

### gcloud

To add a secret key to a keyset, use the
[`gcloud edge-cache keysets update` command](/sdk/gcloud/reference/edge-cache/keysets/update).
Specify the keys that you have and the key that you want to add.

In the following example, `KEY_VERSION_1` was previously deleted and
`KEY_VERSION_4` is the key being added. Listing `KEY_VERSION_4` in
addition to `KEY_VERSION_2` and `KEY_VERSION_3` adds it to the keyset.

```
gcloud edge-cache keysets update KEYSET_NAME \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3' \
    --validation-shared-key='secret_version=projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4'
```

Replace the following:

- `KEYSET_NAME`: the name of the keyset
- `PROJECT_NUMBER`: your project number
- `SECRET_ID`: the ID of the secret that you're updating
- `KEY_VERSION`: the key version

### text editor

1. Export your keyset to a YAML file. Use the
   [`gcloud edge-cache keysets export` command](/sdk/gcloud/reference/edge-cache/keysets/export).

   ```
   gcloud edge-cache keysets export KEYSET_NAME \
       --destination=FILENAME.yaml
   ```

   Replace the following:
   - `KEYSET_NAME`: the name of your keyset
   - `FILENAME`: the YAML filename
2. In the exported keyset configuration file, add a new `secretVersion`
   line that includes a new key version, similar to the following:

   ```
   name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset
   validationSharedKeys:
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_2"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_3"
   - secretVersion: "projects/PROJECT_NUMBER/secrets/SECRET_ID/versions/KEY_VERSION_4"
   ```
3. Import the edited keyset. Use the
   [`gcloud edge-cache keysets import` command](/sdk/gcloud/reference/edge-cache/keysets/import):

   ```
   gcloud edge-cache keysets import KEYSET_NAME \
       --source=FILENAME.yaml
   ```
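The text-editor steps for deleting and adding a validation shared key can be scripted between the export and import commands. The following is an added example, not Google tooling or code from the original page: it edits an exported keyset YAML on stdin and refuses an add that would exceed the three-key limit. The function names, exit codes, and sample values (project number `123`, secret `cdn-key`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Google tooling. Edits the validationSharedKeys list of an
# exported keyset YAML (stdin) and writes the edited YAML to stdout.
MAX_SHARED_KEYS=3  # validation shared key limit stated on this page

# edit_shared_keys delete|add SECRET_VERSION_PATH
# Exit: 0 ok, 2 key to delete not listed, 3 key already listed,
#       4 add would exceed the limit, 5 no validationSharedKeys block.
edit_shared_keys() {
  awk -v mode="$1" -v target="$2" -v max="$MAX_SHARED_KEYS" '
    function close_block() {
      if (in_block && mode == "add" && !dup && count < max) {
        print indent "- secretVersion: \"" target "\""
        added = 1
      }
      in_block = 0
    }
    /^validationSharedKeys:/ { in_block = 1; seen = 1; print; next }
    in_block && /^[ \t]*- secretVersion:/ {
      v = $0
      sub(/^[ \t]*- secretVersion:[ \t]*/, "", v)
      gsub(/[" \t]/, "", v)
      indent = $0; sub(/-.*/, "", indent)
      if (v == target && mode == "delete") { deleted = 1; next }
      if (v == target) dup = 1
      count++; print; next
    }
    in_block && /^[^ \t-]/ { close_block() }
    { print }
    END {
      close_block()
      if (!seen) exit 5
      if (mode == "delete" && !deleted) exit 2
      if (mode == "add" && dup) exit 3
      if (mode == "add" && !added) exit 4
    }'
}

# Rotation in the order the page gives: delete the old key, then add the new.
rotate_shared_key() {
  step=$(edit_shared_keys delete "$1") || return
  printf '%s\n' "$step" | edit_shared_keys add "$2"
}

# Constructed sample keyset: project number 123, secret "cdn-key", versions 1-3.
sample_keyset() {
  printf '%s\n' 'name: projects/my-project/locations/global/edgeCacheKeysets/prod-vod-keyset' 'validationSharedKeys:'
  for n in 1 2 3; do printf '%s\n' "- secretVersion: \"projects/123/secrets/cdn-key/versions/$n\""; done
}
```

Write the output to a new file and import it only when the function exits with status 0, because the YAML is streamed to stdout before the checks in `END` run.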