Ga set up and manage key rotation

DRAFT - WIP

Regarding the one-time setup for automated key rotation, the way a CP configures support for key rotation is to create a keyset, link it to the site configuration, and set the siteRepublish "keys" attribute to true. If I can't associate a keyset with an S3 origin, how will this work? (Same question for Discovery URL signing.) Is Key Rotation not a GA feature, just currently something we support for iTV? Or can we add a section to URL Signing about key rotation? Is there another supported GA use case besides URL signing?

A Media Delivery site configuration may define components that use secret keys, such as an ~~S3 origin or ~~a URL signing rule. If your use case requires rotating secret keys, you can configure the site configuration to support automated key rotation.

One-Time Setup for Automated Key Rotation:
1. Create a keyset.
2. Associate the keyset with the site configuration component (e.g. with the URL signing rule ~~or with the S3 origin configuration~~).

Manage the Key Rotation
After the one-time setup, to rotate a key, follow this procedure:
1. Use the keys-manager API to upload a new key to the keyset.
Make sure to assign the key to the keyset that is associated with the relevant site configuration component.

For example:

```
curl --request POST \
  --url https://keys-manager.cqloud.com/keys \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: <your API token>' \
  --data '{
    "type": "S3",
    "name": "Example Key",
    "description": "Example key.",
    "key": "U0VDUkVUX0hFQURFUl9LZXk2N2tmYWxmZ2hqanJvMTIzNDU2Nzg5MHl6QUJDREVGR0hpSjJKbHRNYm5vPQ==",
    "base64Encoded": true,
    "tags": {
      "someKey": ""
    },
    "keySetId": 1
  }'
```
2. Use the sites API to republish the site in order to activate the new key.

The keys attribute within the republishedResources object must be set to true.

For example:

```
curl --request POST \
  --url https://media-sites.cqloud.com/api/v2/sites/<siteId>/publishing-operations/actions/republish \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: <your API token>' \
  --data '{ "republishedResources": { "keys": true }, "target": "" }'
```
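The two steps above, wired together as a small rotation helper. This is an added example, not code from this page or from the product; it assumes the request bodies shown above, that the HTTP transport is passed in as a `post` callable, and that a 2xx status means the call succeeded. Its one safety property is that the site is never republished unless the key upload succeeded, so a failed upload cannot silently leave the site on the old key.

```python
import base64
from typing import Callable, Dict, Tuple

# Endpoints as shown on this page; the site id is filled in per call.
KEYS_URL = "https://keys-manager.cqloud.com/keys"
REPUBLISH_URL = ("https://media-sites.cqloud.com/api/v2/sites/"
                 "{site_id}/publishing-operations/actions/republish")

# Hypothetical transport: (url, headers, json_body) -> (status_code, response_body).
PostFn = Callable[[str, Dict[str, str], Dict], Tuple[int, Dict]]


def build_key_payload(name: str, secret: bytes, keyset_id: int,
                      key_type: str = "Qsec", description: str = "") -> Dict:
    """Body for POST /keys: the raw secret is base64-encoded and flagged as such."""
    return {
        "type": key_type,            # page: "Qsec" for URL signing, "S3" for origin auth
        "name": name,
        "description": description,
        "key": base64.b64encode(secret).decode("ascii"),
        "base64Encoded": True,
        "tags": {},                  # optional metadata; page shows {"someKey": ""}
        "keySetId": keyset_id,       # must be the keyset linked to the site component
    }


def build_republish_payload() -> Dict:
    """Body for the republish action; 'keys': true is what activates the new key."""
    return {"republishedResources": {"keys": True}, "target": ""}


def rotate_key(post: PostFn, api_token: str, site_id: str, keyset_id: int,
               name: str, secret: bytes, key_type: str = "Qsec") -> Dict:
    """Upload a new key to the keyset, then republish the site to activate it."""
    headers = {"Content-Type": "application/json", "X-Api-Key": api_token}
    status, key_body = post(KEYS_URL, headers,
                            build_key_payload(name, secret, keyset_id, key_type))
    if not 200 <= status < 300:
        # Stop here: republishing now would re-activate the keyset without the new key.
        raise RuntimeError(f"key upload failed with HTTP {status}: {key_body}")
    status, pub_body = post(REPUBLISH_URL.format(site_id=site_id), headers,
                            build_republish_payload())
    if not 200 <= status < 300:
        raise RuntimeError(f"republish failed with HTTP {status}: {pub_body}")
    return {"key": key_body, "republish": pub_body}
```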

## Some notes from Arnon:
For the S3 origin auth we are using the svta structure MI.AWSv4Auth, where we use its existing field "secret-store-id" in order to map to the keySetId we select in the UI.
This is relevant only for the S3 origin authentication.

The keyset used for Discovery is for client authentication and is selected from the Discovery UrlSigning UI feature, which is meant to be visible in the UI only to the Discovery customer.

iTV or anyone who wants to implement key rotation for URL signing must use the key type Qsec.