This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Cloud CDN

Posted on 01-18-2024 12:00 AM
chandrakumar
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

 

I am working on implementing GCP Cloud CDN and I have a question below

  1. Managing the Cloud CDN backend bucket per key 
  2. How to rotate the key value using KMS

According to your documentation, the suggestion is to store the private key file in KMS. However, the challenge is that Cloud CDN requires both the key and the actual value (password) using a Java library. Storing the key in KMS and then reading it back to obtain the key value seems a bit challenging.

Why doesn't Cloud CDN support KMS key references? Also, when creating a signed password, it needs to be decoded by default before creating the signed URL.

 

https://cloud.google.com/cdn/docs/using-signed-urls

Important: Keep the generated key file private, and do not expose it to users or store it directly in source code. Consider using a secrets storage mechanism such as Cloud Key Management Service to encrypt the key and provide access to only trusted applications.

chandrakumar_0-1705395801849.png

 

Solved Solved
2 1 170
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
Marvin_Lucero
Staff
Reply posted on --/--/---- --:-- AM

Hi @chandrakumar ,

Storing private key files in Cloud KMS is recommended for securing sensitive information, such as API keys. However, when dealing with Cloud CDN and signed URLs, there are some factors to consider.

As of now, Cloud CDN doesn't directly support referencing keys stored in Cloud KMS for generating signed URLs. Instead, the common practice, according to the documentation, involves creating signed URLs by using the private key file directly, without utilizing KMS key references. While using KMS for key management is considered good practice, it might not be suitable in scenarios where the service, like Cloud CDN, doesn't support direct key references.

When working with Java to create signed URLs, it's true that the process often requires reading the private key from a file. If you choose to use KMS to store the key, it introduces additional complexity, but it provides added security.

Hope this answers your question.

View solution in original post

Jump to Solution
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
Marvin_Lucero
Staff
Reply posted on --/--/---- --:-- AM

Hi @chandrakumar ,

Storing private key files in Cloud KMS is recommended for securing sensitive information, such as API keys. However, when dealing with Cloud CDN and signed URLs, there are some factors to consider.

As of now, Cloud CDN doesn't directly support referencing keys stored in Cloud KMS for generating signed URLs. Instead, the common practice, according to the documentation, involves creating signed URLs by using the private key file directly, without utilizing KMS key references. While using KMS for key management is considered good practice, it might not be suitable in scenarios where the service, like Cloud CDN, doesn't support direct key references.

When working with Java to create signed URLs, it's true that the process often requires reading the private key from a file. If you choose to use KMS to store the key, it introduces additional complexity, but it provides added security.

Hope this answers your question.

Jump to Solution
0 Likes