Rotate an access key

Changing access keys on a regular schedule is a security best practice. Key rotation reduces the chances that a compromised access key is used without your knowledge to gain access to your cloud origin.

Cloud Access Manager enables you to create versions of access keys to update access key identifiers and the secrets they store without changing other details such as their names, contracts, or authentication methods. Creating a version activates the authentication credentials stored on the staging and production networks. Once you have created additional versions of an access key, you can decide which version to use in your properties to authenticate client requests


You can only provide new authentication credentials when adding versions of access keys. You can't edit authentication credentials for existing versions.

Before you begin

How to

Update the access key in Cloud Access Manager.

  1. In Cloud Access Manager, find the access key that you want to rotate.

  2. In the Access key versions table, click Add version.

  3. For Access key ID, enter the new access key identifier.

  4. For Secret access key, enter the secret paired with the new access key identifier.

  5. Click Activate.

    Activating a version takes up to 10 minutes, after which your access key is active on the staging and production networks. When this is done, you are ready to update your property with the new version of the access key.

    Reference the new version of the access key in Property Manager.

  6. Access Property Manager configurations associated with the selected Control Center account. Go to > CDN > Properties (or just enter Properties in the search box).

    The Property Groups page opens.

  7. In the Origin Characteristics behavior, make sure that Encrypted Storage is set to yes.

    If you disable this option, the Origin Characteristics behavior stores the authentication details unencrypted.

  8. For Access Key, select the relevant access key version.

    This field lists only active access keys that you created in Cloud Access Manager and that match the property's authentication method selected in the Origin Characteristics behavior.

  9. Optional: Activate your property on the staging environment and make sure that edge servers properly authenticate requests to your cloud origin. See Activate on staging.

  10. Activate you property on the production environment. See Activate on production.


Activating a property takes up to 30 minutes. Don't delete or disable the old access key in your cloud provider account during this time.