Rotate an access key
Changing access keys on a regular schedule is a security best practice. Key rotation reduces the chances that a compromised access key is used without your knowledge to gain access to your cloud origin.
Cloud Access Manager enables you to create versions of access keys to update access key identifiers and the secrets they store without changing other details such as their names, contracts, or authentication methods. Creating a version activates the authentication credentials stored on the staging and production networks. Once you have created additional versions of an access key, you can decide which version to use in your properties to authenticate client requests.
You can only provide new authentication credentials when adding versions of access keys. You can't edit authentication credentials for existing versions.
Before you begin
- Rotate access keys in your cloud provider account and make sure that your applications are still working as expected:
  - For Google Cloud Storage, see Manage HMAC keys in GCS.
  - For Amazon Web Services (AWS), see Rotate access keys for AWS users.
- Make note of the new access key identifier and its secret. See Get authentication details.
How to
Update the access key in Cloud Access Manager.
- In Cloud Access Manager, click on the access key that you want to rotate. The details for the key are displayed.
- In the Key Versions table, click Add version.
  Note: Each key can only have two versions. If the key has two versions already, you can't add another version until one of the versions is deleted. Before deleting a version, click on the arrow next to the version number to check whether that version is used by a property.
- For Access key ID, enter the new access key identifier.
- For Secret access key, enter the secret paired with the new access key identifier.
- Click Activate.
  Activating a version takes up to 10 minutes, after which your access key is active on the staging and production networks. When this is done, you are ready to update your property with the new version of the access key.
Reference the new version of the access key in Property Manager.
- Access Property Manager configurations associated with the selected Control Center account. Go to ☰ > CDN > Properties (or just enter Properties in the search box).
  The Property Groups page opens.
- In the Origin Characteristics behavior, make sure that Encrypted Storage is set to yes.
  If you disable this option, the Origin Characteristics behavior stores the authentication details unencrypted.
- For Access Key, select the relevant access key version.
  This field lists only active access keys that you created in Cloud Access Manager and that match the property's authentication method selected in the Origin Characteristics behavior.
- Optional: Activate your property on the staging environment and make sure that edge servers properly authenticate requests to your cloud origin. See Activate on staging.
- Activate your property on the production environment. See Activate on production.
  Activating a property takes up to 30 minutes. Don't delete or disable the old access key in your cloud provider account during this time.