Create or Import a Playback Key - Amazon Interactive Video Service

Create or Import a Playback Key

Amazon IVS allows a maximum of three key pairs that can be used to sign and verify playback tokens. Amazon IVS does not offer any key rotations.

Once imported, playback keys cannot be updated. Instead, you must delete the existing playback key and import a new key.

You need to generate an ECDSA public/private key pair to sign the JWTs and upload the public key to Amazon IVS as a playback-key resource. Then Amazon IVS can verify the signature in playback requests.

Creating a New Key Pair

There are various ways to create a key pair; below, we give two examples.

To create a new key pair in the console, follow these steps. Note this process enables you to download only the private key.

  1. Open the Amazon IVS console. Choose your channel’s region if you are not already on it.

  2. In the left navigation menu, choose Playback security > Playback keys.

  3. Choose Create playback key. A Create playback key dialog appears.

  4. Follow the prompts and choose Create.

  5. Amazon IVS generates a new key pair. The public key is imported as a playback key resource and the private key is immediately made available for download.

    Amazon IVS generates the key on the client side and does not store the private key. Be sure you save the key; you cannot retrieve it later.:

To create a new P384 EC key pair with OpenSSL (you may have to install OpenSSL first), follow these steps. This process enables you to access both the private and public keys. You need the public key only if you want to test verification of your tokens.

openssl ecparam -name secp384r1 -genkey -noout -out priv.pem openssl ec -in priv.pem -pubout -out public.pem

Now import your new public key, using the instructions below.

Importing an Existing Public Key

If you already have a key pair, you can import the public key into IVS. The private key is not needed by our system but is employed by you to sign tokens.

To import an existing public key with the console:

  1. Open the Amazon IVS console. Choose your channel’s region if you are not already on it.

  2. In the left navigation menu, choose Playback security > Playback keys.

  3. Choose Import. An Import playback key dialog appears.

  4. Follow the prompts and choose Import.

  5. Amazon IVS imports your public key and generates a playback key resource.

To import an existing public key with the CLI:

aws ivs import-playback-key-pair --public-key-material "`cat public.pem`" --region <aws-region>

You can omit --region <aws-region> if the region is in your local AWS configuration file.

Here is an example response:

{ "keyPair": { "arn": "arn:aws:ivs:us-west-2:693991300569:playback-key/f99cde61-c2b0-4df3-8941-ca7d38acca1a", "fingerprint": "98:0d:1a:a0:19:96:1e:ea:0a:0a:2c:9a:42:19:2b:e7", "tags": {} } }

API Request

POST /ImportPlaybackKeyPair HTTP/1.1 { "publicKeyMaterial": "<pem file contents>" }