Create or Import an IVS Playback Key
Amazon IVS allows a maximum of three key pairs that can be used to sign and verify playback tokens. Amazon IVS does not offer key rotation.
Once imported, playback keys cannot be updated. Instead, you must delete the existing playback key and import a new key.
You need to generate an ECDSA public/private key pair.
Creating a New Key Pair
There are various ways to create a key pair; below, we give two examples.
To create a new key pair in the console, follow these steps. Note this process enables you to download only the private key.
- Open the Amazon IVS console. Choose your channel’s region if you are not already on it.
- In the left navigation menu, choose Playback security > Playback keys.
- Choose Create playback key. A Create playback key dialog appears.
- Follow the prompts and choose Create.
- Amazon IVS generates a new key pair. The public key is imported as a playback key resource and the private key is immediately made available for download.
Amazon IVS generates the key on the client side and does not store the private key. Be sure you save the key; you cannot retrieve it later.
To create a new P384 EC key pair with OpenSSL (you may have to install OpenSSL):
openssl ecparam -name secp384r1 -genkey -noout -out priv.pem
openssl ec -in priv.pem -pubout -out public.pem
Now import your new public key, using the instructions below.
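Before importing, it helps to confirm that the file you are about to upload is the public half of the pair and uses the curve from the OpenSSL command above. The following is an added example, not part of the original documentation: a structural check only (it does not test that the point lies on the curve), with hypothetical function names, assuming the key should be secp384r1 as in that command.

```python
import base64
import re

EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey, 1.2.840.10045.2.1
SECP384R1_OID = bytes.fromhex("2b81040022")          # secp384r1, 1.3.132.0.34

def read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def check_playback_public_key(pem_text):
    """Return True if pem_text is a secp384r1 SubjectPublicKeyInfo, else raise."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.+?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    if m.group(1) != "PUBLIC KEY":  # e.g. "EC PRIVATE KEY": keep that file local
        raise ValueError(f"refusing to import a '{m.group(1)}' block")
    der = base64.b64decode("".join(m.group(2).split()))
    spki, _ = read_tlv(der, 0, 0x30)             # SubjectPublicKeyInfo SEQUENCE
    alg, key_pos = read_tlv(spki, 0, 0x30)       # AlgorithmIdentifier SEQUENCE
    alg_oid, curve_pos = read_tlv(alg, 0, 0x06)
    if alg_oid != EC_PUBLIC_KEY_OID:
        raise ValueError("not an EC public key")
    curve_oid, _ = read_tlv(alg, curve_pos, 0x06)
    if curve_oid != SECP384R1_OID:
        raise ValueError("curve is not secp384r1")
    point, _ = read_tlv(spki, key_pos, 0x03)     # BIT STRING: 0x00, then 0x04||X||Y
    if len(point) != 98 or point[:2] != b"\x00\x04":
        raise ValueError("expected an uncompressed 97-byte P-384 point")
    return True

def constructed_pem(label, curve_oid):
    """Constructed sample: right structure, but X||Y is filler, not a real point."""
    alg = b"\x06\x07" + EC_PUBLIC_KEY_OID + bytes([0x06, len(curve_oid)]) + curve_oid
    point = b"\x00\x04" + bytes(range(96))
    body = bytes([0x30, len(alg)]) + alg + bytes([0x03, len(point)]) + point
    b64 = base64.encodebytes(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

if __name__ == "__main__":
    print(check_playback_public_key(constructed_pem("PUBLIC KEY", SECP384R1_OID)))
```

To check a real file, pass the contents of public.pem to check_playback_public_key before running the import.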
Importing an Existing Public Key
If you already have a key pair, you can import the public key into IVS. The private key is not needed by our system but is employed by you to sign tokens.
To import an existing public key with the console:
- Open the Amazon IVS console. Choose your channel’s region if you are not already on it.
- In the left navigation menu, choose Playback security > Playback keys.
- Choose Import. An Import playback key dialog appears.
- Follow the prompts and choose Import.
- Amazon IVS imports your public key and generates a playback key resource.
To import an existing public key with the CLI:
aws ivs import-playback-key-pair --public-key-material "`cat public.pem`" --region <aws-region>
You can omit --region <aws-region> if the region is in your local AWS configuration file.
Here is an example response:
{
  "keyPair": {
    "arn": "arn:aws:ivs:us-west-2:693991300569:playback-key/f99cde61-c2b0-4df3-8941-ca7d38acca1a",
    "fingerprint": "98:0d:1a:a0:19:96:1e:ea:0a:0a:2c:9a:42:19:2b:e7",
    "tags": {}
  }
}
API Request
POST /ImportPlaybackKeyPair HTTP/1.1
{
  "publicKeyMaterial": "<pem file contents>"
}