Create or Import a Playback Key - Amazon Interactive Video Service

Create or Import a Playback Key

Amazon IVS allows a maximum of three key pairs that can be used to sign and verify playback tokens. Amazon IVS does not offer any key rotations.

Once imported, playback keys cannot be updated. Instead, you must delete the existing playback key and import a new key.

You need to generate an ECDSA public/private key pair to sign the JWTs and upload the public key to Amazon IVS as a playback-key resource. Then Amazon IVS can verify the signature in playback requests.

Console Instructions

To create a key pair:

  1. Open the Amazon IVS console. Choose your channel’s region if you are not already on it.

  2. In the left navigation menu, choose Playback keys.

  3. Choose Create playback key. A Create playback key dialog appears.

  4. Follow the prompts and choose Create.

  5. Amazon IVS generates a new key pair. The public key is imported as a playback key resource and the private key is immediately made available for download.

    Amazon IVS generates the key on the client side and does not store the private key. Be sure you save the key; you cannot retrieve it later.

To import an existing public key:

  1. Open the Amazon IVS console. Choose your channel’s region if you are not already on it.

  2. In the left navigation menu, choose Playback keys.

  3. Choose Import. An Import playback key dialog appears.

  4. Follow the prompts and choose Import.

  5. Amazon IVS imports your public key and generates a playback key resource.

CLI Instructions

There are various methods to create a key pair. For example, here is how to generate a P384 EC key with OpenSSL (you may have to install OpenSSL first):

openssl ecparam -name secp384r1 -genkey -noout -out priv.pem openssl ec -in priv.pem -pubout -out public.pem

After generating the public key, import it into Amazon IVS:

aws ivs import-playback-key-pair --public-key-material "`cat public.pem`" --region <aws-region>

You can omit --region <aws-region> if the region is in your local AWS configuration file.

Here is an example response:

{ "keyPair": { "arn": "arn:aws:ivs:us-west-2:693991300569:playback-key/f99cde61-c2b0-4df3-8941-ca7d38acca1a", "fingerprint": "98:0d:1a:a0:19:96:1e:ea:0a:0a:2c:9a:42:19:2b:e7", "tags": {} } }

API Request

POST /ImportPlaybackKeyPair HTTP/1.1 { "publicKeyMaterial": "<pem file contents>" }