Setting Up CDN Authorization - AWS Elemental MediaPackage

Setting Up CDN Authorization

Complete the following steps to set up CDN authorization.

Step 1: Configure a CDN custom origin HTTP header

In your CDN, configure a custom origin HTTP header named X-MediaPackage-CDNIdentifier with a value of your choosing. For the value, we recommend that you use the UUID version 4 format, which produces a 36-character string. If you aren't using the UUID version 4 format, the value must be 8-128 characters long.

Important

The value you choose should be a static value. There isn't native integration between your CDN and AWS Secrets Manager, so the value should be static both in your CDN and in AWS Secrets Manager. If you change this value after you configure your CDN and your secret, you have to manually rotate the value. For more information, see Rotating the CDN header value.

Example header and value

X-MediaPackage-CDNIdentifier: 9ceebbe7-9607-4552-8764-876e47032660

To create a custom header in Amazon CloudFront

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/.

  2. Create or edit a distribution.

  3. In Origin Settings, complete the fields. You will use this same value for your secret in Secrets Manager.

    • For Header Name, enter X-MediaPackage-CDNIdentifier.

    • For Value, enter a value. We recommend that you use the UUID version 4 format, which produces a 36-character string. If you aren't using the UUID version 4 format, the value must be 8-128 characters long.

  4. Complete the rest of the fields and save the distribution.

For more information about custom headers in CloudFront, see Forwarding Custom Headers to Your Origin in the Amazon CloudFront Developer Guide.

Step 2: Store the value as a secret in AWS Secrets Manager

Store the same value that you use in your custom origin HTTP header as a secret in AWS Secrets Manager. The secret must use the same AWS account and Region settings as your AWS Elemental MediaPackage resources. AWS Elemental MediaPackage doesn't support sharing secrets across accounts or Regions. However, you can use the same secret across multiple endpoints in the same Region and on the same account.

To store a secret in Secrets Manager

  1. Sign in to the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. Choose Store a new secret. For Select secret type, choose Other type of secrets.

  3. For Specify the key/value pairs to be stored in this secret, choose Secret key/pair.

  4. Enter the key and value information.

    • In the box on the left, enter MediaPackageCDNIdentifier.

    • In the box on the right, enter the value that you configured for your custom origin HTTP header. For example, 9ceebbe7-9607-4552-8764-876e47032660.

  5. For Select the encryption key, you can keep the default value as DefaultEncryptionKey.

  6. Choose Next.

  7. For Secret name, we recommend that you prefix it with MediaPackage/ so that you know it's a secret used for MediaPackage. For example, MediaPackage/cdn_auth_us-west-2.

  8. Choose Next.

  9. For Configure automatic rotation, keep the default Disable automatic rotation setting.

    If you need to rotate the authorization code later, see Rotating the CDN header value.

  10. Choose Next, and then choose Store.

    This takes you to the list of your secrets.

  11. Select your secret name to view the Secret ARN. The ARN has a value similar to arn:aws:secretsmanager:us-west-2:123456789012:secret:MediaPackage/cdn_auth_test-xxxxxx. You use the Secret ARN when you configure CDN authorization for MediaPackage in Step 4: Enable CDN Authorization in MediaPackage.

Step 3: Create an IAM policy and role for MediaPackage access to Secrets Manager

Create an IAM policy and role to give MediaPackage read access to Secrets Manager. When MediaPackage receives a playback request from the CDN, it verifies that the stored secret value matches the value in the custom HTTP header. Follow the steps in Allowing AWS Elemental MediaPackage to Access Other AWS Services to set up the policy and role.

Step 4: Enable CDN Authorization in MediaPackage

You can enable CDN authorization for your endpoints or video on demand (VOD) packaging groups via the console, AWS CLI, or MediaPackage API. You use the Amazon Resource Names (ARNs) for the secret that you stored in Step 2 and for the IAM role that you create in Step 3: Create an IAM policy and role for MediaPackage access to Secrets Manager above.

Tip

Use the same secret across multiple endpoints in the same Region and on the same account. Reduce costs by creating a new secret only when necessary for your workflow.

To enable CDN authorization for live content via the console

  1. Open the MediaPackage console at https://console.aws.amazon.com/mediapackage/.

  2. If you don't already have a channel, create one. For help, see Creating a Channel.

  3. Create or edit an endpoint.

  4. In Access control settings, select Use authorization. Complete the fields:

  5. Complete the remaining fields as needed and save the endpoint.

To enable CDN authorization for VOD content via the console

  1. Open the MediaPackage console at https://console.aws.amazon.com/mediapackage/.

  2. If you don't already have a VOD packaging group, create one. For help, see Creating a Packaging Group.

  3. Create or edit a packaging group.

  4. In Access control settings, select Use authorization. Complete the fields:

  5. Complete the remaining fields as needed and save the packaging group.

You have now completed the setup for CDN authorization. Requests to this endpoint must carry the X-MediaPackage-CDNIdentifier header with the same value that you saved in Secrets Manager.
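The four steps above fit together as one small workflow: pick a header value that satisfies the length rules, store it under the MediaPackageCDNIdentifier key, grant MediaPackage a role that can read only that secret, and pass the secret and role ARNs when enabling authorization. The following Python is an added example written for this page; it is not AWS code and does not call AWS. It models each step as a pure function so it runs offline: the IAM document shapes, the Secrets Manager permission actions listed, the Authorization parameter field names, and the constant-time comparison in origin_accepts are this example's assumptions about the API and about how the origin-side check behaves, not something the page states; the ARNs and header values used are constructed placeholders.

```python
"""Added example (not AWS's code): CDN authorization for MediaPackage, modelled offline."""
import hmac
import json
import re
import uuid

HEADER_NAME = "X-MediaPackage-CDNIdentifier"      # custom origin header from Step 1
SECRET_KEY_NAME = "MediaPackageCDNIdentifier"     # key inside the secret from Step 2

# Canonical UUID v4 text form: version nibble 4, variant nibble 8/9/a/b.
UUID4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def new_cdn_identifier() -> str:
    """Generate a UUID version 4 value: the recommended 36-character format."""
    return str(uuid.uuid4())


def is_valid_cdn_identifier(value: str) -> bool:
    """Apply the page's rule: UUID v4, or otherwise 8 to 128 characters long."""
    if UUID4_RE.match(value):
        return True
    return 8 <= len(value) <= 128


def secret_string(value: str) -> str:
    """SecretString to store in Secrets Manager, keyed exactly as Step 2 requires."""
    if not is_valid_cdn_identifier(value):
        raise ValueError("CDN identifier must be a UUID v4 or 8-128 characters")
    return json.dumps({SECRET_KEY_NAME: value})


def secrets_role_documents(secret_arn: str) -> dict:
    """Trust and permissions policies for the Step 3 role (assumed shape).

    The permissions policy is scoped to the one secret ARN so the role can read
    nothing else; the trust policy lets only the MediaPackage service assume it.
    """
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "mediapackage.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": secret_arn,
        }],
    }
    return {"trust_policy": trust_policy, "permissions_policy": permissions_policy}


def authorization_parameter(secret_arn: str, role_arn: str) -> dict:
    """Authorization structure passed when creating an endpoint or packaging group.

    Field names are this example's assumption about the MediaPackage API shape.
    """
    return {"CdnIdentifierSecret": secret_arn, "SecretsRoleArn": role_arn}


def origin_accepts(request_headers: dict, stored_secret_string: str) -> bool:
    """Model the origin-side check: header value must equal the stored secret.

    Header names are matched case-insensitively; the comparison is constant-time
    (an assumption about a sensible implementation, not a statement about AWS).
    """
    presented = next(
        (v for k, v in request_headers.items() if k.lower() == HEADER_NAME.lower()),
        None,
    )
    if presented is None:
        return False
    expected = json.loads(stored_secret_string).get(SECRET_KEY_NAME, "")
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed placeholder ARNs; real ones come from your own account.
    secret_arn = "arn:aws:secretsmanager:us-west-2:123456789012:secret:MediaPackage/cdn_auth_example-PLACEHOLDER"
    role_arn = "arn:aws:iam::123456789012:role/MediaPackageSecretsRole-PLACEHOLDER"
    value = new_cdn_identifier()
    stored = secret_string(value)
    print(json.dumps(secrets_role_documents(secret_arn), indent=2))
    print(authorization_parameter(secret_arn, role_arn))
    print("CDN request accepted:", origin_accepts({HEADER_NAME: value}, stored))
    print("Direct request rejected:", not origin_accepts({}, stored))
```

The last two prints show the property the setup is meant to give you: a request that arrives through the CDN carries the header and is accepted, while a request that bypasses the CDN (no header, or a guessed value) is not.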

To enable CDN authorization via the MediaPackage API

For information about enabling CDN authorization with the MediaPackage API, see the following API references: