How MediaTailor Secrets Manager access token authentication works

After you create or update a source location to use access token authentication, MediaTailor includes the access token in an HTTP header when requesting source content manifests from your origin.

Here's an overview of how MediaTailor uses Secrets Manager access token authentication for source location origin authentication:

When you create or update a MediaTailor source location that uses access token authentication, MediaTailor sends a DescribeSecret request to Secrets Manager to determine the AWS KMS key associated with the secret. You include the secret ARN in your source location access configuration.
MediaTailor creates a grant for the customer managed key, so that MediaTailor can use the key to access and decrypt the access token stored in the SecretString. The grant name will be MediaTailor-SourceLocation-your AWS account ID-source location name.

You can revoke access to the grant, or remove MediaTailor's access to the customer managed key at any time. For more information, see RevokeGrant in the AWS Key Management Service API Reference.
When a VOD source is created or updated, or used in a program, MediaTailor makes HTTP requests to the source locations to retrieve the source content manifests associated with the VOD sources in the source location. If the VOD source is associated with a source location that has an access token configured, the requests include the access token as an HTTP header value.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Integrating with MediaPackage endpoints that use CDN authorization

Working with VOD sources