Authenticating requests to Amazon S3 with SigV4 - AWS Elemental MediaTailor

Authenticating requests to Amazon S3 with SigV4

Signature Version 4 (SigV4) for Amazon S3 is a signing protocol used to authenticate requests to Amazon S3 over HTTPS. When you use SigV4 for Amazon S3, MediaTailor includes a signed authorization header in the HTTPS request to the Amazon S3 bucket used as your origin. If the signed authorization header is valid, your origin fulfills the request. If it isn't valid, the request fails.

For general information about SigV4 for AWS Key Management Service, see the Authenticating Requests (AWS Signature Version 4) topic in the Amazon S3 API reference.

Note

MediaTailor always signs requests to these origins with SigV4.

Requirements

If you activate SigV4 for Amazon S3 authentication for your source location, you must meet these requirements:

  • You must allow MediaTailor to access your Amazon S3 bucket by granting mediatailor.amazonaws.com principal access in IAM. For information about configuring access in IAM, see Access management in the AWS Identity and Access Management User Guide.

  • The mediatailor.amazonaws.com service principal must have permissions to read all top-level manifests referenced by the VOD source package configurations.

  • The caller of the API must have s3:GetObject IAM permissions to read all top-level manifests referenced by your MediaTailor VOD source package configurations.

  • Your MediaTailor source location base URL must follow the Amazon S3 virtual hosted-style request URL format, for example https://bucket-name.s3.Region.amazonaws.com/key-name. For information about Amazon S3 virtual hosted-style access, see Virtual Hosted-Style Requests.

MediaTailor SigV4 Signing Origin Requests

You can have MediaTailor sign the requests it makes to valid AWS origins, including Amazon S3, Channel Assembly, and MediaPackage V2, with SigV4. This lets the origin verify that a request comes from MediaTailor, so you can restrict the origin to MediaTailor requests only. If you do not restrict access to your own MediaTailor requests, other MediaTailor customers could reach your origin through their own MediaTailor playback configuration.

The origins that we will sign requests to are AWS Key Management Service, Channel Assembly, and MediaPackage V2. The origin URLs must look like the following:

mediapackagev2.<region>.amazonaws.com

channel-assembly.mediatailor.<region>.amazonaws.com

s3.<region>.amazonaws.com

Important

Use HTTPS origin URLs. If your origin is not configured to use HTTPS, MediaTailor does not sign origin requests with SigV4.

Example IAM policies for origins to limit access to MediaTailor

The following IAM policy statements show how to limit an origin to MediaTailor requests, scoped either to your account or to a single playback configuration ARN.

Amazon S3

Scoped to the account:

{
    "Effect": "Allow",
    "Principal": { "Service": "mediatailor.amazonaws.com" },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::mybucket/*",
    "Condition": {
        "StringEquals": { "AWS:SourceAccount": "123456789012" }
    }
}

Scoped to the playback-configuration ARN:

{
    "Effect": "Allow",
    "Principal": { "Service": "mediatailor.amazonaws.com" },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::mybucket/*",
    "Condition": {
        "StringEquals": { "AWS:SourceArn": "arn:aws:mediatailor:us-west-2:123456789012:playbackConfiguration/test" }
    }
}

MediaPackage V2

Scoped to the account:

{
    "Effect": "Allow",
    "Principal": { "Service": "mediatailor.amazonaws.com" },
    "Action": "mediapackagev2:GetObject",
    "Resource": "arn:aws:mediapackagev2:us-west-2:123456789012:channelGroup/emp-origin-channel-group/channel/emp-origin-channel/originEndpoint/emp-origin-endpoint",
    "Condition": {
        "StringEquals": { "AWS:SourceAccount": "123456789012" }
    }
}

Scoped to the playback-configuration ARN:

{
    "Effect": "Allow",
    "Principal": { "Service": "mediatailor.amazonaws.com" },
    "Action": "mediapackagev2:GetObject",
    "Resource": "arn:aws:mediapackagev2:us-west-2:123456789012:channelGroup/emp-origin-channel-group/channel/emp-origin-channel/originEndpoint/emp-origin-endpoint",
    "Condition": {
        "StringEquals": { "AWS:SourceArn": "arn:aws:mediatailor:us-west-2:123456789012:playbackConfiguration/test" }
    }
}

Channel Assembly

Scoped to the account:

{
    "Effect": "Allow",
    "Principal": { "Service": "mediatailor.amazonaws.com" },
    "Action": "mediatailor:GetManifest",
    "Resource": "arn:aws:mediatailor:us-west-2:123456789012:channel/ca-origin-channel",
    "Condition": {
        "StringEquals": { "AWS:SourceAccount": "123456789012" }
    }
}

Scoped to the playback-configuration ARN:

{
    "Effect": "Allow",
    "Principal": { "Service": "mediatailor.amazonaws.com" },
    "Action": "mediatailor:GetManifest",
    "Resource": "arn:aws:mediatailor:us-west-2:123456789012:channel/ca-origin-channel",
    "Condition": {
        "StringEquals": { "AWS:SourceArn": "arn:aws:mediatailor:us-west-2:123456789012:playbackConfiguration/test" }
    }
}
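The two checks a reviewer would want to automate from the sections above, as an added example that is not part of this AWS documentation: whether an origin base URL is one MediaTailor will sign (HTTPS on one of the listed hosts, virtual hosted-style for S3), and whether every policy statement that trusts the mediatailor.amazonaws.com service principal carries an AWS:SourceAccount or AWS:SourceArn condition. The host patterns, function names and the sample policy are assumptions built from the page's examples; the sample adds a deliberately unscoped statement to show what the check flags.

```python
import re
from urllib.parse import urlsplit

# Host patterns from this page (suffix match). S3 must be virtual hosted-style: bucket label first.
SIGNABLE_HOST = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?:mediapackagev2|channel-assembly\.mediatailor)"
    r"\.[a-z0-9-]+\.amazonaws\.com$"
    r"|^[a-z0-9.-]+\.s3\.[a-z0-9-]+\.amazonaws\.com$"
)
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # IAM condition keys are case-insensitive
MEDIATAILOR_PRINCIPAL = "mediatailor.amazonaws.com"

def origin_url_signable(url: str) -> bool:
    """True if MediaTailor would SigV4-sign requests to this origin base URL (HTTPS + listed host)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(SIGNABLE_HOST.match(parts.hostname or ""))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_mediatailor_statements(policy: dict) -> list:
    """Sids (or Resources) of Allow statements that trust the MediaTailor service principal
    without a SourceAccount/SourceArn condition, i.e. open to every MediaTailor customer."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or MEDIATAILOR_PRINCIPAL not in services:
            continue
        # Condition is {operator: {key: value}}; collect every key regardless of operator.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & SCOPING_KEYS:
            findings.append(stmt.get("Sid", stmt.get("Resource")))
    return findings

# Constructed sample (assumption): the page's account-scoped S3 statement plus an unscoped copy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Scoped", "Effect": "Allow", "Principal": {"Service": MEDIATAILOR_PRINCIPAL},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
    {"Sid": "Unscoped", "Effect": "Allow", "Principal": {"Service": MEDIATAILOR_PRINCIPAL},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"}]}

if __name__ == "__main__":
    print(unscoped_mediatailor_statements(SAMPLE_POLICY))  # ['Unscoped']
    print(origin_url_signable("https://mybucket.s3.us-west-2.amazonaws.com/vod/index.m3u8"))  # True
```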