Enable Playback Authorization

In this step, you will enable playback authorization on your IVS channel. Playback authorization lets you create private channels that only viewers with a valid playback token can watch.


  1. Edit An IVS Channel in AWS Console
  2. Generate and Sign Playback Tokens
  3. Module Summary

Edit An IVS Channel in AWS Console

  1. On the AWS console, navigate to Interactive Video Service via the following link.


  2. Locate and click the Channel link from the left menu.

  3. Select the IVS channel on which you want to enable playback authorization, and click the Edit button at the top. Find Playback authorization at the bottom of the page, and click Enable token-authorization requirement for video playback. Click the Save changes button to finish.

  4. On the same page, select Playback keys from the left menu. Click the Create playback key button to create a key. Enter a key name and click Create. Notice that a private-key.pem file is automatically downloaded.

Note: Amazon IVS generates the key on the client side and does not store the private key. Be sure you save the key; you cannot retrieve it later.

Note: Amazon IVS allows a maximum of three key pairs that can be used to sign and verify playback tokens. Amazon IVS does not offer any key rotations.

Generate and Sign Playback Tokens

Now that you have created a private key that is associated with your channel and downloaded it to your local computer, we will use this key to get a signed token for playback.

Note: Do you have the AWS Command Line Interface installed locally on your computer? If not, you can use the following steps to create a browser-based IDE using the AWS Cloud9 service and run AWS command line tools natively.

Click here for instructions on how to create an AWS Cloud9 IDE

  1. First, let’s store the private key in a safe place - AWS Secrets Manager.

    1.1 If you can use AWS commands locally, locate the private-key.pem file stored on your computer, open a terminal window or command prompt, and change to the directory where private-key.pem is located.

    1.2 If you use the Cloud9 environment just created, go to the Cloud9 console, select the File menu, and select Upload local files…. Select your private-key.pem file and upload it into Cloud9. Once the file is uploaded, it will be shown in your console.

  2. Use the following command to check your AWS CLI version.

$ aws --version
aws-cli/1.18.157 Python/3.7.4 Darwin/18.7.0 botocore/1.18.16
$ aws --version
aws-cli/2.0.57 Python/3.7.4 Darwin/18.7.0 exe/x86_64
  1. In the command line window of your choice, use one of the following commands, based on your AWS CLI version, to store the private key in AWS Secrets Manager with the name ivs-playauth-key.
$ # AWS CLI Version 1.x
$ aws secretsmanager create-secret --name ivs-playauth-key --secret-binary file://private-key.pem
$ # AWS CLI Version 2.x
$ aws secretsmanager create-secret --name ivs-playauth-key --cli-binary-format raw-in-base64-out --secret-binary file://private-key.pem
  1. The command execution will return information like the following.
    {
        "ARN": "arn:aws:secretsmanager:us-west-2:xxxxxx:secret:ivs-playauth-key-hq5Aa5",
        "Name": "ivs-playauth-key",
        "VersionId": "408abaa9-4dfa-429b-b1a3-8f5348a358ba"
    }

Note down the ARN value which we will use in later steps.

  1. Now we will create a Lambda function to help generate the playback token. First, click the Lambda function package link below to download the ivs-playauth.zip file. lambda function package

  2. In AWS console, go to Lambda service, locate and click Create function button.

  3. In the Create function section, select the default Author from scratch. In Function name, enter ivs-token-generator, select Node.js 12.x as the Runtime, note down the name of the execution role that is created, and click Create function.

  4. Scroll down to the Function code section, click the Action button, and select Upload a .zip file. Upload the previously downloaded ivs-playauth.zip file and click Save.

  5. Once the zip file is uploaded, select index.js from the left menu, and locate the getPemKey function. Replace the function value with the secret ARN. Locate the playload variable, and replace the aws:channel-arn value with your IVS channel’s ARN. Once finished, click Save.

  6. Scroll up to the Designer section of the Lambda function and click + Add trigger. In Trigger configuration, select API Gateway, then select Create an API in the next dropdown box. Select REST API, select Security Open, and click Add.

Note: Open security is selected here only to demonstrate the token generation function. In a production environment, customers should implement an authentication and authorization mechanism to protect this REST API.

  1. In the AWS console, go to the API Gateway service, select ivs-token-generator-API and click the highlighted name to view details. Select ANY under /ivs-token-generator to bring up the Method Execution flow.

  2. Click Integration Request, uncheck the Use Lambda Proxy Integration option, click OK, and then click OK again to add permission to the Lambda function.

  3. Click <- Method Execution at the top to return to the prior UI, and click Method Response. Click Add Response Model, input application/json in Content Type and Empty in Models, and click the check mark to save it.

  4. In Resources, click the Action button at the top and select Deploy API. In Deployment stage, select default, enter an optional Deployment description, and click Deploy when finished.

  5. Once deployed, in Stages, expand default, select the GET method under /ivs-token-generator, and note down the Invoke URL shown at the top of the page.

  6. Remember that this Lambda function needs to access the private key in AWS Secrets Manager, so we need to grant the proper permissions to the automatically created Lambda role.

  7. Go to the IAM service, select Roles, and search for ivs-token in the search box; the auto-generated Lambda role ivs-token-generator-role-xxxxx should be shown. Click the role name; in the Permissions tab, click the highlighted Policy name, and click the Edit policy button. Next, select the JSON tab in the policy editor.

  8. Refer to the following policy sample, and modify your policy to include permission to access Secrets Manager. Be sure to replace <ARN_SECRET> with your secret’s ARN. Once finished, click Review policy and click Save changes.

        "Version": "2012-10-17",
        "Statement": [
                "Action": [
                "Resource": [
                "Effect": "Allow"
                "Action": [
                "Resource": [
                "Effect": "Allow"
  9. Now, let’s invoke the API Gateway URL to trigger the token generation Lambda function. You can click the GET method link in the API Gateway console, or open the URL directly in a new browser window. Once executed, you will see an output similar to the following.

  1. Now let’s use the token to play back your channel. Manually construct a URL using the following format, and play your channel. Notice that if you do not have the ?token=<token> query parameter at the end of the URL, you will not be able to play back your channel.

     https://<ivs_channel_url>?token=<token>
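The playback token returned by the Lambda function is a JWT signed with the playback private key using ES384, with the aws:channel-arn claim in its payload. The sketch below is an added example, not the code shipped in ivs-playauth.zip: it signs such a token with Node.js's built-in crypto module and checks it locally. The function names are hypothetical, and the key pair and channel ARN are constructed sample values, so nothing is read from Secrets Manager.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Sign a playback token: a JWT with alg ES384 (ECDSA on P-384 with SHA-384).
function signPlaybackToken(privateKeyPem, channelArn, ttlSeconds, origin = '*') {
  const header = { alg: 'ES384', typ: 'JWT' };
  const payload = {
    'aws:channel-arn': channelArn,
    'aws:access-control-allow-origin': origin,
    exp: Math.floor(Date.now() / 1000) + ttlSeconds, // short lifetimes limit token sharing
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS needs the fixed-length r||s form (IEEE P1363), not OpenSSL's default DER.
  const sig = crypto.sign('sha384', Buffer.from(signingInput),
    { key: privateKeyPem, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${b64url(sig)}`;
}

// Local check of a token: pinned algorithm, signature, expiry, then channel.
function verifyPlaybackToken(token, publicKeyPem, expectedChannelArn) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    payload = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (header?.alg !== 'ES384') return { ok: false, reason: 'bad-alg' };
  const sig = Buffer.from(s, 'base64url');
  const valid = sig.length === 96 && crypto.verify('sha384', Buffer.from(`${h}.${p}`),
    { key: publicKeyPem, dsaEncoding: 'ieee-p1363' }, sig);
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (!(payload?.exp > Date.now() / 1000)) return { ok: false, reason: 'expired' };
  if (payload['aws:channel-arn'] !== expectedChannelArn) return { ok: false, reason: 'wrong-channel' };
  return { ok: true, payload };
}

// Constructed sample data: a throwaway P-384 key pair and a made-up channel ARN.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', {
  namedCurve: 'secp384r1',
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const SAMPLE_CHANNEL_ARN = 'arn:aws:ivs:us-west-2:123456789012:channel/EXAMPLEchannel';
const sampleToken = signPlaybackToken(privateKey, SAMPLE_CHANNEL_ARN, 60);
console.log(verifyPlaybackToken(sampleToken, publicKey, SAMPLE_CHANNEL_ARN).ok, sampleToken);
```

Because the token is a bearer credential placed in the URL, the exp value chosen here bounds how long a copied link keeps working.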

Module Summary

In this module, you learnt how to create a private IVS channel by enabling playback authorization and how to generate playback tokens for channel playback. This function enables customers to put their private channels behind a paywall and protect them.