Deliver private content with AWS CloudFront

This article is a continuation of Video Streams on AWS S3 + CloudFront.

Purpose

Connect with a time-limited URL. (One-time URL) I want to restrict viewing to a video stream and distribute it. (I tried it with an image this time) Ultimately, I want to distribute the video using Plone authentication. (Challenge after next time)

S3 and CloudFront settings

Create a new bucket and place a trial image. Try to distribute this image privately.

S3

--Create a new bucket (c2-video-test-private)

• Set the log

• Upload

• Upload image file "terada_pythonbr.jpg "

CloundFront

--Get CloudFront Access ID

• Go to the IAM web management console
• Get "Create New Key Pair" in "CloudFront Key Pair" in Details
• Download private and public keys

• CloudFront Origin On the CloudFront web management screen, go from "Private Content" to "Origin Access Identity" (you can also create it later)

• Click Create OAI
• Created by putting "OAI for c2-video-test-private" in the comment --Create a new "Private Distribution" (for the Web) --Set
• Restrict Bucket Access: Yes
• Origin Access Identity: Use an Existing Identity
• Select the one you created in advance for Your Identities: (or you can create a new one here)
• Grant Read Permissions on Bucket: Yes
• HTTPS Only:Yes
• Restrict Viewer Access: Yes
• Trusted Signers
• Logging: On
• Other Logging settings (bucket and Path) --Domain Name: dn045wcqv2fv4.cloudfront.net

Create a Signed URL

Refer to the following boto item and try to make it in the local Python environment.

The unrestricted URL should be:

https://dn045wcqv2fv4.cloudfront.net/terada_pythonbr.jpg Not surprisingly, the error is back.

error.xml

<Error>
  <Code>MissingKey</Code>
  <Message>Missing Key-Pair-Id query parameter</Message>
</Error>

Create a restricted URL

(Details of boto relations are described at the bottom)

sample.py

ACCESS_KEY_ID = "xxxxxxxxxxxxxxxxx"
SECRET_ACCESS_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
YOUR_KEYPAIR_ID = "xxxxxxxxxxxxxx"
YOUR_PRIVATE_KEY_FILE_LOCATION = "xxxxxxxxxxxxxxxxxxxxx.pem"
url = "https://dn045wcqv2fv4.cloudfront.net/terada_pythonbr.jpg "
expire_time = int(time.time() +3600)

conn = CloudFrontConnection(ACCESS_KEY_ID, SECRET_ACCESS_KEY)
distribution = Distribution(connection=conn, config=None, domain_name='', id='', last_modified_time=None, status='')

signed_url = distribution.create_signed_url(url=url, keypair_id=YOUR_KEYPAIR_ID, expire_time=expire_time, private_key_file=YOUR_PRIVATE_KEY_FILE_LOCATION)

>>> print signed_url
https://dn045wcqv2fv4.cloudfront.net/terada_pythonbr.jpg?Expires=1406023941&Signature=Ihps3u0~jQ-Twkghg2tqQ-dTMEZoRC-Jb13F4FgNe~1MVAsXQ-yAbXtEKSTsIhN6OLZmuUii6E1xs7nWfe-76SGk26Jmx5edd35EgwQ8mH~2XlY4QOqP1Fgza93q02oQNhJWte1mef4tc8p3fJO6yzebpTEh4MqvQOt9s5bcKq9ad8EGSmfXfUlgL6b87z6TOAXVFQuIotttu6ajlfbCpplIUD-~r-6W~SB6n2dyB8SaoKgJBTkEKJwFiBWx2S5M20-06hsLOeV23UBJcuq6~C-pE1r1ViE8Ia-tM8L6v7zcbtLfOdw9lgFzYoMoh-KiWOAdz7pc-koYMVPXZ-9DuQ__&Key-Pair-Id=APKAJAJZQHPKZI6OK5UQ

Access test in browser

https://dn045wcqv2fv4.cloudfront.net/terada_pythonbr.jpg?Expires=1406023941&Signature=Ihps3u0~jQ-Twkghg2tqQ-dTMEZoRC-Jb13F4FgNe~1MVAsXQ-yAbXtEKSTsIhN6OLZmuUii6E1xs7nWfe-76SGk26Jmx5edd35EgwQ8mH~2XlY4QOqP1Fgza93q02oQNhJWte1mef4tc8p3fJO6yzebpTEh4MqvQOt9s5bcKq9ad8EGSmfXfUlgL6b87z6TOAXVFQuIotttu6ajlfbCpplIUD-~r-6W~SB6n2dyB8SaoKgJBTkEKJwFiBWx2S5M20-06hsLOeV23UBJcuq6~C-pE1r1ViE8Ia-tM8L6v7zcbtLfOdw9lgFzYoMoh-KiWOAdz7pc-koYMVPXZ-9DuQ__&Key-Pair-Id=APKAJAJZQHPKZI6OK5UQ

I was able to access 2014/07/22 18:14. 2014/07/22 It should not be accessible at 19:15

boto

boto is a Python module that manipulates AWS APIs. It used to be unofficial on Amazon, but now that the developers are now affiliated with Amazon, it should be semi-official.

Advance preparation

$ pip install rsa
$ pip install boto

How to get the Signed URL

The explanation was below. http://boto.readthedocs.org/en/latest/ref/cloudfront.html

create_signed_url(url, keypair_id, expire_time=None, valid_after_time=None, ip_address=None, policy_url=None, private_key_file=None, private_key_string=None)

• url (str)
• keypair_id (str)
• expire_time (int)
• valid_after_time (int)
• ip_address (str)
• policy_url (str)
• private_key_file (str or file object.)
• private_key_string (str)

Below was a sample

http://stackoverflow.com/questions/2573919/creating-signed-urls-for-amazon-cloudfront

import boto
from boto.cloudfront import CloudFrontConnection
from boto.cloudfront.distribution import Distribution

expire_time = int(time.time() +3000)
conn = CloudFrontConnection('ACCESS_KEY_ID', 'SECRET_ACCESS_KEY')

##enter the id or domain name to select a distribution
distribution = Distribution(connection=conn, config=None, domain_name='', id='', last_modified_time=None, status='')
signed_url = distribution.create_signed_url(url='YOUR_URL', keypair_id='YOUR_KEYPAIR_ID_example-APKAIAZVIO4BQ',expire_time=expire_time,private_key_file="YOUR_PRIVATE_KEY_FILE_LOCATION")

URL referenced during the survey

-[AWS Meister Series] Content distribution by Amazon CloudFront / Amazon Elastic Transcoder http://www.slideshare.net/AmazonWebServicesJapan/20131120-aws-medisterregeneratecloudfrontetspublic There is an explanation on P29

--Accessing private content with Amazon CloudFront Part 1 http://dev.classmethod.jp/etc/amazon-cloudfront-private-contents-access-1/ There is a manual in English on the AWS management console, and at present, it seems that all operations can be performed from the web management console.

• Code and Examples for Creating a Signature for a Signed URL http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateCFSignatureCodeAndExamples.html There is no information on Python, but it seems to be helpful

Try it with a video

Make the above correspond to the video stream that was set to TODO

Preparation

--C2-video-test-private Add video folder to bucket --Added PyConAPACTW2014terada.mp4 to video folder --Added stream-enabled Distribution to CloudFront

• Select RTMP when creating
• Origin Domain Name : c2-video-test-private
• Restrict Bucket Access: Yes
• Origin Access Identity: Use an Existing Identity
• Select a pre-made version of Your Identities: (OAI for c2-video-test-private)
• Grant Read Permissions on Bucket: Yes
• Restrict Viewer Access: Yes
• Trusted Signers: Self
• Logging: On
• Other Logging settings (bucket and Path)

Up to this point, it should be easy to do by reviewing the past.

Create a Signed URL

Work with boto as above

• url = "rtmp://s3lse3ja7xuop9.cloudfront.net/cfx/st/&mp4:video/PyConAPACTW2014terada.mp4"
• policy_url = "video/*" A wildcard is specified. ** For rtmp ** Write only PATH as above (writing from rtpm: // doesn't work <I've been addicted to this for a few days)

>>> url = "rtmp://s3lse3ja7xuop9.cloudfront.net/cfx/st/&mp4:video/PyConAPACTW2014terada.mp4"
>>> policy_url = "video/*"
>>> signed_url = distribution.create_signed_url(url=url, keypair_id=YOUR_KEYPAIR_ID, expire_time=expire_time, private_key_file=YOUR_PRIVATE_KEY_FILE_LOCATION, policy_url=policy_url)
>>> print signed_url
rtmp://s3lse3ja7xuop9.cloudfront.net/cfx/st/&mp4:video/PyConAPACTW2014terada.mp4?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoidmlkZW8vKiIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTQwNjg5OTIwMX19fV19&Signature=m10lfH4vpepAWVNLCGO9xr~TFs-ZCUklra-I4D6WZvqO3aHhijIbtPQOiK00BPZzTxnu-enkvTuao1aDoP~HSONzF5xIqGqMuP4RYJ-B0~g5iQxvac1VVkb~3lZXMRN3Oz45BsrRWQawyXp1o~0M9sFr~zIVQAbM8aAji1WmTu0~fY0UcfgO74DNevYw4-I4S8S2KLnSimFGeU0bz3b8bXtgxketPz0JhTyM4akK8gD7xWjskrxFOZ4pskCaLvJr3Pyb9pJsqQ9T2izNsPs0Ms5pi94FnOdyejSRWezqrxp00KNttnlc3DGCOcmcCNDNYdIMxmNC6MuAfQKx~a1tig__&Key-Pair-Id=APKAJAJZQHPKZI6OK5UQ

Template for video display

Make the src part a Signed URL.

<source src="rtmp://s3lse3ja7xuop9.cloudfront.net/cfx/st/&mp4:video/PyConAPACTW2014terada.mp4?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoidmlkZW8vKiIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTQwNjg5OTIwMX19fV19&Signature=m10lfH4vpepAWVNLCGO9xr~TFs-ZCUklra-I4D6WZvqO3aHhijIbtPQOiK00BPZzTxnu-enkvTuao1aDoP~HSONzF5xIqGqMuP4RYJ-B0~g5iQxvac1VVkb~3lZXMRN3Oz45BsrRWQawyXp1o~0M9sFr~zIVQAbM8aAji1WmTu0~fY0UcfgO74DNevYw4-I4S8S2KLnSimFGeU0bz3b8bXtgxketPz0JhTyM4akK8gD7xWjskrxFOZ4pskCaLvJr3Pyb9pJsqQ9T2izNsPs0Ms5pi94FnOdyejSRWezqrxp00KNttnlc3DGCOcmcCNDNYdIMxmNC6MuAfQKx~a1tig__&Key-Pair-Id=APKAJAJZQHPKZI6OK5UQ"
                 type='rtmp/mp4' />

Test page

I think that the viewing deadline has already passed, but I confirmed that you can see it below http://c2-video-test.s3-website-ap-northeast-1.amazonaws.com/index2.html

TODO from the next time onwards

--I want to restrict viewing to the video stream and distribute it. -> 20140801 Described in the "Try with video" item above. --Investigating what happens with HLS for iOS-> http://qiita.com/terapyon/items/fadecf13ed1d11dcd34d ――Finally, I want to distribute the video using Plone authentication.

Author-related Blog articles

Private content distribution with AWS CloudFront