AWS Media Services (Standalone)

When using AWS Media Services with Studio DRM, you can use several services to package your media depending on your business needs. Each of the different AWS services are listed in the following table along with their use cases.

🚧

This article attempts to simplify using AWS Media Services with Studio DRM.

Since AWS Media Services products evolve, we strongly recommend verifying the steps in this documentation with the documentation for each specific AWS service. A link to each service's documentation is listed in the following table.

In addition to the AWS service, you must set up an API gateway to use the SPEKE API. Also note that you must use different endpoints depending on the SPEKE version. See SPEKE Versions for more guidance.

SPEKE Versions

AWS Media Services currently use V1 and V2 of AWS’ SPEKE standard. JWP supports these versions through different URLs.

💡

We recommend using SPEKE V2 where possible as this gives you more control over the encryption used.

Implementation

Configure Media Package For Live

Use the following steps to configure Media Package:

1. Log in to AWS.
2. In the Console Home page, type MediaPackage into the search bar and select its result. The AWS Elemental MediaPackage page appears.

   💡

   You can also click Services > Media Services > MediaPackage.

3. Select Channels from the left sidebar.
4. Click Create a new channel. The Create channel page appears.
5. In the ID field, enter a channel identifier.
6. Click Create. The details of the newly-created channel appear.
7. Under Origin endpoints, click Manage endpoints. The Manage endpoints page appears.
8. In the ID field, enter an endpoint identifier.
9. (Optional) Add a description of the endpoint.
10. For Manifest Name, type manifest.
11. Under the Packager settings, select the packager type from the Type dropdown menu.

12. In the Package encryption section, choose Encrypt content. The encryption settings appear.
13. In the Resource ID field, add a resource ID.
14. In the System IDs text box, type the appropriate DRM system identifiers.

15. In the URL field, enter your API gateway URL.
16. In the Role ARN field, enter an appropriate Amazon Resource Name.
17. If available, select the SPEKE version. Version 2.0 is recommended.
18. (SPEKE V2 only) Select a Video/Audio encryption preset.
19. Click Save.

💡

You can use the JWP Stream Tester to test the endpoints URL.

Configure Media Package for VOD

Use the following steps to configure Media Package:

1. Log in to AWS.
2. In the Console Home page, type MediaPackage into the search bar and select its result. The AWS Elemental MediaPackage page appears.

   💡

   You can also click Services > Media Services > MediaPackage.

3. Select Packaging groups from the left sidebar.
4. Click Create group. The Create packaging group page appears.
5. In the ID field, enter an endpoint identifier.
6. Click Create. The details of the new packaging group appear.
7. In the Manage configuration section, click Manage configurations. The Manage configurations page appears.
8. In the ID field, enter an endpoint identifier.
9. From the Type dropdown menu, select the packager type.

10. After configuring your packaging, click Enable DRM.
11. In the System IDs text box, type the appropriate DRM system identifiers.

12. In the URL field, enter your API gateway URL.
13. In the Role ARN field, enter an appropriate Amazon Resource Name.
14. If available, select the SPEKE version. Version 2.0 is recommended.
15. If using SPEKE Version 2.0, select a Video/Audio encryption preset.
16. Click Save.

Create a Media Convert Job

❗️

Currently, depending on the format of the key response from the SPEKE-compliant key server, the output DASH MPD will contain PSSH elements (<cenc:pssh>) that are not wrapped in ContentProtection elements (<ContentProtection>). MediaConvert will soon release a change that alters the behavior of jobs with this characteristic . If your workflow does not involve any custom workaround steps for this purpose, no further action is required.

After the change, DASH outputs will only contain PSSH elements inside of parent ContentProtection elements, regardless of key response format. MediaConvert is making this change in order to comply with DASH Industry Forum standards, which require PSSH elements to be placed in ContentProtection parent elements¹.

This change only potentially requires action if you have implemented custom workaround steps in your workflow to add missing ContentProtection elements through manifest manipulation. This change may require removing or modifying these workaround steps, as they will no longer be necessary.

Use the following steps to create a MediaConvert job:

1. Log in to AWS.
2. In the Amazon search bar of the new tab, type MediaConvert and click MediaConvert. The AWS Elemental MediaConvert page appears.

   💡

   You can also click Services > Media Services > MediaConvert.

3. Select Jobs from the left sidebar.
4. Click Create a job. The Create job page appears.
5. Under Input 1, in the Input file URL field, enter the URL of the source clip.
6. In the side navigation under Output groups, click Add. The Add output group popup window appears.
7. Select an output group.

8. Click Select. A page with the group settings appears.
9. Under Destination, click Browse. The Choose a location popup window appears.
10. From the S3 bucket dropdown menu, select the destination S3 bucket.
11. In the Location field, search for the S3 bucket folder. The folder should have a path similar to this format: your-bucket/your-folder-name/.
12. Click Choose. The popup window closes.
13. In the Destination field, append manifest to the end of the destination.
14. From the Segment control dropdown menu, select Segmented files.
15. Add DRM and amend the output groups based on your output type. Only use one of the following instructions:
    • HLS
    • DASH
    • CMAF
16. In the video settings of your output, navigate to the Video tab of the Encoding settings.
17. Enter your Max bitrate (bits/s).
18. In the main side navigation under Job settings, click AWS integration. The AWS integration settings appear in the main panel.
19. Under Service access, select Use an existing service role from the Service role control dropdown menu. The Service role field appears.
20. In the Service role field, choose the relevant IAM role.
21. Click Create.

You will need to wait several minutes for the job to process. On the Jobs page, you can press the Refresh button to check the status of the job. Once the job is complete, a value appears in the Finish time column.

HLS

DASH / Microsoft Smooth Streaming

CMAF

Test Your Content

After generating your content, you can validate a Studio DRM-protected stream in your web environment using the JWP Stream Tester.

If your content is stored in S3, you must either make it accessible via a CDN or publicly accessible in order to use our stream tester.

API Gateway

Import the API from Swagger

Use the following steps to import the API:

1. In the Amazon search bar of the new tab, search for and click API Gateway. The API Gateway page appears.

   💡

   You can also click Services > Networking & Content Delivery > API Gateway.

2. In the REST API section, click Import. A setup page appears.
3. Under Choose the protocol, select REST.
4. Under Create new API, select Import from Swagger or Open API 3.
5. Under Import from Swagger or Open API 3, paste the following JSON.

{
  "swagger": "2.0",
  "info": {
    "title": "speke proxy"
  },
  "basePath": "/speke",
  "schemes": [
    "https"
  ],
  "paths": {
    "/": {
      "post": {
        "produces": [
          "application/json"
        ],
        "parameters": [
          {
            "name": "API-KEY",
            "in": "header",
            "required": false,
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    }
  }
}

6. Click Import.

API Gateway setup

1. In the POST box, click Set up now.
2. For the Integration type, select HTTP.
3. Check Use HTTP Proxy integration.
4. Set the Endpoint URL. Be sure to use the appropriate SPEKE URL.
5. Click Save. The Method Execution page appears.
6. Click Integration Request.
7. Expand the HTTP Headers section.
8. Click Add header. A row appears.
9. In the Name field, enter API-KEY.
10. In the Mapped from field, enter '{your-api-key}'. Be sure to surround the API key with single quotes.
11. At the end of the row, click the checkmark to save the header.
12. At the top of the page, click Actions > Deploy API. The Deploy API popup window appears.
13. From the Deployment stage dropdown menu, select [New Stage].
14. In the Stage name field, enter an appropriate name.
15. Click Deploy. The Stage Editor page appears for the stage that has been created.

At the top of the Stage Editor page, your Invoke URL is listed. The Invoke URL can be used by other AWS services to make requests to JWP's SPEKE API.