Learn how to use AWS to package your media for Studio DRM.
When using AWS Media Services with Studio DRM, you can use several services to package your media depending on your business needs. Each of the different AWS services are listed in the following table along with their use cases.
This article attempts to simplify using AWS Media Services with Studio DRM.
Since AWS Media Services products evolve, we strongly recommend verifying the steps in this documentation with the documentation for each specific AWS service. A link to each service's documentation is listed in the following table.
AWS Media Service | Description | Use Case |
---|---|---|
Amazon API Gateway | Amazon API Gateway enables you to create and deploy your own REST and WebSocket APIs. | Allows various media services to make calls to JWP’s SPEKE API |
Amazon S3 | Amazon Simple Storage Service (Amazon S3) is storage for the internet. | Stores files for processing and provides a space for processed files to be saved to |
AWS Elemental MediaConvert | AWS Elemental MediaConvert is a service that formats and compresses offline video content for delivery to televisions or connected devices. | Processes VOD assets |
AWS Elemental MediaPackage | AWS Elemental MediaPackage is a just-in-time video packaging and origination service that delivers highly secure, scalable, and reliable video streams to a wide variety of playback devices. | Processes both VOD and Live assets |
In addition to the AWS service, you must set up an API gateway to use the SPEKE API. Also note that you must use different endpoints depending on the SPEKE version. See SPEKE Versions for more guidance.
SPEKE Versions
AWS Media Services currently use V1 and V2 of AWS’ SPEKE standard. JWP supports these versions through different URLs.
SPEKE Version | Supported URL |
---|---|
SPEKE V1 | https://speke.vudrm.tech/{client}/speke |
SPEKE V2 | https://cpix.vudrm.tech/v2/speke/{client} |
We recommend using SPEKE V2 where possible as this gives you more control over the encryption used.
Implementation
Configure Media Package For Live
Use the following steps to configure Media Package:
- Log in to AWS.
- In the Console Home page, type MediaPackage into the search bar and select its result. The AWS Elemental MediaPackage page appears.
You can also click Services > Media Services > MediaPackage.
- Select Channels from the left sidebar.
- Click Create a new channel. The Create channel page appears.
- In the ID field, enter a channel identifier.
- Click Create. The details of the newly-created channel appear.
- Under Origin endpoints, click Manage endpoints. The Manage endpoints page appears.
- In the ID field, enter an endpoint identifier.
- (Optional) Add a description of the endpoint.
- For Manifest Name, type manifest.
- Under the Packager settings, select the packager type from the Type dropdown menu.
Packager Type | Use Case |
---|---|
Apple HLS | For use with FairPlay DRM |
DASH-ISO | For use with PlayReady or Widevine DRM |
Microsoft Smooth | For use with PlayReady DRM |
Common Media Application Format (CMAF) | For use with FairPlay, PlayReady, or Widevine DRM |
- In the Package encryption section, choose Encrypt content. The encryption settings appear.
- In the Resource ID field, add a resource ID.
- In the System IDs text box, type the appropriate DRM system identifiers.
DRM System | Identifier |
---|---|
FairPlay DRM | 94ce86fb-07ff-4f43-adb8-93d2fa968ca2 |
PlayReady DRM | 9a04f079-9840-4286-ab92-e65be0885f95 |
Widevine DRM | edef8ba9-79d6-4ace-a3c8-27dcd51d21ed |
- In the URL field, enter your API gateway URL.
- In the Role ARN field, enter an appropriate Amazon Resource Name.
- If available, select the SPEKE version. Version 2.0 is recommended.
- (SPEKE V2 only) Select a Video/Audio encryption preset.
- Click Save.
You can use the JWP Stream Tester to test the endpoints URL.
Configure Media Package for VOD
Use the following steps to configure Media Package:
- Log in to AWS.
- In the Console Home page, type MediaPackage into the search bar and select its result. The AWS Elemental MediaPackage page appears.
You can also click Services > Media Services > MediaPackage.
- Select Packaging groups from the left sidebar.
- Click Create group. The Create packaging group page appears.
- In the ID field, enter an endpoint identifier.
- Click Create. The details of the new packaging group appear.
- In the Manage configuration section, click Manage configurations. The Manage configurations page appears.
- In the ID field, enter an endpoint identifier.
- From the Type dropdown menu, select the packager type.
Packager Type | Use Case |
---|---|
Apple HLS | For use with FairPlay DRM |
DASH-ISO | For use with PlayReady or Widevine DRM |
Microsoft Smooth | For use with PlayReady DRM |
Common Media Application Format (CMAF) | For use with FairPlay, PlayReady, or Widevine DRM |
- After configuring your packaging, click Enable DRM.
- In the System IDs text box, type the appropriate DRM system identifiers.
DRM System | Identifier |
---|---|
FairPlay DRM | 94ce86fb-07ff-4f43-adb8-93d2fa968ca2 |
PlayReady DRM | 9a04f079-9840-4286-ab92-e65be0885f95 |
Widevine DRM | edef8ba9-79d6-4ace-a3c8-27dcd51d21ed |
- In the URL field, enter your API gateway URL.
- In the Role ARN field, enter an appropriate Amazon Resource Name.
- If available, select the SPEKE version. Version 2.0 is recommended.
- If using SPEKE Version 2.0, select a Video/Audio encryption preset.
- Click Save.
Create a Media Convert Job
Currently, depending on the format of the key response from the SPEKE-compliant key server, the output DASH MPD will contain PSSH elements (
<cenc:pssh>
) that are not wrapped in ContentProtection elements (<ContentProtection>
). MediaConvert will soon release a change that alters the behavior of jobs with this characteristic . If your workflow does not involve any custom workaround steps for this purpose, no further action is required.After the change, DASH outputs will only contain PSSH elements inside of parent ContentProtection elements, regardless of key response format. MediaConvert is making this change in order to comply with DASH Industry Forum standards, which require PSSH elements to be placed in ContentProtection parent elements1.
This change only potentially requires action if you have implemented custom workaround steps in your workflow to add missing ContentProtection elements through manifest manipulation. This change may require removing or modifying these workaround steps, as they will no longer be necessary.
Use the following steps to create a MediaConvert job:
- Log in to AWS.
- In the Amazon search bar of the new tab, type MediaConvert and click MediaConvert. The AWS Elemental MediaConvert page appears.
You can also click Services > Media Services > MediaConvert.
- Select Jobs from the left sidebar.
- Click Create a job. The Create job page appears.
- Under Input 1, in the Input file URL field, enter the URL of the source clip.
- In the side navigation under Output groups, click Add. The Add output group popup window appears.
- Select an output group.
Output Group | Description |
---|---|
Apple HLS | For use with FairPlay DRM |
DASH-ISO | For use with PlayReady or Widevine DRM |
Microsoft Smooth | For use with PlayReady DRM |
CMAF | For use with FairPlay, PlayReady, or Widevine DRM |
- Click Select. A page with the group settings appears.
- Under Destination, click Browse. The Choose a location popup window appears.
- From the S3 bucket dropdown menu, select the destination S3 bucket.
- In the Location field, search for the S3 bucket folder. The folder should have a path similar to this format: your-bucket/your-folder-name/.
- Click Choose. The popup window closes.
- In the Destination field, append manifest to the end of the destination.
- From the Segment control dropdown menu, select Segmented files.
- Add DRM and amend the output groups based on your output type. Only use one of the following instructions:
- In the video settings of your output, navigate to the Video tab of the Encoding settings.
- Enter your Max bitrate (bits/s).
- In the main side navigation under Job settings, click AWS integration. The AWS integration settings appear in the main panel.
- Under Service access, select Use an existing service role from the Service role control dropdown menu. The Service role field appears.
- In the Service role field, choose the relevant IAM role.
- Click Create.
You will need to wait several minutes for the job to process. On the Jobs page, you can press the Refresh button to check the status of the job. Once the job is complete, a value appears in the Finish time column.
HLS
FairPlay DRM Settings
Use the following steps to configure DRM settings:
- Click the DRM encryption toggle. The DRM encryption section expands.
- From the Encryption method dropdown menu, select Sample AES.
- From the Key provider type dropdown menu, select SPEKE.
- From the Initialization vector in manifest dropdown menu, select Exclude.
- In the Resource ID field, enter a unique identifier for your content.
The identifier is often referred to as the content ID. This must only contain alphanumeric characters, hyphens (-), or underscores (_).
- In the System ID field, enter 94ce86fb-07ff-4f43-adb8-93d2fa968ca2.
- In the Key provider URL field, enter your API gateway URL.
DASH / Microsoft Smooth Streaming
PlayReady / Widevine DRM Settings
Use the following steps to configure DRM settings:
- Click the DRM encryption toggle. The DRM encryption section expands.
- In the Resource ID field, enter a unique identifier for your content.
The identifier is often referred to as the content ID. This must only contain alphanumeric characters, hyphens (-), or underscores (_).
- In the System IDs text box, type the appropriate DRM system identifiers.
DRM System | Identifier |
---|---|
PlayReady DRM | 9a04f079-9840-4286-ab92-e65be0885f95 |
Widevine DRM | edef8ba9-79d6-4ace-a3c8-27dcd51d21ed |
- In the Key provider URL field, enter your API gateway URL.
CMAF
FairPlay / PlayReady / Widevine DRM Settings
Use the following steps to configure DRM settings:
- Click the DRM encryption toggle. The DRM encryption section expands.
- In the Resource ID field, enter a unique identifier for your content.
The identifier is often referred to as the content ID. This must only contain alphanumeric characters, hyphens (-), or underscores (_).
- In the System ID signaled in HLS text box, type an appropriate DRM system identifier.
DRM System | Identifier |
---|---|
FairPlay DRM | 94ce86fb-07ff-4f43-adb8-93d2fa968ca2 |
Widevine DRM | edef8ba9-79d6-4ace-a3c8-27dcd51d21ed |
PlayReady DRM | Not supported by HLS |
- In the System IDs signaled in DASH text box, type the appropriate DRM system identifiers.
DRM Sytem | Identifier |
---|---|
FairPlay DRM | Not supported by DASH |
Widevine DRM | edef8ba9-79d6-4ace-a3c8-27dcd51d21ed |
PlayReady DRM | 9a04f079-9840-4286-ab92-e65be0885f95 |
- In the Key provider URL field, enter your API gateway URL.
Test Your Content
After generating your content, you can validate a Studio DRM-protected stream in your web environment using the JWP Stream Tester.
If your content is stored in S3, you must either make it accessible via a CDN or publicly accessible in order to use our stream tester.
API Gateway
Import the API from Swagger
Use the following steps to import the API:
- In the Amazon search bar of the new tab, search for and click API Gateway. The API Gateway page appears.
You can also click Services > Networking & Content Delivery > API Gateway.
- In the REST API section, click Import. A setup page appears.
- Under Choose the protocol, select REST.
- Under Create new API, select Import from Swagger or Open API 3.
- Under Import from Swagger or Open API 3, paste the following JSON.
{
"swagger": "2.0",
"info": {
"title": "speke proxy"
},
"basePath": "/speke",
"schemes": [
"https"
],
"paths": {
"/": {
"post": {
"produces": [
"application/json"
],
"parameters": [
{
"name": "API-KEY",
"in": "header",
"required": false,
"type": "string"
}
],
"responses": {
"200": {
"description": "200 response"
}
}
}
}
}
}
- Click Import.
API Gateway setup
- In the POST box, click Set up now.
- For the Integration type, select HTTP.
- Check Use HTTP Proxy integration.
- Set the Endpoint URL. Be sure to use the appropriate SPEKE URL.
- Click Save. The Method Execution page appears.
- Click Integration Request.
- Expand the HTTP Headers section.
- Click Add header. A row appears.
- In the Name field, enter API-KEY.
- In the Mapped from field, enter '{your-api-key}'. Be sure to surround the API key with single quotes.
- At the end of the row, click the checkmark to save the header.
- At the top of the page, click Actions > Deploy API. The Deploy API popup window appears.
- From the Deployment stage dropdown menu, select [New Stage].
- In the Stage name field, enter an appropriate name.
- Click Deploy. The Stage Editor page appears for the stage that has been created.
At the top of the Stage Editor page, your Invoke URL is listed. The Invoke URL can be used by other AWS services to make requests to JWP's SPEKE API.