Setting-up DRM is an important, but sometimes a somewhat complicated job to execute. The complexity often comes from the business requirements, DRM technology is more and more available to everyone.
In this blog we will talk you through setting up, a Widevine DRM integration between AWS Elemental Media Package and EZDRM (https://www.ezdrm.com/)
Let’s start with the basic concept of DRM.
For Video On Demand and Live streaming you “chunk” your video feed in “small” segments, let’s say in segments of 2 seconds. A player will reassemble these small segments and display them as a continuous video stream.
For security, DRM encrypts each video segment using an AES based algorithm (the exact algorithm depends on the settings and is out of scope for this blog).
The key on how DRM works is how to distribute the encryption key securely, in this first part we will talk about how to get an encryption key securely towards a video packager.
As per the product sheet: “AWS Elemental MediaPackage prepares, protects, and distributes your video content to a broad range of connected devices. The service can take a single video input from an encoder such as AWS Elemental MediaLive, package it in multiple streaming formats, and automatically scale outputs in response to audience demand.”
The protection comes from DRM, AWS Elemental Media Packages realises this by integrating with a 3rd party DRM provider using the Speke interface. Speke stands for Secure Packager and Encoder Key Exchange and is a well known REST API specification.
To integrate AWS Elemental Media Packager with EZDRM via the Speke interface we have to configure an API Gateway in between. The packager will call the API Gateway, the API Gateway injects a security key in the header which is required by EZDRM.
The following picture depicts this overview:
The configuration can be created as following using the AWS Serverless Application Model.
First of all we need an API Gateway which acts as proxy between the Packager and EZDRM:
DrmKeygenAPI:
Type: AWS::Serverless::Api
Properties:
OpenApiVersion: 3.0.1
StageName: Dev
Name: EZDRM keygen API
EndpointConfiguration:
Type: REGIONAL
DefinitionBody:
Fn::Transform:
Name: AWS::Include
Parameters:
Location: "./openapi.yaml"
Where the open api spec is as following:
openapi: 3.0.3
info:
title: Ezdrm keygen API
description: "OVP Ezdrm keygen API"
version: 0.0.1
tags:
- name: Keygen API
x-amazon-apigateway-request-validators:
basic:
validateRequestBody: true
validateRequestParameters: true
params-only:
validateRequestBody: false
validateRequestParameters: true
x-amazon-apigateway-request-validator: basic
paths:
/copyProtection:
post:
x-amazon-apigateway-integration:
type: http_proxy
httpMethod: POST
uri: "https://cpix.ezdrm.com/speke2/speke2.aspx"
requestParameters:
integration.request.header.ezdrmSecureToken: "'${EZDRMSecureToken}'"
Secondly we need to configure the media packager for encryption. We first of all need to create an IAM role which allows the packager to call the API Gateway:
MediaPackageRole:
Type: AWS::IAM::Role
Properties:
RoleName:
Fn::Sub: MediaPackageRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- mediapackage.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: InvokeEzdrmPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- execute-api:Invoke
Resource:
- Fn::Join:
- ''
- - 'arn:aws:execute-api:'
- Ref: AWS::Region
- ':'
- Ref: AWS::AccountId
- ':'
- Ref: DrmKeygenAPI
- /*/GET/client/*/*
- Fn::Join:
- ''
- - 'arn:aws:execute-api:'
- Ref: AWS::Region
- ':'
- Ref: AWS::AccountId
- ':'
- Ref: DrmKeygenAPI
- ' /*/POST/copyProtection'
Now we can configure the packager with the following variables:
SystemId: “edef8ba9-79d6-4ace-a3c8-27dcd51d21ed” (the Widevine System ID)
Url: https://${DrmKeygenAPI}.execute-api.${AWS::Region}.amazonaws.com/dev/copyProtection
RoleARN: The ARN to the role we have defined above.
Once this is setup, we have a path in place were the AWS Elemental Media Packager can encrypt the video files using keys provided by EZDRM.