Azure Media Services Shared Access Policy limitations

StackOverflow https://stackoverflow.com/questions/14972156

Question

I'm trying to create time-limited URL's for smooth streaming of media stored in Azure Media Services.

I am working against the code supplied here. Windows Azure Smooth Streaming example

I upload a video file to a new Asset. I encode that video file using Azure Media Service encoding with the preset "H264 Adaptive Bitrate MP4 Set 720p". With the resulting encoded asset, I then attempt to create a streaming URL by creating an Access Policy and then a Locator, which I use to generate the URL used for streaming.

Here is the code:

string urlForClientStreaming = "";

IAssetFile manifestFile = (from f in Asset.AssetFiles
                   where f.Name.EndsWith(".ism")
                   select f).FirstOrDefault();

if (manifestFile != null)
{ 
    // Create a 1 hour readonly access policy. 
    IAccessPolicy policy = _mediaContext.AccessPolicies.Create("Streaming policy",   TimeSpan.FromHours(1), AccessPermissions.Read);

    // Create a locator to the streaming content on an origin. 
    ILocator originLocator =     _mediaContext.Locators.CreateLocator(LocatorType.OnDemandOrigin, Asset,    policy, DateTime.UtcNow.AddMinutes(-5));

    urlForClientStreaming = originLocator.Path + manifestFile.Name + "/manifest";

    if (contentType == MediaContentType.HLS)
    urlForClientStreaming = String.Format("{0}{1}", urlForClientStreaming, "(format=m3u8-aapl)");
}

return urlForClientStreaming;

This works great. Until the 6th time you execute that code against the same Asset. Then you receive this error:

"Server does not support setting more than 5 shared access policy identifiers on a single container."

So, that's fine. I don't need to create a new AccessPolicy everytime, I can reuse the one I've created previously, build a Locator using that same policy. However, even then, I get the error about 5 shared access policies on a single container.

Here is the new code that creates the locator with the same AccessPolicy used previously:

string urlForClientStreaming = "";

IAssetFile manifestFile = (from f in Asset.AssetFiles
                   where f.Name.EndsWith(".ism")
                   select f).FirstOrDefault();

if (manifestFile != null)
{ 
    // Create a 1 hour readonly access policy
    IAccessPolicy accessPolicy = null;
    accessPolicy =
      (from p in _mediaContext.AccessPolicies where p.Name == "myaccesspolicy" select p).FirstOrDefault();

     if (accessPolicy == null)
     {
         accessPolicy = _mediaContext.AccessPolicies.Create("myaccesspolicy", TimeSpan.FromHours(1), AccessPermissions.Read);
     }

    // Create a locator to the streaming content on an origin. 
    ILocator originLocator =     _mediaContext.Locators.CreateLocator(LocatorType.OnDemandOrigin, Asset,    policy, DateTime.UtcNow.AddMinutes(-5));

    urlForClientStreaming = originLocator.Path + manifestFile.Name + "/manifest";

    if (contentType == MediaContentType.HLS)
    urlForClientStreaming = String.Format("{0}{1}", urlForClientStreaming, "(format=m3u8-aapl)");
}

return urlForClientStreaming;

I don't understand why it's saying I've created 5 shared access policies. In the case of the second block of code, I only ever create one access policy. I can verify there is only ever one AccessPolicy by viewing the content of _mediaContext.AccessPolicies, there is always just one access policy in that list.

At some point this will likely have many users requesting access to the same Asset. The URL's provided to these clients need to be time limited as per our clients requirements.

Is this not the appropriate means to create a URL for smooth streaming of an asset?

Was it helpful?

Solution 2

Now with Azure Media Services content protection feature, you could encrypt your media file with either AES or PlayReady, generate a long-lived locator. At the same time, you set Token-Authorization policy for the content key, the token duration could be set to a short-period of time (enough for the player to retrieve the content key). This way you could control your content access. For more information, you could refer to my blog: http://azure.microsoft.com/blog/2014/09/10/announcing-public-availability-of-azure-media-services-content-protection-services/

OTHER TIPS

Late reply I know...

Given your requirement to create a single URL that can be used by anyone indefinitely, I would suggest that you:

  1. Create a long lived locator when you create the asset, e.g. for a year - you can use the same access policy each time like you have in your second example
  2. When you're building the URL for streaming, get that locator from the asset
  3. Check the length of time left on the asset - if it's less than a certain amount of time (e.g. a month) then extend the locator by using the ILocator.Update, e.g. for another year. Updating the expiry date of the locator does not affect the original access policy that you used to create the locator.
  4. Profit.

HTH

The locators were not designed to do per-user access control. Use a Digital Rights Management system for that. They have concepts of viewing windows, persistent and non-persistent licensing and much more. Specifically, I'm talking about using PlayReady encryption in WAMS and a PlayReady server to configure and provide the licenses (there is EzDRM in the Azure Portal, also BuyDRM and others).

Locators offer basic on-off switching of streaming services. You can create up to 5, because they are using the underlying SAS limitation of 5 per-container.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top