Question

I'm trying to serve private video content over RTMP, accessible only through a signed url

Here are my CloudFront distribution settings:

Origin Domain Name : ct.recorder.s3.amazonaws.com

Restrict Bucket Access : Yes

Origin Access Identity : Use an Existing Identity

Your Identities : CT rtmp videos

Grant Read Permissions on Bucket : No, I Will Update Permissions

Restrict Viewer Access (Use Signed URLs) : Yes

Trusted Signers : Self

Distribution State : Enabled

When I try a signed cloudfront url, it'll fail to play.

Am I missing something?

I'm using the SDK to programmatically upload the video files, so I have control over the permissions I can set. Do I have to make a CannedACL or something?

On the bucket level, I made a policy file:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EF5LIV7LW3XE4"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::ct.recorder/*"
        }
    ]
}

However, it still doesn't work. I still can't access my videos.

I tried rtmpdump and that failed with a NetStream.Failed.

EDIT:

I got the free edition of Cloudberry for S3, and I went into the bucket and the objects in the bucket and set permissions so that the Origin access identity can read.

The result is that CloudFront Origin Access Identity EF5LIV7LW3XE4 has Open/download permissions on the object of the bucket, and it has list permissions for the bucket itself.

But that didn't help. rtmpdump and the player still return errors.

EDIT:

I've tried editing the policy, but when I change it to what Michael suggests, save it, and view it again, my policy does not have my edits in it.

EDIT:

It's not that I can't edit the policy, it's that AWS auto-corrects the "CanonicalUser" to "AWS", and sets the values appropriately.

So now I'm confused. The documentation says I need "CanonicalUser", but AWS won't let me do it.

EDIT:

After getting official confirmation from the forums that it does indeed auto-correct, I'll assume that my S3 bucket policy is correct, and that the problem is elsewhere. Perhaps with the library I'm using to sign my keys.

EDIT:

I tried using Cloudberry Explorer to create a signed cloudfront url, using my private key and access ID, but that url wouldn't work for either my player or rtmpdump.

EDIT:

I got confirmation that the node package that I was using to create signed urls wasn't compatible with rtmp urls. Is there a node package that is?


Solution 2

The signed URL was the problem. The node package I was using couldn't do rtmp urls. Once I switched to using the official sdk for .net, I could play my content. The package has since been updated to work with rtmp urls.
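The difference that tripped up the original node package is what gets signed: for a web distribution the canned policy's Resource is the full URL, but for an RTMP distribution it is only the stream path (no domain, no "mp4:" prefix), and the Expires/Signature/Key-Pair-Id parameters are appended to the stream name the player opens. The following is an added example, not code from the question, the answer, or any AWS SDK. It builds the canned policy and the CloudFront-specific base64 encoding with the standard library only; the real signature is RSA-SHA1 with the CloudFront key pair's private key, provided here through rsa_sha1_signer (which assumes the third-party cryptography package is installed), while demo_signer is a constructed stand-in for offline runs and does not produce a signature CloudFront would accept. The key pair id, stream path and expiry value are constructed sample values.

```python
import base64
import hashlib
import json
import time
from typing import Callable

Signer = Callable[[bytes], bytes]


def cloudfront_safe_b64(data: bytes) -> str:
    """Base64 with the three characters CloudFront does not allow in the
    Signature query parameter replaced: '+' -> '-', '=' -> '_', '/' -> '~'."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded.replace("+", "-").replace("=", "_").replace("/", "~")


def canned_policy(resource: str, expires: int) -> bytes:
    """Canned policy statement. CloudFront rebuilds exactly this JSON on its side
    from the Expires parameter, so the structure must match byte for byte:
    no extra whitespace and no additional keys."""
    policy = {
        "Statement": [
            {
                "Resource": resource,
                "Condition": {"DateLessThan": {"AWS:EpochTime": expires}},
            }
        ]
    }
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def sign_web_url(url: str, expires: int, key_pair_id: str, signer: Signer) -> str:
    """Web distribution: the Resource that is signed is the complete URL."""
    signature = cloudfront_safe_b64(signer(canned_policy(url, expires)))
    separator = "&" if "?" in url else "?"
    return f"{url}{separator}Expires={expires}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def sign_rtmp_stream(stream_path: str, expires: int, key_pair_id: str,
                     signer: Signer, prefix: str = "mp4:") -> str:
    """RTMP distribution: only the stream path is signed (no rtmp://host/cfx/st,
    no 'mp4:' prefix). The parameters go on the stream name the player requests,
    not on the application URL."""
    signature = cloudfront_safe_b64(signer(canned_policy(stream_path, expires)))
    return f"{prefix}{stream_path}?Expires={expires}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def rsa_sha1_signer(private_key_pem: bytes) -> Signer:
    """Real CloudFront signer: RSA PKCS#1 v1.5 over SHA-1, as CloudFront
    requires, using the key pair's private key. The import is done lazily so
    the rest of this module runs without the cryptography package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda policy: key.sign(policy, padding.PKCS1v15(), hashes.SHA1())


def demo_signer(policy: bytes) -> bytes:
    """Constructed stand-in so the example runs offline. This is a plain hash,
    NOT an RSA signature; CloudFront would reject anything built with it."""
    return hashlib.sha1(policy).digest()


if __name__ == "__main__":
    # Constructed sample values; a short expiry limits how long a leaked URL is useful.
    key_pair_id = "APKAEXAMPLEKEYPAIR"
    expires = int(time.time()) + 600
    print(sign_rtmp_stream("videos/clip.mp4", expires, key_pair_id, demo_signer))
    print(sign_web_url("https://d111111abcdef8.cloudfront.net/videos/clip.mp4",
                       expires, key_pair_id, demo_signer))
```

With a real key pair, replace demo_signer with rsa_sha1_signer(open("pk-APKA....pem", "rb").read()); the player then opens rtmp://<distribution>/cfx/st with the string returned by sign_rtmp_stream as the stream name.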

Other tips

"Principal": {
     "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EF5LIV7LW3XE4"
},

Almost certainly not what you want.

"Principal":{
  "CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bexample"
},

To specify an origin access identity, use the value of Amazon S3 Canonical User ID on the Origin Access Identity page in the CloudFront console

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-granting-permissions-to-oai (emphasis added)

On the left side of the screen, under "Private Content," the value you need is under "Origin Access Identity"; that's where you'll find that string of hex digits.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow