Articles in this section

AWS MediaConnect - SRT (Encrypted)

  • Updated
Follow

Configuring SRT encryption/decryption on MediaConnect

Publishing an encrypted SRT stream to MediaConnect

 

Configuring SRT encryption/decryption on MediaConnect

  1. Navigate to your AWS account and enter the Secrets Manager Service
  2. Select Store a new secret

    1. Under secret type: select Other type of secret

    2. Under Key/value pairs:

      1. First select Plaintext

      2. Delete ALL contents of the Plaintext field including any brackets

      3. Add desired SRT encryption key into the plaintext field. (You can use any random encryption key generator such as this one at https://randomkeygen.com/). Be sure to note the key for future reference when configuring the SRT stream.

    3. Under Encryption key

      1. Select the aws/secretsmanager from the dropdown.

    4. Select Next
    5. Enter desired Secret name. All other fields are optional on this page.
    6. Click Next
    7. On the Configure rotation page, this is optional. Click Next
    8. On the Review page, click Store
    9. Refresh the page and open up the secret you just created

      1. NOTE: Make a note, or save a copy, of the Secret’s ARN for your IAM policy in the next step.

  1.  

  2. Enter the AWS IAM Service

    1. On the left-hand side bar, under Access Management, select Policies

    2. Create an IAM policy to allow AWS Elemental MediaConnect to access your secret

      1. Click Create policy

      2. Click JSON

      3. Clear ALL existing JSON text and replace with the text in the code block below in step 4. Leave the version set to 2012-10-17 and replace arn-for-secret with your Secret’s ARN.

      4. {  "Version": "2012-10-17",  "Statement": [  {  "Effect": "Allow",  "Action": [  "secretsmanager:GetResourcePolicy",  "secretsmanager:GetSecretValue",  "secretsmanager:DescribeSecret",  "secretsmanager:ListSecretVersionIds"  ],  "Resource": [  "arn-for-secret"  ]  }  ] }
      5. Click Next

    3. Under the Review and create page:
      1. Enter a Policy name

      2. Click Create policy

  3. Navigate back to the AWS IAM Service

    1. On the left-hand sidebar, under Access management, select Roles 

    2. Create an IAM role with a trusted relationship

      1. Click Create role

      2. Under Trusted entity type, select AWS Service

      3. Under Use case, select EC2

      4. Click Next

    3. Under the Add permissions page

      1. Search for the policy you just created in the Search bar

      2. Click the check box next to it

      3. Click Next

    4. Under the Name, review, and create page

      1. Enter a name for the Role name

      2. Click Create role

    5. From the IAM Roles page, you will now update your trust policy from EC2 to MediaConnect

      1. Search for and click your Role name

      2. Click the Trust relationships tab

      3. Click Edit trust policy

      4. Clear ALL existing JSON text and replace with the text in the code block below in step 5

      5. {  "Version": "2012-10-17",  "Statement": [  {  "Effect": "Allow",  "Principal": {  "Service": "mediaconnect.amazonaws.com"  },  "Action": "sts:AssumeRole"  }  ] }

      6. Click Update Policy

  4. Enter the AWS Key Management Service

    1. Create an encryption key by clicking Create key

    2. Under the Configure key page

      1. Set the Key type to Symmetric

      2. Set the Key usage to Encrypt and decrypt

      3. Click Next

    3. Under the Add labels page

      1. The Alias can be given a display name you prefer

      2. Description and Tags are optional entries

      3. Click Next

    4. Under the Define key administrative permissions page

      1. Search for your role Name here and check the box to the left of it

      2. Click Next

    5. Under the Define key usage permissions page

      1. Search for your role Name here and check the box to the left of it

      2. Click Next

    6. Under the Review page

      1. Review to ensure accuracy and then click Finish

  5. Navigate back to AWS Secrets Manager Service

    1. Click on your Secret name

    2. Click the Actions dropdown for Secrets details

    3. Select Edit encryption key

    4. Click the dropdown under Encryption key and choose the key created in the previous Key Management Service steps

    5. Click Save

  6. Navigate to AWS MediaConnect Service

    1. Update your MediaConnect Flow with decryption

      1. Click your Flow Name

      2. Click the circle next to your Source

      3. Click Update

      4. Under Decryption click Activate

      5. For Role ARN, click the dropdown, search for, and select your Role

      6. For Secret ARN, click the dropdown, search for, and select your Secret

      7. Click Update source

Publishing an encrypted SRT stream to MediaConnect

  1. Navigate to AWS MediaConnect and enter the Flow which you are using
  2. Start the Flow in the top-right of your Flow's screen
  3. Allow some time for the Flow to start and the Status will then show "Active" when it is ready

  4. Set up the Videon device to stream SRT

    1. Set Call Mode to Caller

    2. Configure the SRT URL

      1. Navigate to the appropriate Flow in MediaConnect and locate the Public Outbound IP address

      2. Enter the Public Outbound IP address into the Node / EdgeCaster's SRT output IP address

      3. From the MediaConnect Flow, select Sources and locate the Source port

      4. Enter the Source port into the Node / EdgeCaster's SRT output Port

    3. Enter a Latency greater than the Minimum Latency assigned to the MediaConnect Flow

    4. Enter a Bandwidth

    5. Ensure Encryption is turned ON

    6. Enter the passphrase used in your Secret in the Videon UI as the Encryption Passphrase
  5. Turn the SRT output ON and click Save


  6.  

  7. View stream in VLC

    1. srt://<ip_from_flow_output>:<port_from_flow_output>