I understand you're experiencing issues with your Media Package and CloudFront integration for FAST livestream distribution, particularly after AWS removed the ability to automate a cloud link within Media Package. This is indeed a challenging situation, but there are a few things to consider that might help resolve your 403 error.
First, it's important to note that AWS has recently introduced Origin Access Control (OAC) for AWS Elemental MediaPackage origins with CloudFront. This new feature allows for more granular access control, permitting origin access only from designated CloudFront distributions. This change might be related to the issues you're experiencing.
To address your 403 error, you might want to check if you've properly configured the Origin Access Control between your MediaPackage origin and CloudFront distribution. This involves using AWS Signature Version 4 (SigV4) for authentication, which provides robust protection for your origin and prevents request tampering.
When setting up your CloudFront distribution manually, make sure you've enabled OAC when configuring your MediaPackage v2 endpoint with CloudFront. You can do this through the CloudFront Console, SDK, CLI, or CloudFormation.
Additionally, it's recommended to enable header-based MediaPackage CDN Authorization between MediaPackage endpoints and the CloudFront distribution. This can help ensure that only your CloudFront distribution can access the MediaPackage origin.
If you're still encountering issues after checking these configurations, it might be worth reaching out to AWS support, as there could be underlying changes or issues that are beyond your immediate control.
Remember, when working with live streaming setups, it's crucial to have the correct configurations in place, including proper cache behaviors, origin request policies, and potentially WAF rules if you're implementing additional security measures.
Sources
Deliver live streaming video with CloudFront and AWS Media Services - Amazon CloudFront
Amazon CloudFront now supports Origin Access Control (OAC) for AWS Elemental MediaPackage Origin
For MediaPackage V1, you'll need to use Header Authentication. CloudFront will send a secret header to MediaPackage during requests. MediaPackage will only allow requests using this header.
Documentation is here: https://docs.aws.amazon.com/mediapackage/latest/ug/cdn-auth.html
For EMP Live v1, you can create your workflow by using AWS Solutions: https://aws.amazon.com/solutions/implementations/live-streaming-on-aws/ It will create a CloudFront distribution for you, as well as secure access to the EMP endpoint by the CF distribution with a custom header containing a secret.
Correct me if I'm wrong, but it's my understanding that OAC for CloudFront is MediaPackage V2 (VoD specific) while MediaPackage livestreaming remains on V1. Although I've already tried enabling OAC... and then deleted it, it would seem to me that turning this on would further complicate the 403 I'm already getting being open access.
Also make sure CloudFront is not caching the 403 response for more than 1 sec: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-error-pages-expiration.html. Otherwise, if you retry the request within a short period, you might get the cached response. MediaPackageV2 is for live streaming, while MediaPackageV1 has the VOD-specific features that are not yet available in V2. Look at the following documentation on how to set up OAC with MediaPackageV2: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-mediapackage.html. Also verify you can stream the content directly from MediaPackageV2 before setting the OAC and connecting MediaPackageV2 through CloudFront.
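Added example, not part of the thread and not AWS code: a small offline audit of a distribution config for the three things the answers above point to (CDN authorization header on a v1 origin, OAC on a v2 origin, and how long 403s are cached). The sample config is constructed in the shape of `aws cloudfront get-distribution-config` output; the origin IDs, domain names and OAC ID are placeholders, and the hostname patterns used to tell v1 from v2 origins are assumptions.

```python
import json
import re

# Constructed sample in the shape of `aws cloudfront get-distribution-config` output.
SAMPLE = json.loads("""
{"DistributionConfig": {
  "Origins": {"Quantity": 2, "Items": [
    {"Id": "emp-v1", "DomainName": "example1.mediapackage.us-east-1.amazonaws.com",
     "CustomHeaders": {"Quantity": 0}, "OriginAccessControlId": ""},
    {"Id": "emp-v2",
     "DomainName": "example2.egress.example.mediapackagev2.us-east-1.amazonaws.com",
     "CustomHeaders": {"Quantity": 0}, "OriginAccessControlId": "E0000EXAMPLE"}
  ]},
  "CustomErrorResponses": {"Quantity": 0}
}}
""")

CDN_AUTH_HEADER = "x-mediapackage-cdnidentifier"  # MediaPackage CDN authorization header
DEFAULT_ERROR_TTL = 10  # seconds CloudFront caches errors with no custom error response

def audit(cfg, max_403_ttl=1):
    """Return a list of findings for MediaPackage origins in a distribution config."""
    dist = cfg.get("DistributionConfig", cfg)
    findings = []
    for origin in dist.get("Origins", {}).get("Items", []):
        domain = origin.get("DomainName", "")
        items = origin.get("CustomHeaders", {}).get("Items", [])
        headers = {h["HeaderName"].lower() for h in items}
        # Assumed hostname patterns: ...mediapackagev2.<region>... is v2, ...mediapackage.<region>... is v1.
        if re.search(r"\.mediapackagev2\.[a-z0-9-]+\.amazonaws\.com$", domain):
            if not origin.get("OriginAccessControlId"):
                findings.append(f"{origin['Id']}: v2 origin has no OAC attached")
        elif re.search(r"\.mediapackage\.[a-z0-9-]+\.amazonaws\.com$", domain):
            if CDN_AUTH_HEADER not in headers:
                findings.append(f"{origin['Id']}: v1 origin is missing the CDN authorization header")
    # A 403 without its own custom error response falls back to the default error TTL.
    ttl = DEFAULT_ERROR_TTL
    for err in dist.get("CustomErrorResponses", {}).get("Items", []):
        if err.get("ErrorCode") == 403:
            ttl = err.get("ErrorCachingMinTTL", DEFAULT_ERROR_TTL)
    if ttl > max_403_ttl:
        findings.append(f"403 responses are cached for {ttl}s (want <= {max_403_ttl}s)")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

A finding is a prompt to compare against the endpoint's own access settings, since an endpoint left open needs neither the header nor OAC.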