-
Notifications
You must be signed in to change notification settings - Fork 56
Architecture
The Video resource implements two types of endpoints for consuming streaming media within your application - Live and Video-on-Demand (VOD). It provides the infrastructure necessary to ingest, store, process, and deliver content over Apple HLS protocol using AWS services.
The Live Streaming type will provide different origin architectures based on the configuration selected through the prompts. This is because there is a trade-off to be made with respect to latency and features. Essentially, if you need the lowest possible latency, MediaStore is a better choice. If you need advanced packaging features like filtering, multi-drm, and live-to-vod recordings, MediaPackage is necessary. This flexibility allows Amplify Video to compose the appropriate solution without too much input from the user.
Live Encoder -> MediaLive -> MediaStore and/or MediaPackage <-> CloudFront <-> Application
Ingest into the Live Stream Resource is provided by a MediaLive Input Stream Key that is provided by Amplify-CLI when a new Video Resource is pushed or when you run 'amplify video get-info'. This key is used in the upstream encoder configuration, typically at the site of the live event. We automatically configure OBS with this key when you use 'amplify video setup-obs'
Currently there is no implementation of authentication or authorization to live streams managed by Amplify Video. You can use the Amplify Auth component for user authentication in conjunction with Cloudfront Signed Cookies for temporary endpoint access.
The Video-on-Demand has a bit more going on under the hood. This type provides both a "video plane" (similar to Live Streaming) and a "content management plane" necessary to index, authorize, and serve the content and associated metadata.
This resource type is dependent on the Amplify Auth and API Categories. API is (optionally) used to host our content management API and Auth allows us to control what content users can access.
Source File -> S3 -> Lambda -> MediaConvert -> S3 <-> CloudFront <-> Application
Resolvers (DynamoDB/Lambda) <-> Appsync <-> Application
Content is processed by your VOD Video Resource when assets are uploaded to the input S3 bucket listed in aws-video-exports. If you configure an API as part of the Resource, upload can be easily configured within your application by using the Storage class within the aws-amplify javascript, ios, and android library. This can be used in conjunction with the Auth resource to authenticate uploads.
If you do not configure the the API as part of the Video resource, asset upload and authentication can be implemented in any method of your choosing (console, sdk, etc).
If you add a Content Management API and CloudFront Distribution to your VOD Resource through Amplify Video, we implement an authorization scheme. Amplify Video creates an Auth and API resource in addition to the Video resource to authenticate users and authorize access to specific API endpoints that vend CloudFront Signed URLs and metadata.
To sign the URLs, Amplify Video requires the CloudFront Key Pair generated and stored on your local development machine where Amplify-CLI can access it during the creation of the Video Resource. This key is securely stored in AWS Secrets Manager after you push the Video resource and is then used by a Lambda Function to sign content URLs.
- User Logs in via Cognito and Auth Component
- Application presents VOD assets for playback by creating an access URL from aws-video-exports.js (.json)
https:// awsOutputVideo + /assetID/ + assetID + extension + token
https://d2jyprsbv583cq.cloudfront.net/085feb2c-6e9f-5fb1-9c20-ead8479b4d5f/085feb2c-6e9f-5fb1-9c20-ead8479b4d5f.m3u8?Policy=foo&Key-Pair-Id=bar&Signature=foobar