CloudFront Embedder Guide
Overview
This document describes how to apply the PallyCon watermark embedder with Lambda@Edge for service sites that use the Amazon CloudFront CDN.
sequenceDiagram
participant A as End user
participant C as CloudFront CDN
A ->> C: Start playback of Session URL (request segments)
Note right of C: Watermark embedder
C -->> C: Segments mixing by Session URL
C ->> A: Send mixed segments
Note right of A: Playback of mixed content
Set up CloudFront Embedder using AWS CDK
This AWS CDK sample contains the source code that generates the AWS resources needed to set up the CloudFront embedder.
CloudFront Embedder CDK sample
Set up CloudFront Embedder yourself
The CloudFront Embedder files needed for setting up Lambda@Edge can be downloaded from the Sample download page.
Tutorial Video
This video is a tutorial about how to embed Forensic Watermarking using CloudFront Embedder.
Lambda@Edge User Guide
If you are unfamiliar with using Lambda@Edge with the Amazon CloudFront CDN, we recommend familiarizing yourself with it through the AWS online documents below before proceeding to the next step.
- Get started creating and using Lambda@Edge functions
- Tutorial: Creating a simple Lambda@Edge function
Create IAM Permissions and Roles
First, you need to create the required IAM permissions and execution role to configure Lambda@Edge. In the IAM service screen of the AWS console, create the permissions and roles as follows, referring to the AWS guide.
- Create a role by adding the permissions lambda:GetFunction, lambda:EnableReplication*, iam:CreateServiceLinkedRole, cloudfront:UpdateDistribution, and cloudfront:CreateDistribution.
  To add a permission, you must first specify the target service (Lambda). Also, to add the lambda:EnableReplication* permission, first add the lambda:EnableReplication permission and then modify the JSON code.
- Add the log-related permissions to collect the Lambda access log into CloudWatch Logs.
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
- Add the following to the Trust Relationship tab of the created role.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com",
              "edgelambda.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
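A role whose trust policy omits the edgelambda.amazonaws.com principal, or trusts more than the two services listed, is worth catching before deployment. The check below is an added example, not part of the PallyCon sample; checkEdgeTrustPolicy is a hypothetical helper and the counter-example policy is constructed.

```javascript
// Added example (not PallyCon code): lint a role's trust policy so that only
// the two services named in this guide can assume the Lambda@Edge role.
const REQUIRED_SERVICES = ['lambda.amazonaws.com', 'edgelambda.amazonaws.com'];
const asList = (v) => (v === undefined ? [] : [].concat(v));

function checkEdgeTrustPolicy(policy) {
  const trusted = new Set();
  const unexpected = [];
  for (const st of asList(policy.Statement)) {
    if (st.Effect !== 'Allow') continue;
    // Only exact sts:AssumeRole statements are inspected (no wildcard actions).
    if (!asList(st.Action).includes('sts:AssumeRole')) continue;
    if (typeof st.Principal === 'string') { // e.g. "Principal": "*"
      unexpected.push(st.Principal);
      continue;
    }
    for (const [kind, value] of Object.entries(st.Principal || {})) {
      for (const p of asList(value)) {
        if (kind === 'Service' && REQUIRED_SERVICES.includes(p)) trusted.add(p);
        else unexpected.push(`${kind}:${p}`);
      }
    }
  }
  const missing = REQUIRED_SERVICES.filter((s) => !trusted.has(s));
  return { ok: missing.length === 0 && unexpected.length === 0, missing, unexpected };
}

// Trust policy exactly as given in this guide.
const guidePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Service: ['lambda.amazonaws.com', 'edgelambda.amazonaws.com'] },
    Action: 'sts:AssumeRole',
  }],
};
// Constructed counter-example: edge principal missing, any AWS account trusted.
const badPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Service: 'lambda.amazonaws.com', AWS: '*' },
    Action: 'sts:AssumeRole',
  }],
};
console.log(checkEdgeTrustPolicy(guidePolicy));
console.log(checkEdgeTrustPolicy(badPolicy));
```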
Create Lambda@Edge function
- Go to the Lambda service in the AWS console and click the Create function button.
- Select US East (N. Virginia) as the AWS Region in the upper right corner of the console. (Lambda@Edge must be created in the Virginia Region to use it.)
1. Function name and Runtime settings
- Function Name: Enter any name to identify the function. (e.g. fwm-cf-embedder)
- Runtime: Select Node.js 12.x or later. (12.x, 14.x, 16.x, etc.) The default at the time of this writing is Node.js 16.x.
- Architecture: use the default x86_64.
2. Set the execution role
- Click Change default execution role, select Use existing role, and select the IAM role created in the previous step.
- Click the Create function button at the bottom of the screen to create a Lambda@Edge function.
3. Upload and edit sample code
- Click the Upload from > .zip file button on the Code source screen to upload the CloudFront Embedder zip file downloaded from the Sample Download Page.
- Check the uploaded sample code and modify the following items.
  Please be aware that if you modify a source other than those listed below, an error may occur.
  - In the config.json source, set the values of the corresponding variables as below.
Name | Required | Description |
---|---|---|
aesKey | True | Enter the site key value provided by the PallyCon console site. |
type | True | Enter unlabeled_a_variant if the preprocessed A/B version segments are stored together in one folder, and enter directory_prefix if they are packaged in separate 0 and 1 folders. If you use the latest version of the FWM CLI packager or if you are a new customer of the PallyCon SaaS packaging service, content is packaged in the Unlabeled A Variant form by default. (default: unlabeled_a_variant) |
availableInterval | True | The URL requested for watermarking contains a timestamp value. This item is the value used to check the validity of that timestamp. If set to 0, the timestamp validity period is not checked. (Unit: minutes) |
prefixFolder | False | Set the name of the parent folder where the A/B version contents are stored. For contents packaged with the old version of the packaging service: dldzkdpsxmdnjrtm. For contents packaged with the new T&P service: wm-contents. The default value is ["dldzkdpsxmdnjrtm", "wm-contents"], which supports both cases. |
wmPublicKey | False | Set when using the wmt token type. Use the Akamai public key issued from the PallyCon site. It can be requested from the helpdesk. |
wmPassword | False | Set when using the wmt token type. Use the Akamai password issued from the PallyCon site. It can be requested from the helpdesk. |
- After saving, click Publish new version under the Action button to create a version.
- Copy the ARN containing the generated version. It is displayed in the upper right corner.
  - e.g. arn:aws:lambda:us-east-1:{account no.}:function:{lambda name}:{version}
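The config.json rules in the table and the versioned ARN format above can be checked before the function is associated with CloudFront. This lint is an added example, not part of the CloudFront Embedder package; lintConfig and isVersionedEdgeArn are hypothetical helpers, and the sample values are constructed. It assumes a string key, a numeric interval in minutes, and that the two wmt settings are configured as a pair.

```javascript
// Added example (not PallyCon code): pre-deployment lint for config.json and
// the published function ARN. Rules follow the table in this guide.
const VALID_TYPES = ['unlabeled_a_variant', 'directory_prefix'];

function lintConfig(cfg) {
  const errors = [];
  const warnings = [];
  if (typeof cfg.aesKey !== 'string' || cfg.aesKey.trim() === '') {
    errors.push('aesKey is required (site key from the PallyCon console)');
  }
  if (!VALID_TYPES.includes(cfg.type)) {
    errors.push(`type must be one of: ${VALID_TYPES.join(', ')}`);
  }
  const iv = cfg.availableInterval; // assumed to be a number of minutes
  if (typeof iv !== 'number' || !Number.isFinite(iv) || iv < 0) {
    errors.push('availableInterval must be a non-negative number of minutes');
  } else if (iv === 0) {
    warnings.push('availableInterval is 0: timestamp validity is not checked');
  }
  const pf = cfg.prefixFolder; // optional; the embedder has its own default
  if (pf !== undefined && !(Array.isArray(pf) && pf.length > 0 &&
      pf.every((p) => typeof p === 'string' && p !== ''))) {
    errors.push('prefixFolder must be a non-empty array of folder names');
  }
  // Assumption: the two wmt token settings are only meaningful together.
  if (Boolean(cfg.wmPublicKey) !== Boolean(cfg.wmPassword)) {
    errors.push('wmPublicKey and wmPassword must be set together');
  }
  return { errors, warnings };
}

// CloudFront associations need a numbered version in us-east-1, so an
// unversioned ARN, $LATEST or another region is rejected.
function isVersionedEdgeArn(arn) {
  return /^arn:aws:lambda:us-east-1:\d{12}:function:[A-Za-z0-9_-]+:\d+$/.test(arn);
}

// Constructed sample values, not a real key or account number.
const sampleConfig = {
  aesKey: 'EXAMPLE_SITE_KEY',
  type: 'unlabeled_a_variant',
  availableInterval: 0,
  prefixFolder: ['dldzkdpsxmdnjrtm', 'wm-contents'],
};
const sampleArn = 'arn:aws:lambda:us-east-1:123456789012:function:fwm-cf-embedder:3';
console.log(lintConfig(sampleConfig), isVersionedEdgeArn(sampleArn));
```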
Configure CloudFront
This guide assumes that you have already created your CloudFront distribution.
Apply Lambda@Edge
Connect to the AWS console, select the CloudFront menu, and select the CloudFront distribution to which Lambda@Edge will be applied.
1. Set Behaviors
- Select the Behaviors tab, check the check box displayed and click the Edit button.
- Configure the Lambda Function Associations items.
  - EventType : select Viewer Request
  - Lambda Function ARN : input the ARN copied during the Lambda@Edge creation process.
- Click the Yes, Edit button.
2. Finish configuration
The status of CloudFront changes to InProgress, and when Lambda@Edge is applied, the status changes to Deployed and all settings are complete.
For more information about Lambda@Edge, please refer to CloudFront guide from AWS.