CloudFront CDN Watermark Embedder Guide

Overview

This document describes how to apply PallyCon watermark embedder with Lambda@Edge for service sites using the Amazon CloudFront CDN.

sequenceDiagram
    participant A as End user
    participant C as CDN
    A ->> C: Start playback of Session URL (request segments)
    Note right of C: Watermark embedder module
    C -->> C: Segments mixing by Session URL
    C ->> A: Send mixed segments
    Note right of A: Playback of mixed content

The source files needed for setting up Lambda@Edge can be downloaded from the Sample download page.

Create Lambda@Edge

  • Connect to the AWS console, select the lambda menu, and click the create function button.
  • Select region to N. Virginia. (Lambda@Edge must be created in the Virginia Region.)

1. Select runtime

  • Choose a Node.JS runtime later than v10. (10.x, 12.x, or 14.x)

2. Set roles

  • Select Create a custom role.

  • Create a Role by adding the permissions lambda:GetFunction, lambda:EnableReplication*, iam:CreateServiceLinkedRole, cloudfront:UpdateDistribution, and cloudfront:CreateDistribution as explained in CloudFront Guide.

  • Add logs related permission to collect Lambda access log into cloudwatch logs.

    {
    "Effect": "Allow",
    "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
    ],
    "Resource": "arn:aws:logs:*:*:*"
}

  • Add the following roles to the Trust Relationship tab of the created Role.

    { 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { 
                "Service": [
                    "lambda.amazonaws.com", 
                    "edgelambda.amazonaws.com" 
                ] 
            }, 
            "Action": "sts:AssumeRole"
        } 
    ] 
}

  • Apply the generated role to the lambda role.

3. Upload function

  • Click Create Function button to create lambda.

  • Select Upload a .ZIP file of Function Code - Code entry Type and add the lambda source downloaded from Console site.

  • Click the Save button to upload the source and modify the uploaded source via Cloud9.

4. Modify function source

Please be aware that if you modify a source other than those listed below, an error may occur.

  • Set the value of the corresponding variable in the table below.

    Source Line
    Name
    Required
    		 Description
    3 AVAILABLE_INTERVAL True The URL requested for watermarking contains a timestamp value. This item is the value for checking the validity of the timestamp.
    If set to 0, the timestamp validity period is not checked.
    Unit: (minutes)
    4 AES_KEY True Enter the site key value provided by the PallyCon console site.

  • After saving, click Publish new version of Action button to create version.

  • Copy the ARN containing the generated version. It is displayed in the upper right corner.

    • e.g. arn:aws:lambda:us-east-1:{account no.}:function:{lambda name}:{version}

Configure CloudFront

This guide assumes that you already created your CloudFront.

Apply Lambda@Edge

Connect to the AWS console, select the CloudFront menu and select CloudFront to apply Lambda@Edge.

1. Set Behaviors

  • Select the Behaviors tab, check the check box displayed and click the Edit button.

  • Configure Lambda Function Associations items.

    • EventType : select Viewer Request
    • Lambda Function ARN : input the ARN copied during Lambda@Edge creation process.

  • Click the Yes, Edit button.

2. Finish configuration

The status of CloudFront is changed to InProgress, and when Lambda@Edge is applied, status is changed to Deployed and all settings are completed.

For more information about Lambda@Edge, please refer to CloudFront guide from AWS.

Previous

Last updated on Feb 25, 2021