Wowza Support for S3 Pre-Signed URLs (sigv4)

Does Wowza support retrieving VOD content from S3 using pre-signed URLs (sigv4, the latest version)? I haven’t been able to find mention of using pre-signed URLs in the docs.

Here’s an example of a time-limited URL that grants access to the underlying S3 resource:

https://s3-us-west-2.amazonaws.com/MYBUCKET/MYKEY?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=60&X-Amz-SignedHeaders=host&X-Amz-Credential=XXXXXXXXXXXXXXXXX%2F20160524%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20160524T171359Z&X-Amz-Signature=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The bucket in which the videos are stored contains lots of other non-video (and sensitive) resources that the wowza ec2 instance shouldn’t be able to access, so I’d like to be able to have browers make a request to wowza with a presigned URL like above somehow encoded in the request, with wowza using that exact URL to retrieve the content from S3 and having no other permissions or special configuration for access to the S3 bucket.

Is this possible?

Hello,

Sorry for any delay in response, since the community has not stepped in, I will give you the assistance that I can.

Yours is the first mention I can find of the use of pre-signed urls, and since that is unique to Amazon S3, and your use of your S3 bucket with content you want to protect from the Wowza service is a unique workflow.

First I woudl recommend putting any content you want protected from Wowza in a directory above the one you are using for Wowza Streaming Engine content, so if your content for playback on Wowza Streaming Engine in is /content/MyWowzaContent/, I would suggest putting the other content you want to restrict in it’s own directory at the same level as your /content directory and setting the proper permissions.

If you need a timed authentication method I would suggest using Secure Token as documented here:

https://www.wowza.com/docs/how-to-protect-streaming-using-securetoken-in-wowza-streaming-engine

Regards,

Jason Hatchett