# CDN authorization in AWS Elemental MediaPackage
<a name="cdn-auth"></a>

*Content Delivery Network (CDN) authorization* helps you to protect your content from unauthorized use. When you configure CDN authorization, MediaPackage only fulfills playback requests that are authorized between MediaPackage and your CDN. This prevents users from bypassing the CDN in order to directly access your content on the origin.

## How it works
<a name="working-with-cdn-auth"></a>

You configure your CDN, such as Amazon CloudFront, to include a *custom HTTP header* in content requests to MediaPackage.

Custom HTTP header and example value.

```
X-MediaPackage-CDNIdentifier: 9ceebbe7-9607-4552-8764-876e47032660
```

You store the header value as a *secret* in AWS Secrets Manager. When your CDN sends a playback request, MediaPackage verifies that the secret's value matches the custom HTTP header value. MediaPackage is given permission to read the secret with an AWS Identity and Access Management permissions policy and role.

Secret key and example value.

```
{“MediaPackageCDNIdentifier”: "9ceebbe7-9607-4552-8764-876e47032660"}
```

If the values match, MediaPackage serves the content along with an HTTP `200 OK` status code. If it's not a match, or if the authorization request fails, then MediaPackage doesn't serve the content, and sends an HTTP `403 Unauthorized` status code.

The following image shows successful CDN authorization using Amazon CloudFront.

![\[The image shows a successful CDN authentication flow. The bottom left shows a playback device requesting content from Amazon CloudFront indicated by an arrow. CloudFront includes the custom HTTP header and value in it's request to MediaPackage, indicated by an arrow. MediaPackage requests the secret info from AWS Secrets Manager, indicated by an arrow, which is dependent on permission from IAM. AWS Secrets Manager responds with the secret value to MediaPackage. MediaPackage verifies that the secret matches the header value, which is indicated by a green checkbox. MediaPackage sends an HTTP 200 OK status code along with video content to CloudFront. CloudFront serves the video content to the playback device.\]](http://docs.aws.amazon.com/mediapackage/latest/ug/images/cdn_auth.png)


For step-by-step instructions on how to set up CDN authorization, see [Setting up CDN authorization](cdn-auth-setup.md).

# Setting up CDN authorization
<a name="cdn-auth-setup"></a>

Complete the following steps to set up CDN authorization.

**Topics**
+ [Step 1: Configure a CDN custom origin HTTP header](#cdn-aut-setup-cdn)
+ [Step 2: Store the value as a secret in AWS Secrets Manager](#cdn-aut-setup-secret)
+ [Step 3: Create an IAM policy and role for MediaPackage access to Secrets Manager](#cdn-aut-setup-iam)
+ [Step 4: Enable CDN authorization in MediaPackage](#cdn-aut-setup-endpoint)

## Step 1: Configure a CDN custom origin HTTP header
<a name="cdn-aut-setup-cdn"></a>

In your CDN, configure a custom origin HTTP header that contains the header **X-MediaPackage-CDNIdentifier** and a value. For the value, we recommend that you use the [UUID version 4](https://www.ietf.org/rfc/rfc4122.txt) format, which produces a 36-character string. If you aren't using the UUID version 4 format, the value must be 8-128 characters long.

If your CDN has authorization headers configured, MediaPackage returns an error 404 until CDN authorization is enabled on the endpoint.

**Important**  
The value you choose should be a static value. There isn't native integration between your CDN and AWS Secrets Manager, so the value should be static both in your CDN and in AWS Secrets Manager. If you change this value after you configure your CDN and your secret, you have to manually rotate the value. For more information, see [Rotating the CDN header value](cdn-auth-rotate.md).

**Example header and value**

```
X-MediaPackage-CDNIdentifier: 9ceebbe7-9607-4552-8764-876e47032660
```

**To create a custom header in Amazon CloudFront**

1. Sign in to the AWS Management Console and open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. Create or edit a distribution.

1. In **Origin Settings**, complete the fields. You will use this same value for your secret in Secrets Manager.
   + For **Header Name**, enter **X-MediaPackage-CDNIdentifier**.
   + For **Value**, enter a value. We recommend that you use UUID version 4 format, which produces a 36-character string. If you aren't using the UUID version 4 format, the value must be 8-128 characters long. 

1. Complete the rest of the fields and save the distribution.

For more information about custom headers in CloudFront, see [Forwarding customer headers to your origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html) in the *Amazon CloudFront Developer Guide*.

## Step 2: Store the value as a secret in AWS Secrets Manager
<a name="cdn-aut-setup-secret"></a>

Store the same value that you use in your custom origin HTTP header as a *secret* in AWS Secrets Manager. The secret must use the same AWS account and Region settings as your AWS Elemental MediaPackage resources. MediaPackage doesn't support sharing secrets across accounts or Regions. However, you can use the same secret across multiple endpoints in the same Region and on the same account.

**To store a secret in Secrets Manager**

1. Sign in to the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. Choose **Store a new secret**. For **Secret type**, choose **Other type of secrets**.

1. For **Key/value pairs**, enter the key and value information.
   + In the box on the left, enter **MediaPackageCDNIdentifier**.
   + In the box on the right, enter the value that you configured for your custom origin HTTP header. For example, `9ceebbe7-9607-4552-8764-876e47032660`.

1. For **Encryption key**, you can keep the default value as **DefaultEncryptionKey**.

1. Choose **Next**.

1. For **Secret name**, we recommend that you prefix it with **MediaPackage/** so that you know it's a secret used for MediaPackage. For example, **MediaPackage/cdn\$1auth\$1us-west-2**.

1. Choose **Next**.

1. For **Configure automatic rotation**, keep the default **Disable automatic rotation** setting.

   If you need to rotate the authorization code later, see [Rotating the CDN header value](cdn-auth-rotate.md).

1. Choose **Next**, and then choose **Store**.

   This takes you to the list of your secrets.

1. Select your secret name to view the **Secret ARN**. The ARN has a value similar to `arn:aws:secretsmanager:us-west-2:123456789012:secret:MediaPackage/cdn_auth_test-xxxxxx`. You use the Secret ARN when you configure CDN authorization for MediaPackage in Step 4: Enable CDN Authorization in MediaPackage. 

## Step 3: Create an IAM policy and role for MediaPackage access to Secrets Manager
<a name="cdn-aut-setup-iam"></a>

Create an IAM policy and role to give MediaPackage read access to Secrets Manager. When MediaPackage receives a playback request from the CDN, it verifies that the stored secret value matches the value in the custom HTTP header. Follow the steps in [Allowing AWS Elemental MediaPackage to access other AWS services](setting-up-create-trust-rel.md) to set up the policy and role.

## Step 4: Enable CDN authorization in MediaPackage
<a name="cdn-aut-setup-endpoint"></a>

You can enable CDN authorization for your endpoints or video on demand (VOD) packaging groups with the MediaPackage console, AWS CLI, or MediaPackage API. You use the ARN for the IAM policy and role that you created in Step 3: Create an IAM policy and role for MediaPackage access to Secrets Manager.

**Tip**  
Use the same secret across multiple endpoints in the same Region and on the same account. Reduce costs by creating a new secret only when necessary for your workflow.

If your CDN has authorization headers configured, MediaPackage returns an error 404 until CDN authorization is enabled on the endpoint.

**To enable CDN authorization for live content with the console**

1. Open the MediaPackage console at [https://console.aws.amazon.com/mediapackage/](https://console.aws.amazon.com/mediapackage/).

1. If you don't already have a channel, create one. For help, see [Creating a channel](channels-create.md).

1. Create or edit an endpoint.

1. In **Access control settings**, select **Use CDN authorization**. Complete the fields:
   + In **Secrets role ARN**, enter the ARN for the IAM role that you created in [Step 3: Create an IAM policy and role for MediaPackage access to Secrets Manager](#cdn-aut-setup-iam).
   + In **CDN identifier secret ARN**, enter the ARN for the secret in Secrets Manager that your CDN uses for authorization to access your endpoint.

1. Complete the remaining fields as needed and save the endpoint.

**To enable CDN authorization for VOD content with the console**

1. Open the MediaPackage console at [https://console.aws.amazon.com/mediapackage/](https://console.aws.amazon.com/mediapackage/).

1. If you don't already have a VOD packaging group, create one. For help, see [Creating a packaging group](pkg-group-create.md).

1. Create or edit a packaging group.

1. In **Configure access control**, select **Enable authorization**. Complete the fields:
   + In **Secrets role ARN**, enter the ARN for the IAM role that you created in [Step 3: Create an IAM policy and role for MediaPackage access to Secrets Manager](#cdn-aut-setup-iam).
   + In **CDN identifier secret ARN**, enter the ARN for the secret in Secrets Manager that your CDN uses for authorization to access your endpoint.

1. Complete the remaining fields as needed and save the packaging group.

You have now completed the setup for CDN authorization. Requests to this endpoint must contain the same authorization code that you saved in Secrets Manager.

**To enable CDN authorization with the MediaPackage API**  
For information about enabling CDN authorization with the MediaPackage API, see the following API references:
+ [MediaPackage live API reference](https://docs.aws.amazon.com/mediapackage/latest/apireference/resources.html)
+ [MediaPackage VOD API reference](https://docs.aws.amazon.com/mediapackage-vod/latest/apireference/)

# Rotating the CDN header value
<a name="cdn-auth-rotate"></a>

If you change the CDN custom origin HTTP header value, you need to rotate the stored secret value in Secrets Manager. The following procedure describes how to rotate your value in Secrets Manager to make sure that your CDN's HTTP header value and the Secrets Manager stored secret value are in sync.

**To rotate the value**

1. Update the stored secret value in Secrets Manager as described in [Modifying a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html) in the *AWS Secrets Manager User Guide*.

   To ensure continued playback for active streams, MediaPackage authorizes requests that use either the current value in Secrets Manager or one version back.

1. Wait 10 minutes for MediaPackage to recognize that the value has changed in Secrets Manager.

1. In your CDN, update the value in `X-MediaPackage-CDNIdentifier` to the new authorization code.

1. Wait for your CDN to update fully with the new value before you send any requests through it to MediaPackage.

   To disable the previous secret value, save the new secret value two times. This way, both the current and previous secret versions have the same value.