Authorising HLS streaming files from Amazon S3 directory

Problem description

We have a setup that converts raw videos into HLS format (.m3u8 and .ts files) and organises them into a directory inside an S3 bucket. Each directory inside the bucket represents one video. Since S3 doesn't really have the concept of a directory in its implementation, it does not allow us to get a signed URL to read the content of the directory to feed into the video player.

I tried signing the URL for the .m3u8 file alone with getObject, but since it tries to fetch the parts of the video to play, it will be thrown with a 403 by S3. Using CloudFront is not an option for us at this stage.

Is there a better and secure way to handle the streaming from s3 without making the entire bucket public?

Recommended answer

For anybody still looking for a similar solution, you can't get a signed URL for a directory or wildcard using S3 alone. The better way to do it is to have CloudFront in front of S3 and use CloudFront Signed URLs/Cookies with Custom Policies, which allow the use of wildcards when signing.

Example from AWS Docs:

{ 
   "Statement": [
      { 
         "Resource":"http://d111111abcdef8.cloudfront.net/training/*", 
         "Condition":{ 
            "DateLessThan":{"AWS:EpochTime":1357034400}
         }
      }
   ] 
}

More on that is explained here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html

Even though we did not want to use CloudFront initially, we ended up using it since that seemed like the only feasible option at the time and developers from AWS also recommended the same.

If you are okay with building a custom solution, you can build a Lambda that acts like an authorizer and validates the wildcards on top of S3.
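
The custom-authorizer idea from the answer, as an added example that is not code from the original post or from AWS: a backend issues an HMAC-signed token carrying a policy in the same shape as the CloudFront custom policy, and the authorizer checks the requested S3 key against its wildcard and expiry before the object is served. The token format, the function names `issue_token` and `authorize`, the secret and the `videos/42/...` key layout are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, re, time

# Assumption: a shared key held only by the issuing backend and the authorizer.
SECRET = b"constructed-demo-secret"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(resource, expires, secret=SECRET):
    """Backend side: sign a policy shaped like the CloudFront custom policy."""
    policy = {"Statement": [{"Resource": resource,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    body = json.dumps(policy, separators=(",", ":")).encode()
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def authorize(token, key, now=None, secret=SECRET):
    """Authorizer side: True only if the token is authentic, unexpired and covers key."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError:
        return False
    # Verify the MAC in constant time before trusting anything in the policy.
    if not hmac.compare_digest(mac, hmac.new(secret, body, hashlib.sha256).digest()):
        return False
    stmt = json.loads(body)["Statement"][0]
    if now >= stmt["Condition"]["DateLessThan"]["AWS:EpochTime"]:
        return False
    # Reject traversal so "videos/42/../43/x.ts" cannot ride on a "videos/42/*" grant.
    if ".." in key.split("/"):
        return False
    # Translate only * and ? (no character classes) and match the whole key.
    pattern = re.escape(stmt["Resource"]).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, key, re.DOTALL) is not None
```

One token scoped to `videos/42/*` then covers the playlist and every segment of that video, which is the per-directory grant that a single S3 presigned URL cannot express.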
