

# Configuring authentication for your source location
<a name="channel-assembly-source-locations-access-configuration"></a>

Use **access configuration** to configure authentication for your source location. When access configuration is on, MediaTailor only retrieves source manifests from your origin if the request is authorized between MediaTailor and your origin. Access configuration is turned off by default.

MediaTailor supports the following authentication types:
+ SigV4 for Amazon S3 authentication
+ AWS Secrets Manager access token
+ SigV4 for MediaPackage version 2 (v2) authentication

This chapter explains how to use SigV4 for Amazon S3, SigV4 for MediaPackage v2, and AWS Secrets Manager access tokens for source location authentication.

For more information, select the applicable topic.

**Topics**
+ [Authenticating requests to Amazon S3 with SigV4](channel-assembly-access-configuration-sigv4.md)
+ [Working with SigV4 for MediaPackage Version 2](channel-assembly-access-configuration-sigv4-empv2.md)
+ [Working with AWS Secrets Manager access token authentication](channel-assembly-access-configuration-access-token.md)

# Authenticating requests to Amazon S3 with SigV4
<a name="channel-assembly-access-configuration-sigv4"></a>

Signature Version 4 (SigV4) for Amazon S3 is a signing protocol used to authenticate requests to Amazon S3 over HTTPS. When you use SigV4 for Amazon S3, MediaTailor includes a signed authorization header in the HTTPS request to the Amazon S3 bucket used as your origin. If the signed authorization header is valid, your origin fulfills the request. If it isn't valid, the request fails.

For general information about SigV4 for Amazon S3, see the [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) topic in the *Amazon S3 API Reference*.

**Note**  
MediaTailor always signs requests to these origins with SigV4.

## Requirements
<a name="channel-assembly-access-configuration-sigv4-how-to"></a>

If you activate SigV4 for Amazon S3 authentication for your source location, you must meet these requirements:
+ You must allow MediaTailor to access your Amazon S3 bucket by granting the **mediatailor.amazonaws.com** principal access in IAM. For information about configuring access in IAM, see [Access management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *AWS Identity and Access Management User Guide*.
+ The **mediatailor.amazonaws.com** service principal must have permissions to read all multivariant playlists referenced by the VOD source package configurations.
+ The caller of the API must have **s3:GetObject** IAM permissions to read all multivariant playlists referenced by your MediaTailor VOD source package configurations.
+ Your MediaTailor source location base URL must follow the Amazon S3 virtual hosted-style request URL format, for example https://*bucket-name*.s3.*Region*.amazonaws.com/*key-name*. For information about Amazon S3 virtual hosted-style access, see [Virtual Hosted-Style Requests](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html#virtual-hosted-style-access).

# Working with SigV4 for MediaPackage Version 2
<a name="channel-assembly-access-configuration-sigv4-empv2"></a>

Signature Version 4 (SigV4) for MediaPackage v2 is a signing protocol used to authenticate requests to MediaPackage v2 over HTTP. When you use SigV4 for MediaPackage v2, MediaTailor includes a signed authorization header in the HTTP request to the MediaPackage v2 endpoint used as your origin. If the signed authorization header is valid, your origin fulfills the request. If it isn't valid, the request fails.

For general information about SigV4 for MediaPackage v2, see the [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/mediapackage/latest/userguide/sig-v4-authenticating-requests.html) topic in the *MediaPackage v2 API reference*.

## Requirements
<a name="channel-assembly-access-configuration-sigv4-empv2-how-to"></a>

If you activate SigV4 for MediaPackage v2 authentication for your source location, you must meet these requirements:
+ You must allow MediaTailor to access your MediaPackage v2 endpoint by granting the **mediatailor.amazonaws.com** principal access in an Origin Access Policy on the endpoint.
+ Your MediaTailor source location base URL must be a MediaPackage v2 endpoint.
+ The caller of the API must have **mediapackagev2:GetObject** IAM permissions to read all multivariant playlists referenced by the MediaTailor source packaging configurations.

# Working with AWS Secrets Manager access token authentication
<a name="channel-assembly-access-configuration-access-token"></a>

MediaTailor supports *Secrets Manager access token authentication*. With AWS Secrets Manager access token authentication, MediaTailor uses an AWS Key Management Service (AWS KMS) customer managed key and an AWS Secrets Manager secret that you create, own, and manage to authenticate requests to your origin.

In this section, we explain how Secrets Manager access token authentication works, and provide step-by-step information about how to configure Secrets Manager access token authentication. You can work with Secrets Manager access token authentication in the AWS Management Console or programmatically with AWS APIs.

**Topics**
+ [Configuring AWS Secrets Manager access token authentication](channel-assembly-access-configuration-access-configuring.md)
+ [Integrating with MediaPackage endpoints that use CDN authorization](channel-assembly-access-configuration-access-token-integrating-emp-cdn-auth.md)
+ [How MediaTailor Secrets Manager access token authentication works](channel-assembly-access-configuration-overview.md)

# Configuring AWS Secrets Manager access token authentication
<a name="channel-assembly-access-configuration-access-configuring"></a>

When you want to use AWS Secrets Manager access token authentication, you perform the following steps:

1. You [create an AWS Key Management Service customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html). 

1. You [create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets.html). The secret contains your access token, which is stored in Secrets Manager as an encrypted secret value. MediaTailor uses the AWS KMS customer managed key to decrypt the secret value.

1. You configure an AWS Elemental MediaTailor source location to use Secrets Manager access token authentication.

The following section provides step-by-step guidance on how to configure AWS Secrets Manager access token authentication.

**Topics**
+ [Step 1: Create an AWS KMS symmetric customer managed key](#channel-assembly-access-configuration-access-token-how-to-create-kms)
+ [Step 2: Create an AWS Secrets Manager secret](#channel-assembly-access-configuration-access-token-how-to-create-secret)
+ [Step 3: Configure a MediaTailor source location with access token authentication](#channel-assembly-access-configuration-access-token-how-to-enable-access-token-auth)

## Step 1: Create an AWS KMS symmetric customer managed key
<a name="channel-assembly-access-configuration-access-token-how-to-create-kms"></a>

You use AWS Secrets Manager to store your access token in the form of a `SecretString` stored in a secret. The `SecretString` is encrypted through the use of an *AWS KMS symmetric customer managed key* that you create, own, and manage. MediaTailor uses the symmetric customer managed key to facilitate access to the secret with a grant, and to encrypt and decrypt the secret value.

Customer managed keys let you perform tasks such as the following:
+ Establishing and maintaining key policies
+ Establishing and maintaining IAM policies and grants
+ Enabling and disabling key policies
+ Rotating cryptographic key material
+ Adding tags

For information about how Secrets Manager uses AWS KMS to protect secrets, see the topic [How AWS Secrets Manager uses AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html) in the *AWS Key Management Service Developer Guide*.

For more information about customer managed keys, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.

**Note**  
AWS KMS charges apply for using a customer managed key. For more information about pricing, see the [AWS Key Management Service Pricing](https://aws.amazon.com/kms/pricing/) page.

You can create an AWS KMS symmetric customer managed key using the AWS Management Console or programmatically with the AWS KMS APIs.

### To create a symmetric customer managed key
<a name="channel-assembly-access-configuration-access-token-create-symmetric-key"></a>

Follow the steps for [Creating a symmetric customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide.*

Make a note of the key Amazon Resource Name (ARN); you'll need it in [Step 2: Create an AWS Secrets Manager secret](#channel-assembly-access-configuration-access-token-how-to-create-secret).

### Encryption context
<a name="channel-assembly-access-configuration-access-token-encryption-context"></a>

An *encryption context* is an optional set of key-value pairs that contain additional contextual information about the data.

Secrets Manager includes an [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html#asm-encryption-context) when encrypting and decrypting the `SecretString`. The encryption context includes the secret ARN, which limits the encryption to that specific secret. As an added measure of security, MediaTailor creates an AWS KMS grant on your behalf. MediaTailor applies a [GrantConstraints](https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html) operation that only allows us to *decrypt* the `SecretString` associated with the secret ARN contained in the Secrets Manager encryption context.

For information about how Secrets Manager uses encryption context, see the [Encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) topic in the *AWS Key Management Service Developer Guide*.

### Setting the key policy
<a name="channel-assembly-access-configuration-access-token-key-policy"></a>

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key you can use the default key policy. For more information, see [Authentication and access control for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html) in the *AWS Key Management Service Developer Guide*.

To use your customer managed key with your MediaTailor source location resources, you must give permission to the IAM principal that calls [CreateSourceLocation](https://docs.aws.amazon.com/mediatailor/latest/apireference/API_CreateSourceLocation.html) or [UpdateSourceLocation](https://docs.aws.amazon.com/mediatailor/latest/apireference/API_UpdateSourceLocation.html) to use the following API operations:
+ `kms:CreateGrant` – Adds a grant to a customer managed key. MediaTailor creates a grant on your customer managed key that lets it use the key to create or update a source location configured with access token authentication. For more information, see [Grants in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

  This allows MediaTailor to do the following:
  + Call `Decrypt` so that it can successfully retrieve your Secrets Manager secret when calling [GetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html).
  + Call `RetireGrant` to retire the grant when the source location is deleted, or when access to the secret has been revoked.

The following is an example policy statement that you can add for MediaTailor:

```
{
    "Sid": "Enable MediaTailor Channel Assembly access token usage for the MediaTailorManagement IAM role",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::account number:role/MediaTailorManagement"
    },
    "Action": "kms:CreateGrant",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:ViaService": "mediatailor.region.amazonaws.com"
        }
    }
}
```

For more information about specifying permissions in a policy and troubleshooting key access, see [Grants in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

## Step 2: Create an AWS Secrets Manager secret
<a name="channel-assembly-access-configuration-access-token-how-to-create-secret"></a>

Use Secrets Manager to store your access token in the form of a `SecretString` that's encrypted by an AWS KMS customer managed key. MediaTailor uses the key to decrypt the `SecretString`. For information about how Secrets Manager uses AWS KMS to protect secrets, see the topic [How AWS Secrets Manager uses AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html) in the *AWS Key Management Service Developer Guide*.

If you use AWS Elemental MediaPackage as your source location origin and would like to use MediaTailor Secrets Manager access token authentication, follow the procedure [Integrating with MediaPackage endpoints that use CDN authorization](channel-assembly-access-configuration-access-token-integrating-emp-cdn-auth.md).

You can create a Secrets Manager secret using the AWS Management Console or programmatically with the Secrets Manager APIs.

### To create a secret
<a name="channel-assembly-access-configuration-access-token-create-secret"></a>

Follow the steps for [Create and manage secrets with AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets.html) in the *AWS Secrets Manager User Guide*.

Keep in mind the following considerations when creating your secret:
+ The [KmsKeyId](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ReplicaRegionType.html#SecretsManager-Type-ReplicaRegionType-KmsKeyId) must be the [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html) of the customer managed key you created in Step 1.
+ You must supply a [SecretString](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html#SecretsManager-CreateSecret-request-SecretString). The `SecretString` should be a valid JSON object that includes a key and value containing the access token. For example, `{"MyAccessTokenIdentifier":"112233445566"}`. The value must be between 8 and 128 characters long.

  When you configure your source location with access token authentication, you specify the `SecretString` key. MediaTailor uses the key to look up and retrieve the access token stored in the `SecretString`.

  Make a note of the secret ARN and the `SecretString` key. You'll use them when you configure your source location to use access token authentication.

### Attaching a resource-based secret policy
<a name="channel-assembly-access-configuration-access-token-secret-policy"></a>

To let MediaTailor access the secret value, you must attach a resource-based policy to the secret. For more information, see [Attach a permissions policy to a Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html) in the *AWS Secrets Manager User Guide*.

The following is a policy statement example that you can add for MediaTailor:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "mediatailor.amazonaws.com"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name"
        }
    ]
}
```
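The secret and its resource policy are the two artifacts from Step 2 that most often go wrong in practice (a bare token instead of a JSON object, a token outside the length limit, a key ID or alias instead of the key ARN, or a policy opened to every principal). The following added example, which is not MediaTailor or AWS code, turns the rules stated above into offline pre-flight checks you can run on the values you are about to store. The ARNs are constructed sample values, the key ARN regex is an assumption based on the general KMS ARN format, and `BAD_POLICY` is a deliberately over-broad variant written for contrast with the page's own policy.

```python
"""Offline pre-flight checks for the secret described in Step 2.

Added example, not MediaTailor or AWS code. It encodes the rules stated above
(SecretString is a JSON object, the token under the configured key is 8 to 128
characters, KmsKeyId is the customer managed key ARN, and the secret's
resource policy lets mediatailor.amazonaws.com call GetSecretValue).
"""
import json
import re

# Constructed sample values; the secret ARN matches the policy example above.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
MEDIATAILOR_PRINCIPAL = "mediatailor.amazonaws.com"

# General KMS key ARN shape (assumed from the KMS ARN format, not stated on the page).
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# The resource policy from the page, and a deliberately over-broad variant.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": MEDIATAILOR_PRINCIPAL},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": SECRET_ARN,
    }],
}
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Principal": "*",                 # anyone, with no condition
        "Action": "secretsmanager:*",     # every Secrets Manager action
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows Action, Resource and Principal.Service to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_secret_string(secret_string, secret_string_key):
    """Return problems with a SecretString; an empty list means MediaTailor can use it."""
    try:
        obj = json.loads(secret_string)
    except json.JSONDecodeError as err:
        return [f"SecretString is not valid JSON: {err.msg}"]
    if not isinstance(obj, dict):
        return ["SecretString must be a JSON object, not a bare value"]
    if secret_string_key not in obj:
        return [f"SecretString has no key {secret_string_key!r}"]
    token = obj[secret_string_key]
    if not isinstance(token, str):
        return [f"value under {secret_string_key!r} must be a JSON string"]
    if not 8 <= len(token) <= 128:
        return [f"access token must be 8-128 characters long, got {len(token)}"]
    return []


def check_kms_key_id(kms_key_id):
    """KmsKeyId must be the full key ARN from Step 1, not a key ID or alias."""
    return [] if KEY_ARN_RE.match(kms_key_id) else ["KmsKeyId is not a KMS key ARN"]


def check_secret_policy(policy, secret_arn):
    """Check the secret's resource-based policy: MediaTailor needs exactly
    secretsmanager:GetSecretValue on this secret, and no statement should open
    the secret to any principal."""
    problems = []
    mediatailor_allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if anonymous and "Condition" not in stmt:
            problems.append(f"statement {stmt.get('Sid', '<no Sid>')!r} allows any principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if MEDIATAILOR_PRINCIPAL not in services:
            continue
        if any(a in ("*", "secretsmanager:*") for a in actions):
            problems.append("MediaTailor statement grants a wildcard action; only GetSecretValue is needed")
        if "secretsmanager:GetSecretValue" in actions and any(r in ("*", secret_arn) for r in resources):
            mediatailor_allowed = True
    if not mediatailor_allowed:
        problems.append(f"no Allow of secretsmanager:GetSecretValue for {MEDIATAILOR_PRINCIPAL} on {secret_arn}")
    return problems


if __name__ == "__main__":
    print(check_secret_string('{"MyAccessTokenIdentifier":"112233445566"}', "MyAccessTokenIdentifier"))
    print(check_secret_string('{"MyAccessTokenIdentifier":"short"}', "MyAccessTokenIdentifier"))
    print(check_kms_key_id("alias/my-key"))
    print(check_secret_policy(GOOD_POLICY, SECRET_ARN))
    print(check_secret_policy(BAD_POLICY, SECRET_ARN))
```

Run the policy check against the output of `aws secretsmanager get-resource-policy` (the `ResourcePolicy` field is a JSON string, so parse it first) and the `SecretString` check against the value you intend to store, before calling `CreateSecret` or `PutResourcePolicy`; the function names and checks are this example's own, not part of any AWS SDK.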

## Step 3: Configure a MediaTailor source location with access token authentication
<a name="channel-assembly-access-configuration-access-token-how-to-enable-access-token-auth"></a>

You can configure Secrets Manager access token authentication using the AWS Management Console or programmatically with the MediaTailor APIs.

**To configure a source location with Secrets Manager access token authentication**

Follow the steps for [Access configuration](channel-assembly-creating-source-locations.md#access-configuration-console) in the *AWS Elemental MediaTailor User Guide*.

# Integrating with MediaPackage endpoints that use CDN authorization
<a name="channel-assembly-access-configuration-access-token-integrating-emp-cdn-auth"></a>

If you use AWS Elemental MediaPackage as your source location origin, MediaTailor can integrate with MediaPackage endpoints that use CDN authorization.

To integrate with a MediaPackage endpoint that uses CDN authorization, use the following procedure.<a name="channel-assembly-access-configuration-access-token-integrating-emp-cdn-auth-procedure"></a>

**To integrate with MediaPackage**

1. Complete the steps in [Setting up CDN authorization](https://docs.aws.amazon.com/mediapackage/latest/ug/cdn-auth-setup.html) in the *AWS Elemental MediaPackage User Guide*, if you haven't already.

1. Complete the procedure in [Step 1: Create an AWS KMS symmetric customer managed key](channel-assembly-access-configuration-access-configuring.md#channel-assembly-access-configuration-access-token-how-to-create-kms).

1. Modify the secret that you created when you set up MediaPackage CDN authorization. Modify the secret with the following values:
   + Update the `KmsKeyId` with the customer managed key ARN that you created in [Step 1: Create an AWS KMS symmetric customer managed key](channel-assembly-access-configuration-access-configuring.md#channel-assembly-access-configuration-access-token-how-to-create-kms). 
   + (Optional) For the `SecretString`, you can either rotate the UUID to a new value, or you can use the existing encrypted secret as long as it's a key and value pair in a standard JSON format, such as `{"MediaPackageCDNIdentifier": "112233445566778899"}`.

1. Complete the steps in [Attaching a resource-based secret policy](channel-assembly-access-configuration-access-configuring.md#channel-assembly-access-configuration-access-token-secret-policy).

1. Complete the steps in [Step 3: Configure a MediaTailor source location with access token authentication](channel-assembly-access-configuration-access-configuring.md#channel-assembly-access-configuration-access-token-how-to-enable-access-token-auth).

# How MediaTailor Secrets Manager access token authentication works
<a name="channel-assembly-access-configuration-overview"></a>

After you create or update a source location to use access token authentication, MediaTailor includes the access token in an HTTP header when requesting source content manifests from your origin.

Here's an overview of how MediaTailor uses Secrets Manager access token authentication for source location origin authentication:

1. When you create or update a MediaTailor source location that uses access token authentication, MediaTailor sends a [DescribeSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html#SecretsManager-DescribeSecret-request-SecretId) request to Secrets Manager to determine the AWS KMS key associated with the secret. You include the secret ARN in your source location access configuration.

1. MediaTailor creates a [grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) for the customer managed key, so that MediaTailor can use the key to access and decrypt the access token stored in the `SecretString`. The grant name will be `MediaTailor-SourceLocation-your AWS account ID-source location name`.

   You can revoke access to the grant, or remove MediaTailor's access to the customer managed key at any time. For more information, see [RevokeGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html) in the *AWS Key Management Service API Reference*.

1. When a VOD source is created or updated, or used in a program, MediaTailor makes HTTP requests to the source locations to retrieve the source content manifests associated with the VOD sources in the source location. If the VOD source is associated with a source location that has an access token configured, the requests include the access token as an HTTP header value.
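The three steps above, together with the grant constraint described under "Encryption context" (decrypt is allowed only for the secret ARN carried in the Secrets Manager encryption context), are easiest to reason about with a small model. The following added example is not MediaTailor or AWS code: it simulates one customer managed key with grants, a Secrets Manager that attaches the secret ARN as encryption context, and the MediaTailor side of DescribeSecret, CreateGrant and the manifest request header, then shows that the grant scoped to one source location's secret cannot read a second secret protected by the same key, and that revoking the grant cuts off the token. Assumptions: the encryption context key `SecretARN`, an `EncryptionContextSubset`-style constraint, the configuration field names and the header name `X-Origin-Access-Token`, and all ARNs and account IDs, are illustrative and not taken from the page.

```python
"""Toy model of the Secrets Manager access token flow described above.
Added example, not MediaTailor or AWS code. Assumes a "SecretARN" encryption
context key and an EncryptionContextSubset-style grant constraint; field and
header names are illustrative."""
import json
from dataclasses import dataclass

MEDIATAILOR = "mediatailor.amazonaws.com"

# Constructed sample values, not from the page.
ACCOUNT_ID = "111122223333"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SOURCE_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:origin-token"
OTHER_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:unrelated"


@dataclass
class Grant:
    grantee: str
    operations: frozenset
    encryption_context_subset: dict  # the GrantConstraints applied at CreateGrant


class ToyKms:
    """One customer managed key and the grants attached to it."""
    def __init__(self):
        self.grants = {}

    def create_grant(self, name, grantee, operations, encryption_context_subset):
        self.grants[name] = Grant(grantee, frozenset(operations), dict(encryption_context_subset))

    def revoke_grant(self, name):
        """Your RevokeGrant; MediaTailor's own RetireGrant has the same effect here."""
        self.grants.pop(name, None)

    def decrypt(self, grantee, encryption_context):
        """Permitted only by a grant for this grantee that includes Decrypt and whose
        EncryptionContextSubset is fully contained in the request's context."""
        for grant in self.grants.values():
            if grant.grantee == grantee and "Decrypt" in grant.operations and all(
                encryption_context.get(k) == v for k, v in grant.encryption_context_subset.items()
            ):
                return True
        raise PermissionError(f"no grant lets {grantee} decrypt with context {encryption_context}")


class ToySecretsManager:
    """Secrets keyed by ARN; every decrypt carries {"SecretARN": arn} as context."""
    def __init__(self, keys):
        self.keys = keys      # key ARN -> ToyKms
        self.secrets = {}     # secret ARN -> (KmsKeyId, SecretString)

    def create_secret(self, arn, kms_key_id, secret_string):
        self.secrets[arn] = (kms_key_id, secret_string)

    def describe_secret(self, arn):
        return {"ARN": arn, "KmsKeyId": self.secrets[arn][0]}

    def get_secret_value(self, caller, arn):
        kms_key_id, secret_string = self.secrets[arn]
        self.keys[kms_key_id].decrypt(caller, {"SecretARN": arn})
        return secret_string


def grant_name(account_id, source_location_name):
    """Grant name format stated on the page."""
    return f"MediaTailor-SourceLocation-{account_id}-{source_location_name}"


def configure_source_location(sm, account_id, name, secret_arn, secret_string_key, header_name):
    """Steps 1 and 2 of the overview: DescribeSecret to find the key, then a grant
    scoped to this secret's ARN. Returned field names are illustrative."""
    key_arn = sm.describe_secret(secret_arn)["KmsKeyId"]
    sm.keys[key_arn].create_grant(grant_name(account_id, name), MEDIATAILOR,
                                  ["Decrypt", "RetireGrant"], {"SecretARN": secret_arn})
    return {"SecretArn": secret_arn, "SecretStringKey": secret_string_key, "HeaderName": header_name}


def manifest_request_headers(sm, config):
    """Step 3: fetch the token through the grant and place it in the configured header."""
    secret_string = sm.get_secret_value(MEDIATAILOR, config["SecretArn"])
    token = json.loads(secret_string)[config["SecretStringKey"]]
    return {config["HeaderName"]: token}


def can_read(sm, caller, secret_arn):
    """True if the caller's grants allow decrypting this secret."""
    try:
        sm.get_secret_value(caller, secret_arn)
        return True
    except PermissionError:
        return False


def build_demo():
    """Constructed environment: two secrets under one key, one source location."""
    sm = ToySecretsManager({KEY_ARN: ToyKms()})
    sm.create_secret(SOURCE_SECRET_ARN, KEY_ARN, '{"MyAccessTokenIdentifier":"112233445566"}')
    sm.create_secret(OTHER_SECRET_ARN, KEY_ARN, '{"Unrelated":"not-for-mediatailor"}')
    config = configure_source_location(sm, ACCOUNT_ID, "my-source-location", SOURCE_SECRET_ARN,
                                       "MyAccessTokenIdentifier", "X-Origin-Access-Token")
    return sm, config


if __name__ == "__main__":
    sm, config = build_demo()
    print(manifest_request_headers(sm, config))          # token lands in the header
    print(can_read(sm, MEDIATAILOR, OTHER_SECRET_ARN))   # False: grant is scoped to one SecretARN
    sm.keys[KEY_ARN].revoke_grant(grant_name(ACCOUNT_ID, "my-source-location"))
    print(can_read(sm, MEDIATAILOR, SOURCE_SECRET_ARN))  # False: access revoked
```

The point to take from the model is the one the page makes: because the grant carries an encryption-context constraint and Secrets Manager always supplies the secret ARN in that context, sharing one customer managed key across several secrets does not let MediaTailor read the others, and `RevokeGrant` on the named grant is the immediate off switch.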