Learn how to integration Axinom Key Service with AWS MediaConvert using SPEKE.

Axinom Key Service and AWS MediaConvert


This guide is aimed at Axinom’s customers who want to create DRM encrypted content with AWS MediaConvert. The guide demonstrates how to encode a video and apply DRM protection to it.


The prerequisites for integrating Axinom DRM Key Service with AWS MediaConvert are:

  • Access to Amazon Web Services (AWS)

  • A video file in the mp4 format in an AWS S3 bucket

Logging in to the AWS Console

Log in to the AWS Management Console at https://console.aws.amazon.com.

Setting up the AWS API Gateway

The API Gateway is the main point of integration with Axinom Key Service. The API Gateway is configured to provide an endpoint that proxies key requests from various AWS media services (such as MediaConvert and MediaPackage) to Axinom Key Service. Information is exchanged according to the Secure Packager and Encoder Key Exchange (SPEKE) specification. For information on SPEKE, see AWS documentation at https://docs.aws.amazon.com/speke/latest/documentation/what-is-speke.html.

  1. Open the AWS API Gateway console at https://console.aws.amazon.com/apigateway.

  2. Create a new API:

    1. To create an initial API, click Get Started and then OK.

    2. To create a subsequent API, click Create API.

    3. Set general API settings:

      • Protocol: REST.

      • API creation method: New API.

      • API name: "Axinom Key Service SPEKE".

      • Endpoint type: Regional.

        GatewayAPI General
    4. Choose Create API.

  3. Add a POST method to the API:

    1. Select ResourcesActionsCreate Method.

      GatewayAPI CreateMethod
    2. Choose POST from the dropdown and save the selection.

      GatewayAPI Configuration
    3. Configure the POST method:

      1. Integration type: HTTP.

      2. Use HTTP Proxy integration: yes.

      3. HTTP method: POST.

      4. Endpoint URL: https://key-server-management.axtest.net/api/Speke (this is the Axinom Key Service SPEKE endpoint).

        1. For production, use the following endpoint: https://key-server-management.axprod.net/api/Speke

      5. Content Handling: Passthrough.

      6. Use Default Timeout: yes.

        GatewayAPI ConfigurePost
      7. Click Save.

  4. Add an authorization header to the POST method:

    1. Go to the POST - Method Execution pane and choose Integration Request.

      GatewayAPI IntegrationRequest
    2. Expand HTTP Headers and choose Add header.

    3. Specify the Basic HTTP authentication header using your Axinom Key Service Management API credentials:

      • Name: Authorization.

      • Mapped from: 'Basic <credentials>', where <credentials> are the Base64-encoded Tenant ID and Management Key GUID strings joined by a colon. The single quotes must be included.


        If the Tenant ID is 2028718f-1edd-482a-b6b5-8067e93cfbfa and the Management Key is e0b81b34-dd82-4897-89f2-bdf32d7023f7 then the resulting "Mapped from" value should be 'Basic MjAyODcxOGYtMWVkZC00ODJhLWI2YjUtODA2N2U5M2NmYmZhOmUwYjgxYjM 0LWRkODItNDg5Ny04OWYyLWJkZjMyZDcwMjNmNw=='.

        GatewayAPI AddHeaders2
    4. Save the changes.

  5. Test the API configuration:

    1. In the /-POST- Method Execution panel, click TEST.

      GatewayAPI Test
    2. Paste a valid SPEKE request inside the Request Body box.

      An example of a valid SPEKE request
      <?xml version="1.0" encoding="UTF-8"?>
      <cpix:CPIX id="Test" xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:speke="urn:aws:amazon:com:speke">
      		<cpix:ContentKey kid="c158dedd-2d45-43b7-a7ac-aed65511a884"/>
      		<cpix:DRMSystem kid="c158dedd-2d45-43b7-a7ac-aed65511a884" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
      			<cpix:ContentProtectionData />
      			<speke:ProtectionHeader />
      			<cpix:PSSH />
      			<cpix:URIExtXKey />
      			<speke:KeyFormat />
      			<speke:KeyFormatVersions />
    3. Click Test.

      GatewayAPI IntegrationTest
      • If the configuration is correct and a valid SPEKE request was provided, Axinom Key Service returns 200 OK with the SPEKE response in the response body.

      • If an authentication error occurred, Axinom Key Service returns 401 Unauthorized. In that case, check that the authorization header contains a valid Base64-encoded string, as explained in the step "4. Add an authorization header to the POST method".

  6. Deploy the API:

    1. Select ResourcesActionsDeploy API.

      GatewayAPI DeployAPI
    2. Deployment stage: [New Stage].

    3. Stage name: "TestStage".

      GatewayAPI DeployAPI2
    4. Choose Deploy.

      • If the configuration is later changed, the API must be redeployed for the update to be enabled to other services.

    5. Note down the API Invoke URL. This will be provided to AWS media services as the key service URL.

      GatewayAPI InvokeURL

Setting up the Identity and Access Management Role

Before configuring MediaPackage, it is necessary to create an Identity and Access Management (IAM) role that allows MediaPackage to call the API Gateway.

  1. Open the AWS IAM console at https://console.aws.amazon.com/iam.

  2. Create a new role:

    1. Choose Roles from the left menu.

    2. Click Create role.

      IAM CreateRole0
    3. Select AWS service entity type → MediaConvert service → MediaConvert use case.

      IAM MediaConvertTemplate
    4. Click Next: PermissionsNext: TagsNext: Review.

    5. Provide role information:

      1. Role name: "MediaConvertRole".

        IAM CreateRole1
      2. Click Create role.

Setting up MediaConvert

MediaConvert allows encoding Video on Demand (VOD) content while applying DRM protection to it. This chapter shows how to create a simple DRM-protected MediaConvert job with an mp4 video input.

  1. Open the AWS MediaConvert console at https://console.aws.amazon.com/mediaconvert.

  2. Create a new MediaConvert job by clicking Create job on the right side:

    Convert CreateJobButton
    1. In the Input pane, click "Browse" and choose an input file from an S3 bucket.

      Convert InputField
      1. From the S3 bucket menu, choose the location of the input file by clicking the drop-down arrows. Once the file is chosen, click Choose.

        Convert ChooseLocation
    2. In the Create job pane, in the Output groups section, click add to add an output group. Output groups are different files that are present once the job finishes. Most output groups are audio or video files.

      Convert OutputGroup
      1. From the list in the Add output group, choose "DASH ISO" and then click Select.

        Convert AddOutputGroup
    3. In the DASH ISO group settings next to the Destination value, click Browse and select a destination for the output of the convert job.

      Convert AddDestination
    4. Add DRM information by clicking the small slider next to DRM encryption and fill in the following fields.

      1. Resource ID is an arbitrary value that MediaPackage uses to generate content key IDs. Enter any value, e.g. "ContentID". It will be passed in the CPIX document on the root element in the attribute "id".

      2. System ID is specific to each DRM technology provider. Enter the System IDs for the DRMs you want to use. For example, select up to two of the following values to use Widevine and/or PlayReady. AWS MediaConvert does not allow more than two entries.

        9a04f079-9840-4286-ab92-e65be0885f95 (PlayReady)

        edef8ba9-79d6-4ace-a3c8-27dcd51d21ed (Widevine)


        System IDs for all providers can be found at:

      3. Key provider URL- use the Invoke URL created in the [Setting up the AWS API gateway].

      4. Other settings can be left to defaults.

        Convert AddDRM
    5. At the bottom of the page, in the Outputs, click Add output. Having separate outputs for audio and video is a standard practice in the streamed media that many players require.

      1. Add name modifiers to the outputs. One should be for video and the other for audio.

        Convert OutputsWindow
    6. In the Output groups section, click Output 1.

      Convert Output1Select
      1. Since this will be the video output, remove the audio part from Output 1. In the Encoding settings, click Audio 1 and then click Remove audio.

        Convert RemoveAudio1
      2. Make sure Bitrate (bits/S) is defined. You can use "5000000", for example.

        Convert BitRate
    7. In the Output groups section, click Output 2.

      1. Since this will be the audio output, remove the video part in the Output 2 by selecting Video in the Encoding settings of Output 2 and clicking Remove video.