Example for use IoT certification instead of aws access key about amazon-kinesis-video-streams-webrtc-sdk-c HOT 7 CLOSED

Hi @ek9852

Please refer to Controlling Access to Kinesis Video Streams Resources Using AWS IoT for provisioning details. Thanks

from amazon-kinesis-video-streams-webrtc-sdk-c.

Hi @ek9852

Please refer to Controlling Access to Kinesis Video Streams Resources Using AWS IoT for provisioning details.

You may want to allow authorizations for the signaling apis as well.

e.g.

{
            "Effect": "Allow",
            "Action": [
                "kinesisvideo:CreateSignalingChannel",
                "kinesisvideo:DescribeSignalingChannel",
                "kinesisvideo:DeleteSignalingChannel",
                "kinesisvideo:GetSignalingChannelEndpoint"
            ],
            "Resource": "arn:aws:kinesisvideo:*:*:channel/*"
        }

Thanks

from amazon-kinesis-video-streams-webrtc-sdk-c.

Thanks, BTW how about the TURN server, do I need to set it up or config myself, or it is transparent to KVS webrtc sdk user.

from amazon-kinesis-video-streams-webrtc-sdk-c.

@ek9852 It should be transparent to the KVS WebRTC SDK User!

We provide an API signalingClientGetIceConfigInfo where you pull your ICE Servers from and copy them into your RtcConfig, you can see it happening here

from amazon-kinesis-video-streams-webrtc-sdk-c.

@Sean-Der
How can I specify the policy to use thingsname arm ?
"Resource": "arn:aws:kinesisvideo:::channel/" =>
"Resource": "arn:aws:kinesisvideo:::channel/${credentials-iot:ThingName}/" ??
And how can I specify that in the KVS webrtc API ?

from amazon-kinesis-video-streams-webrtc-sdk-c.

Hi @ek9852 ,
Yes, you can specify

"Resource": "arn:aws:kinesisvideo:*:*:channel/\${credentials-iot:ThingName}/*"

And then use it in the iot credentials provider:
https://github.com/awslabs/amazon-kinesis-video-streams-producer-sdk-cpp/blob/0888c666efbe7f20891a86c9e64a677f73e33b17/kinesis-video-c-producer/src/include/com/amazonaws/kinesis/video/common/Include.h#L530-L543

A sample policy would looks like

{
   "Version":"2012-10-17",
   "Statement":[
      {
          "Effect":"Allow",
          "Action":[
            "kinesisvideo:DescribeSignalingChannel",
            "kinesisvideo:CreateSignalingChannel",
            "kinesisvideo:GetSignalingChannelEndpoint",
            "kinesisvideo:GetIceServerConfig",
            "kinesisvideo:ConnectAsMaster",
            "kinesisvideo:ConnectAsViewer"
          ],
          "Resource":"arn:aws:kinesisvideo:*:*:channel/\${credentials-iot:ThingName}/*"
      }
   ]
}

You can use aws iot describe-endpoint --endpoint-type iot:CredentialProvider --output text to get the iot credentials endpoint and curl 'https://www.amazontrust.com/repository/SFSRootCAG2.pem' --output cacert.pem to get CA cert.

Then replace the credentials provider here with iot credentials provider like https://github.com/awslabs/amazon-kinesis-video-streams-webrtc-sdk-c/blob/master/samples/Common.c#L486-L490

createLwsIotCredentialProvider(
            "cor13xxxxx168.credentials.iot.us-west-2.amazonaws.com",  // iot credentials endpoint
            "/Users/username/Downloads/iot-signaling/certificate.pem",  // path to iot certificate
            "/Users/username/Downloads/iot-signaling/private.pem.key", // path to iot private key
            "/Users/username/Downloads/iot-signaling/cacert.pem", // path to CA cert
            "KinesisVideoSignalingCameraIoTRoleAlias", // iot role alias
            channelName, // iot thing name
            &pSampleConfiguration->pCredentialProvider));

from amazon-kinesis-video-streams-webrtc-sdk-c.

@zhiyua-git When you get a chance would you mind updating the documentation (or maybe having a sample) that does this?

I am not familiar with the IoT stuff at all, but this could be really helpful in the future.

thanks!

from amazon-kinesis-video-streams-webrtc-sdk-c.