How to use Kinesis Video Stream WebRTC SDK in the browser without providing credentials?

Question

I want to use kinesis video streams webrtc javascript sdk for producing video stream from a web page. The sdk readme says i need to supply accessKeyId and secrectAccessKey

signalingClient = new KVSWebRTC.SignalingClient({
    channelARN,
    channelEndpoint: endpointsByProtocol.WSS,
    clientId,
    role: KVSWebRTC.Role.VIEWER,
    region,
    credentials: {
        accessKeyId,
        secretAccessKey,
    },
    systemClockOffset: kinesisVideoClient.config.systemClockOffset,
});

Is there a way to make this more secure and avoid supplying the secret access key inside the javascript code? Doesn't it mean anyone viewing my web page source can take these credentials from the web page and use them to access the signaling channel? Can I use amplify-js Auth class to use the signaling client with an authenticated user?

tomeraz · Accepted Answer · 2020-05-21T12:54:46.873

4

Turns out I can use credentials inside the backend, and send a presigned link to the client using the class SigV4RequestSigner. There's no need to supply credentials on the client side.

Found it in the documentation:

This is a useful class to use in a NodeJS backend to sign requests and send them back to a client so that the client does not need to have AWS credentials.

edited May 21 '20 at 12:54

answered May 21 '20 at 12:44

tomeraz

193
3
15

3

I'm having a hard time trying to find an example to use. Is there any code that shows how this work? – Fernando Jul 10 '20 at 13:08
1

Yeah, provide examples please – X.Otano Sep 23 '20 at 08:21

score 1 · Answer 2 · answered Jul 09 '20 at 20:21

When creating the SignalingClient you can either specify the credentials or a requestSigner that returns a Promise<string>, see:

https://github.com/awslabs/amazon-kinesis-video-streams-webrtc-sdk-js/blob/master/README.md#class-signalingclient

credentials {object} Must be provided unless a requestSigner is provided.

Be aware that when not using credentials in the browser you will also need to run the KinesisVideoSignalingChannels related code on the server side, because this class does not supports request signer.

score 1 · Answer 3 · answered Jul 10 '20 at 18:27

For Kinesis, one of the possibilities is to implement in your NodeJS backend a function for signing your URLs.

const endpointsByProtocol = getSignalingChannelEndpointResponse.ResourceEndpointList.reduce((endpoints, endpoint) => {
    endpoints[endpoint.Protocol] = endpoint.ResourceEndpoint;
    return endpoints;
}, {});
console.log('[VIEWER] Endpoints: ', endpointsByProtocol);

const region = "us-west-2";
const credentials = {
    accessKeyId: "XAXAXAXAXAX",
    secretAccessKey: "SECRETSECRET"
};
const queryParams = {
    'X-Amz-ChannelARN': channelARN,
    'X-Amz-ClientId': formValues.clientId
}
const signer = new SigV4RequestSigner(region, credentials);
const url = await signer.getSignedURL(endpointsByProtocol.WSS, queryParams);
console.log(url);

Do you have an example about the complete funcionality? – X.Otano Sep 23 '20 at 08:24 — X.Otano, Sep 23 '20 at 08:24

How to use Kinesis Video Stream WebRTC SDK in the browser without providing credentials?

3 Answers3

Linked