GCP Live Stream API
With Live Stream API, you can transcode live, linear video streams into a variety of formats. Live Stream API benefits broadcasters, production companies, businesses, and individuals looking to transform their live video content for use across a variety of user devices.
https://cloud.google.com/livestream/docs
Live Stream API supports content encryption using DRM (Widevine, PlayReady, FairPlay, ClearKey). However, Live Stream doesn't directly integrate with any DRM tools. Instead, you are expected to acquire an encryption key from a DRM provider yourself and pass it to the Live Stream API through Secret Manager.
Axinom DRM Key Service is well suited for this purpose.
Prerequisites
To use Axinom DRM:
- Register on the Axinom Portal
- Start a free trial
- Go to My Mosaic / DRM and acquire credentials
- For using the SPEKE protocol you will need the following information:
  - Key Service Tenant ID (a UUID)
  - Key Service Management Key (a UUID)
  - SPEKE endpoint URL (https://key-server-management.axprod.net/api/SpekeV2)
- For using the Widevine Common Encryption protocol you will need the following information:
  - Widevine Provider Name
  - Widevine Signing Key
  - Widevine Signing IV
  - Widevine Common Encryption endpoint URL (https://key-server-management.axprod.net/api/WidevineProtectionInfo)
- Once you are ready to go to production, upgrade your Axinom account to a paid plan.
Integration Steps
To create your first encrypted stream, follow these steps. Google's guide describes the details.
Acquire a key from Axinom DRM
You can acquire a key from Axinom DRM Key Service using any of the supported protocols.
We recommend using the widely used protocols SPEKE v2 or Widevine Common Encryption.
For initial integration, you can use Axinom UI tools (SPEKE and Widevine Common Encryption respectively) to generate the keys without any programming.
For production use, we recommend automating key acquisition and storing the key in GCP Secret Manager (see below).
However you acquire the key, make sure you record the respective keyId. This is a unique identifier for the key and is required later to get a DRM license from the DRM License Service.
Convert the key into a format that Live Stream API can use
The key must be provided to Live Stream API in the following JSON format:
{
  "encryptionKeys": [
    {
      // Key for Widevine configurations.
      "keyId": "44ec248b048c43a6a6ee58a752c6f9f8",
      "key": "f1967daca83e81f38d80aa741e7b32c2",
      "keyUri": "skd://44ec248b048c43a6a6ee58a752c6f9f8",
      "matchers": [
        {
          "muxStreams": [
            "fmp4_widevine_cenc_video",
            "fmp4_widevine_cenc_audio",
            "fmp4_widevine_cbcs_video",
            "fmp4_widevine_cbcs_audio"
          ]
        }
      ]
    }
  ]
}
Format details are described in DRM protocol documentation.
Create a secret and store your encryption key there
Create a secret using GCP Secret Manager and store the key in it.
Refer to the Create a secret guide from Google.
Make sure you copy the key value to GCP Secret Manager on the shortest path and don't store any copies of the key, as the security of your assets depends on this key being secret.
Configure the channel to use the encryption key
In your channel configuration, use the element "encryptions" to describe the details.
Specifically, provide a reference to the secret that contains the key.
Make sure you have granted the secretAccessor role to the service account used to run the live stream.
Now you can start the channel.
Live Stream API encrypts the stream using the key from the secret.
To replace the key:
- Stop the channel
- Generate a new key, store it in a secret and update the channel configuration
- Start the channel
Automating Key Acquisition
If you regularly use encrypted live streams in production, you may want to automate the key acquisition process.
Mainly, you have to automate the following steps:
- Acquire an encryption key from Axinom DRM Key Service
- Transform the key information into the JSON format that Live Stream API can use
- Store the key in GCP Secret Manager.
Acquire Key from Axinom DRM
Axinom DRM Key Service offers a Web API which can be easily accessed.
First, make sure you can call the API successfully using one of the tools suggested above.
Then try the same using a script sending an HTTP request.
Widevine Common Encryption is slightly easier to implement. A request is shorter, and a response comes already as JSON.
SPEKE instead relies on the CPIX format, which is an industry standard for key exchange information. It is based on XML, and it requires creating a template document which you send as the request. The Key Service returns the same document to you, extended with the actual generated key information.
Transform the key into the JSON format
Depending on the protocol you use, you receive the key details either as CPIX (an XML-based format) or as JSON.
You just need to transform the key information into the JSON format that Live Stream API can use. This is a straightforward field-mapping task.
Store the key in GCP Secret Manager
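The field mapping for the SPEKE/CPIX case, as an added example (not Axinom's or Google's code). It assumes the response carries the content key in clear under pskc:PlainValue; the function names are hypothetical, and the sample document, the skd:// keyUri pattern and the mux stream names are constructed from the JSON sample shown earlier on this page.

```python
import base64
import json
import uuid
import xml.etree.ElementTree as ET

NS = {"cpix": "urn:dashif:org:cpix",
      "pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}

def make_sample_cpix(kid, key_bytes):
    """Constructed stand-in for a key service response (not real output)."""
    b64 = base64.b64encode(key_bytes).decode()
    return (
        '<cpix:CPIX xmlns:cpix="urn:dashif:org:cpix" '
        'xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">'
        "<cpix:ContentKeyList>"
        f'<cpix:ContentKey kid="{kid}"><cpix:Data><pskc:Secret>'
        f"<pskc:PlainValue>{b64}</pskc:PlainValue>"
        "</pskc:Secret></cpix:Data></cpix:ContentKey>"
        "</cpix:ContentKeyList></cpix:CPIX>"
    )

def cpix_to_livestream_json(cpix_xml, mux_streams):
    """Map each clear ContentKey to an entry of the encryptionKeys array."""
    root = ET.fromstring(cpix_xml)
    entries = []
    for ck in root.findall("cpix:ContentKeyList/cpix:ContentKey", NS):
        kid = uuid.UUID(ck.attrib["kid"]).hex  # UUID -> 32 hex chars, no dashes
        plain = ck.find("cpix:Data/pskc:Secret/pskc:PlainValue", NS)
        if plain is None or not plain.text:
            raise ValueError(f"key {kid}: no clear PlainValue in response")
        key = base64.b64decode(plain.text.strip(), validate=True)
        if len(key) != 16:  # the page's sample key is 16 bytes (32 hex chars)
            raise ValueError(f"key {kid}: expected 16 bytes, got {len(key)}")
        entries.append({
            "keyId": kid,
            "key": key.hex(),
            "keyUri": f"skd://{kid}",  # pattern taken from the page's sample
            "matchers": [{"muxStreams": list(mux_streams)}],
        })
    if not entries:
        raise ValueError("CPIX document contains no ContentKey")
    return json.dumps({"encryptionKeys": entries})

if __name__ == "__main__":
    doc = make_sample_cpix("44ec248b-048c-43a6-a6ee-58a752c6f9f8",
                           bytes.fromhex("f1967daca83e81f38d80aa741e7b32c2"))
    payload = cpix_to_livestream_json(doc, ["fmp4_widevine_cenc_video"])
    # Show field names only; the key value itself is never printed or logged.
    print(sorted(json.loads(payload)["encryptionKeys"][0]))
```

The returned string is the value to add as the secret's content; keep it in memory only and pass it straight to Secret Manager.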
This can be achieved using GCP APIs.
You can use a sample implementation provided by Google.
Support
Should you have any further questions on this integration, feel free to contact Axinom Support.
See also
- https://cloud.google.com/livestream/docs/how-to/encrypt-content - Encrypt a live stream (from GCP documentation)
- https://cloud.google.com/livestream/docs/reference/drm - DRM protocol documentation (from GCP documentation)
- Axinom SPEKE tool
- Axinom Widevine Common Encryption tool