Transcoder API

Google Cloud Cloud Foundations & Onboarding
1

Implementing GCP transcoder API, Some of the details are unclear for the implementation below queries

  1. How can I implement encrypted content? https://cloud.google.com/transcoder/docs/how-to/encrypt-content

    1. I followed the sample example getting an error with

      config {
  inputs {
    key: "input0"
    uri: "gs://demo-input/e9f33d5"
  }
  edit_list {
    key: "atom0"
    inputs: "input0"
    start_time_offset {
    }
  }
  elementary_streams {
    video_stream {
      h264 {
        width_pixels: 640
        height_pixels: 360
        frame_rate: 60.0
        bitrate_bps: 550000
        pixel_format: "yuv420p"
        rate_control_mode: "vbr"
        crf_level: 21
        gop_duration {
          seconds: 3
        }
        vbv_size_bits: 550000
        vbv_fullness_bits: 495000
        entropy_coder: "cabac"
        profile: "high"
        preset: "veryfast"
      }
    }
    key: "video_stream0"
  }
  elementary_streams {
    audio_stream {
      codec: "aac"
      bitrate_bps: 64000
      channel_count: 2
      channel_layout: "fl"
      channel_layout: "fr"
      sample_rate_hertz: 48000
    }
    key: "audio_stream0"
  }
  mux_streams {
    key: "ts_aes128"
    file_name: "ts_aes128.ts"
    container: "ts"
    elementary_streams: "video_stream0"
    elementary_streams: "audio_stream0"
    segment_settings {
      segment_duration {
        seconds: 3
      }
      individual_segments: true
    }
    encryption_id: "aes-128"
  }
  output {
    uri: "gs://deletion-test1/c952bf80-7f82/"
  }
  encryptions {
    aes_128 {
    }
    id: "aes-128"
    secret_manager_key_source {
      secret_version: "projects/7558/secrets/dev-demo-secretkey/versions/1"
    }
    drm_systems {
      clearkey {
      }
    }
  }
}

      
error {
code: 3
message: "Secret config field config.encryptions[0].secretManagerKeySource.secretVersion is an invalid json, expected a valid json."
details {
type_url: "type.googleapis.com/google.rpc.BadRequest"
value: "\nJ\n:config.encryptions[0].secretManagerKeySource.secretVersion\022\fInvalid JSON"
}
}

    2. How do handle multi-tenant approach encrypted content, do I need to implement each video’s keys or alternative approach?

  2. How do I protect the video player from playing to access the configuration? ex: If I use shaka-player then on the browser need to access the video other players should be blocked from accessing the video
  3. After transcoding API-generated videos, how can I play the videos?

    1. Based on this document https://cloud.google.com/transcoder/docs/transcode-video I need to make all objects in a bucket publicly readable Note: roles/storage.objectViewer includes permission to list the objects in the bucket. If you don’t want to grant listing publicly, use roles/storage.legacyObjectReader.

    2. I’m not a fan doing making my bucket public or legacyObjectReader

    3. When I’m using the below setting, for playing video files The player will use the manifest.m3u8 file how to handle .mp4 file do I need to make any permission or not?? how do I ensure my video is protected while the video player internally calls accessing mp4 files?

      audio-only0000000000.m4s
hd.mp4
manifest.m3u8
manifest.mpd
media-hd.m3u8
media-hd0000000000.ts
media-sd.m3u8
media-sd0000000000.ts
sd.mp4
video-only-hd0000000000.m4s
video-only-sd0000000000.m4s

    4. what are the best practices for the implementation of transcoding API for playing videos?

  4. How can I use a signed URL approach for playing videos?

Thanks for support

2

  1. The error you’re encountering seems to be related to the JSON format for specifying the secret version. Make sure your JSON format is correct. You might want to check the JSON structure and ensure that it adheres to the required format. Refer to the SecretManagerKeySource documentation for details on how to structure the JSON.

  2. For a multi-tenant approach, you generally need to manage keys separately for each tenant. Each video should have its own set of encryption keys. This ensures that the content for one tenant is not accessible by another. When using the Transcoder API, you would generate and manage these keys securely.

  3. To protect the video player and access to configuration, you should implement proper authentication and authorization mechanisms. This might involve securing the configuration files, using authentication tokens, and ensuring that only authorized users or applications can access the player and related resources.

  4. If you don’t want to make your bucket public, you can use more fine-grained access controls. Grant the necessary permissions only to the entities that need them, such as the service account used by your video player. You don’t necessarily need to make everything publicly readable.

  5. The Transcoder API typically generates HLS or DASH manifests (like manifest.m3u8 or manifest.mpd). These manifest files reference the segmented media files (.ts files). You can control access to these files through proper bucket permissions. The player should be configured to use the manifest file, and it will internally handle the access to the individual media segments.

  6. Best practices for transcoding API Implementation:

  • Securely manage encryption keys.
  • Implement proper access controls on your storage bucket.
  • Use signed URLs for secure access to resources.
  • Protect configuration files and use proper authentication for your video player.
  1. To use signed URLs, you can generate a signed URL for each resource (e.g., video file) and provide that URL to the client. The signed URL includes a signature based on your private key, allowing controlled access to the specified resource for a limited time.