Authenticating Lambda with EC2
EC2 instances have credentials that can interact with the AWS SDK. If you would like to use it with Remotion Lambda, you need to assume the role using STS to generate an access token that can be used by Remotion.
This guide will demonstrate how to securely interact with Remotion's renderMediaOnLambda()
operations from an AWS EC2 instance using Node.js and TypeScript.
To supplement this guide, two projects have been created:
-
The remotion-app includes a Remotion composition and utility scripts for deploying and deleting Remotion Lambda infrastructure in AWS. It should be noted that this is the same application as the one featured in the Serverless Framework guide. Follow the setup guide, if the Remotion lambda is not yet deployed to your AWS account.
-
The ec2-remotion-lambda is a TypeScript Node.js application that initiates a video rendering process via a REST endpoint.
Prerequisites
- AWS deployment profile on your local machine, to configure an AWS deployment profile on your local machine.
- A AWS policy created named
remotion-executionrole-policy
which is created from this guide. - An understanding how IAM and Assume Role works in AWS.
- A knowledge of creating and provisioning EC2 instances and installing packages in Ubuntu distro. These includes Git, Node.js, as you'll as running the nodejs application.
Setup for ec2-remotion-lambda
application
1. Create the Remotion policy
- The
remotion-executionrole-policy
should have been created, if not, follow this guide in setting this up.
2. Create role for remotion render execution
Steps
3. Create a role for the EC2 instance
Steps
4. Trust the EC2 role from "remotion-ec2-executionrole"
Steps
remotion-ec2-executionrolejson
{"Version": "2012-10-17","Statement": [{"Sid": "","Effect": "Allow","Principal": {"Service": "lambda.amazonaws.com"},"Action": "sts:AssumeRole"},{"Sid": "","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::XXXXXXXX:role/ec2-remotion-role"},"Action": "sts:AssumeRole"}]}
remotion-ec2-executionrolejson
{"Version": "2012-10-17","Statement": [{"Sid": "","Effect": "Allow","Principal": {"Service": "lambda.amazonaws.com"},"Action": "sts:AssumeRole"},{"Sid": "","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::XXXXXXXX:role/ec2-remotion-role"},"Action": "sts:AssumeRole"}]}
This configuration grants authority to ec2-remotion-role
to assume the role of remotion-ec2-executionrole
and provides the necessary permissions to access AWS services and resources required by Remotion for video rendering.
6. Create the EC2 instance
Steps
- From AWS Management console:
1Go to the EC2 dashboard by selecting EC2 from the list of services.
2Click on the "Launch Instance" button.
3Choose an Amazon Machine Image (AMI) that you want to use for your instance. You can select from a variety of pre-configured AMIs, or you can create your own. For this instance chose "Ubuntu AMI".
4Select an instance type that you want to use for your instance. The instance type determines the amount of CPU, memory, storage, and networking capacity that your instance will have. The recommended operating system is Ubuntu and at least 1Gib of RAM.
5Configure your instance details, such as the number of instances you want to launch, the VPC and subnet you want to use, and any advanced settings you want to enable.
6From "Network setting" tick the "Allow SSH traffic from", and from selection of allowing access select "My IP address". This will allow you to connect to the server instance via SSH and SFTP to upload the application code.
7From "Network setting" also, click "Allow HTTP traffic from the internet", this will allow the application to be trigger for REST API operation.
8Add storage to your instance by selecting the storage type and size you want to use.
9From "Advance details", on "IAM instance profile" find the role you specifically created for EC2, this is "ec2-remotion-role".
10Review your instance launch details and click the "Launch" button.
11Choose an existing key pair or create a new key pair to securely connect to your instance. This key pair is necessary to access your instance via SSH.
12Launch your instance by clicking the "Launch Instances" button.
13Wait for your instance to launch. Once it's ready, you can connect to it using SSH, RDP, or other remote access methods.
7. Upload the code to the server and install dependencies
The application requires Node.js and NVM on the server. You can follow this guide for installing Node.js. The recommended Node.js version is v18.15.0, and NVM is quite helpful in switching between Node.js versions. Install it and learn how to use it by following this guide.
Upload the application code to the EC2 instance by any means you are comfortable with. For this instance, the code was uploaded using an SFTP client named Cyberduck. Upload the application code to the home directory. When logging in from Cyberduck, the default directory is /home/ubuntu.
Installing the dependencies
ssh -i "remotion.pem" ubuntu@example.com
ssh -i "remotion.pem" ubuntu@example.com
bash
cd ec2-remotion-lambda
bash
cd ec2-remotion-lambda
bash
npm i
bash
npm i
8. Configure the application environment variables
Steps
.env
PORT
, REMOTION_ROLE_ARN
, REMOTION_ROLE_SESSION_NAME
, API_USERNAME
, API_PASSWORD
.envbash
PORT=8080REMOTION_ROLE_ARN=arn:aws:iam::XXXXXXXXXX:role/remotion-ec2-executionroleREMOTION_ROLE_SESSION_NAME=render-sessionsAPI_USERNAME=adminAPI_PASSWORD=password
.envbash
PORT=8080REMOTION_ROLE_ARN=arn:aws:iam::XXXXXXXXXX:role/remotion-ec2-executionroleREMOTION_ROLE_SESSION_NAME=render-sessionsAPI_USERNAME=adminAPI_PASSWORD=password
PORT
represents the which port should the application can run from.REMOTION_ROLE_ARN
represents theARN
of the role which the applicationassume
to render the video, for this instance it isremotion-ec2-executionrole
ARN fromstep 2
.REMOTION_ROLE_SESSION_NAME
a name to uniquely identify the role session when the same role is assumed by different principals.
The application is secured using basic authentication
or username and password, in production setting this needs to be updated to a more robust security mechanism.
API_USERNAME
represents the username to use when interacting with the API.API_PASSWORD
represent the password to use when interacting with the API.
9. Run the application from the application directory, by executing the command below
bash
npm run start
bash
npm run start
The application will start an http service that is accessible on the port specified on .env
, for this instance it is in port 8080.
9. Interacting with the API
The application can be interacted with using CURL. To interact with the API, follow the steps below.
-
Since the application is still not a daemon process, launch another shell session to connect to the server.
bashssh -i "remotion.pem" ubuntu@example.combashssh -i "remotion.pem" ubuntu@example.com -
Execute the CURL command
Requestbashcurl --location --request POST 'http://localhost:8080/render' \--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='Requestbashcurl --location --request POST 'http://localhost:8080/render' \--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='The
Authorization
header is a combination of wordBasic
and a space, then thebase64
encoded username and password joined together by colon,username:password
.From the
/render
API resource, the application will execute this piece of code This codes assume the role ofec2-remotion-role
, then provided with temporary access tokens ieAccessKeyId
,SecretAccessKey
andSessionToken
. These credentials will then need to be set as environment variables on the server so that in can be used by therenderMediaOnLambda()
process. Setting the environment parameters route the render process in this (code)[https://github.com/alexfernandez803/remotion-serverless/blob/main/ec2-app/render_handler.ts#L14].API Responsebash{"message":"Video rendered.","renderId":"px60ct13fy","bucketName":"remotionlambda-apsoutheast2-qv16gcf02l"}API Responsebash{"message":"Video rendered.","renderId":"px60ct13fy","bucketName":"remotionlambda-apsoutheast2-qv16gcf02l"}
10. Cleanup: Destroy the EC2 instance from your AWS account
Steps
This is a simple demonstration of using Remotion's Lambda and EC2. To productionize this approach, other steps may be required based on the use case. Implement an enterprise-grade security mechanism, run the application as a service, and have it sit behind a reverse proxy like Nginx.