awslabs / amplify-video

An open source Category Plugin for the AWS Amplify-CLI that makes it easy to deploy live and file based streaming video services and integrate them into your Amplify applications.
https://www.npmjs.com/package/amplify-category-video
Apache License 2.0
267 stars 56 forks

Update key used for signing CloudFront URLs #181

Closed pragya213-2 closed 3 years ago

pragya213-2 commented 3 years ago

Describe the bug

Using Amplify video plugin with Amplify CLI, when I try to update the key used for signing CloudFront URLs, the following error occurs:

ResourceExistsException: The operation failed because the secret vod9-pem already exists.
    at Request.extractError (/snapshot/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/snapshot/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/snapshot/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/snapshot/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /snapshot/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/snapshot/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/snapshot/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

To Reproduce

Steps to reproduce the behavior:

amplify video add
? Please select from one of the below mentioned services: Video-On-Demand
? Provide a friendly name for your resource to be used as a label for this category in the project: vod9
? Select a system-provided encoding template, specify an already-created template name: Default HLS Adaptive Bitrate
? Is this a production enviroment? Yes
? Do you want to protect your content with signed urls? Yes
? Provide the location to the pem key you want CloudFront you want to sign urls with: key1.pem
? What is the ID associated with the pem key? xyz
? Do you want Amplify to create a new GraphQL API to manage your videos? (Beta) No
✔ All resources built.

Then try to update the key used for signing CloudFront urls as follows:

amplify video update
? Choose what project you want to update? vod9
? Select a system-provided encoding template, specify an already-created template name: Default HLS Adaptive Bitrate
? Is this a production enviroment? Yes
? Do you want to protect your content with signed urls? Yes
? Provide the location to the pem key you want CloudFront you want to sign urls with: key2.pem
? What is the ID associated with the pem key? abc
The operation failed because the secret vod9-pem already exists.
ResourceExistsException: The operation failed because the secret vod9-pem already exists.
    at Request.extractError (/snapshot/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/snapshot/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/snapshot/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/snapshot/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /snapshot/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/snapshot/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/snapshot/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

Expected behavior

The key used for signing CloudFront URLs should be updated

Desktop (please complete the following information):

Additional context

When I first add the pem key location and ID, a secret in Secrets Manager is created with the name resourcename-pem (for example, vod9-pem). However, this secret is not updated when I try to update the pem key; instead the above error is thrown.

I also tried to delete the secret generated from the Secrets Manager console, but there is a 7 day retention policy in place. After deleting the secret from console, the above commands result in the following error:

You can't create this secret because a secret with this name is already scheduled for deletion.
InvalidRequestException: You can't create this secret because a secret with this name is already scheduled for deletion.
    at Request.extractError (/snapshot/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/snapshot/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/snapshot/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/snapshot/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /snapshot/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/snapshot/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/snapshot/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/snapshot/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

Deleting and recreating the CloudFront distribution didn't make any difference. Selecting the following option in 'amplify video update' also did not make any difference once the secret had been created: Do you want to protect your content with signed urls? no

What would be the best way to update the vod module to update the key used for signing CloudFront urls?

THOM-AwS commented 3 years ago

This is my ticket with AWS Support, I am trying a few things to see if I can get this back on track, but I am having no success here. I have tried again to update the cloudfront keys, but it did not work. Then I tried to generate a new set of keys and add them in the place of the first set. I have also since tried to remove the original keys and they are now in the deleting state. This also has not been successful. I am getting the same error messages.

amplify update video                                                                                                                                          master   
? Choose what project you want to update? MYVideo
? Select a system-provided encoding template, specify an already-created template name:  Default HLS Adaptive Bitrate
? Is this a production enviroment? Yes
? Do you want to protect your content with signed urls? Yes
? Provide the location to the pem key you want CloudFront you want to sign urls with: /Users/MYUSER/Downloads/pk-MYID.pem
? What is the ID associated with the pem key? MYID
You can't create this secret because a secret with this name is already scheduled for deletion.
InvalidRequestException: You can't create this secret because a secret with this name is already scheduled for deletion.
    at Request.extractError (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

Clearly the keys are tied to the module's name, rather than just to the key's name. I tried then to remove and re-add the Video module, and this also threw me an error that it has dependencies.

amplify remove video                                                                                                                                          master   
? Choose the resource you would want to remove MYVideo

? Are you sure you want to delete the resource? This action deletes all files related to this resource from the backend directory. Yes
Resource cannot be removed because it has a dependency on another resource
Dependency: AppSync:MYAPI
Resource cannot be removed because it has a dependency on another resource
Error: Resource cannot be removed because it has a dependency on another resource
    at /usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/remove-resource.js:128:31
    at Array.forEach (<anonymous>)
    at /usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/remove-resource.js:124:40
    at Array.forEach (<anonymous>)
    at deleteResourceFiles (/usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/remove-resource.js:122:22)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async Object.run (/usr/local/lib/node_modules/amplify-category-video/commands/video/remove.js:7:5)
    at async Object.executeAmplifyCommand (/usr/local/lib/node_modules/amplify-category-video/index.js:78:3)
    at async executePluginModuleCommand (/usr/local/lib/node_modules/@aws-amplify/cli/lib/execution-manager.js:166:5)
    at async Object.executeCommand (/usr/local/lib/node_modules/@aws-amplify/cli/lib/execution-manager.js:35:9)

Any help with this would be much appreciated, as we are trying to get our project live right now, and we are waiting on this to begin uploading videos to our platform for showcasing.

wizage commented 3 years ago

A fix was in the works in December 2020. I just got back into the groove of things and just need to validate the changes and make sure they are good to go out!

THOM-AwS commented 3 years ago

A faster way to get past this as a total road block is to force remove the secret from the secrets manager, you don't have to wait for the full period to elapse in secrets manager. https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-restore-secret.html for anyone that needs to find this out quickly.

wizage commented 3 years ago

Hey @HaterMonestary sorry about the delay. We ended up merging this project with updating to no longer using root credentials for signed urls and instead going with the new preferred method of using signed urls with CloudFront. We are releasing it shortly with the ability to not update your keys, rotate your keys or remove keys altogether!

Will update when the update is live!

danielvouch commented 3 years ago

Having the same issue here, even deleting the secret through AWS CLI threw the same error

You can't create this secret because a secret with this name is already scheduled for deletion.

I'm running amplify video update

Anyone figure this out?

THOM-AwS commented 3 years ago

> Having the same issue here, even deleting the secret through AWS CLI threw the same error
>
> You can't create this secret because a secret with this name is already scheduled for deletion.
>
> I'm running amplify video update
>
> Anyone figure this out?

aws secretsmanager delete-secret --secret-id YOUR_SECRET_NAME --force-delete-without-recovery

wizage commented 3 years ago

We HIGHLY recommend upgrading your Amplify Video to solve this issue. But if you have a requirement to stay on an older version, this is correct!
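Both errors reported in this thread come from calling CreateSecret on a name that already exists or is scheduled for deletion. The sketch below is an added example, not code from amplify-video or from any participant in the thread: it shows a create-or-update routine that checks the secret's state first and restores a pending deletion instead of force-deleting. It assumes the AWS SDK for JavaScript v2 call shape (`client.op(params).promise()`); `upsertSecret`, `fakeSecretsManager` and the key strings are hypothetical names and constructed sample data.

```javascript
// Added example, not amplify-video code. `client` uses the AWS SDK v2 call shape.
async function upsertSecret(client, name, value) {
  const d = await client.describeSecret({ SecretId: name }).promise().catch((err) => {
    if (err.code !== 'ResourceNotFoundException') throw err;
    return null; // secret does not exist yet
  });
  if (!d) {
    await client.createSecret({ Name: name, SecretString: value }).promise();
    return 'created';
  }
  // CreateSecret would fail here (exists, or deletion pending): reuse the secret.
  if (d.DeletedDate) await client.restoreSecret({ SecretId: name }).promise();
  await client.putSecretValue({ SecretId: name, SecretString: value }).promise();
  return d.DeletedDate ? 'restored-and-updated' : 'updated';
}

// Constructed in-memory stand-in for Secrets Manager so the example runs offline.
function fakeSecretsManager() {
  const store = new Map(); // name -> { value, deleted }
  const op = (fn) => (params) => ({ promise: async () => fn(params) });
  const fail = (code) => { throw Object.assign(new Error(code), { code }); };
  const get = (id) => store.get(id) || fail('ResourceNotFoundException');
  return {
    store,
    describeSecret: op(({ SecretId }) => (get(SecretId).deleted ? { DeletedDate: new Date(0) } : {})),
    createSecret: op(({ Name, SecretString }) => {
      const s = store.get(Name);
      if (s) fail(s.deleted ? 'InvalidRequestException' : 'ResourceExistsException');
      store.set(Name, { value: SecretString, deleted: false });
    }),
    putSecretValue: op(({ SecretId, SecretString }) => {
      const s = get(SecretId);
      if (s.deleted) fail('InvalidRequestException');
      s.value = SecretString;
    }),
    restoreSecret: op(({ SecretId }) => { get(SecretId).deleted = false; }),
    deleteSecret: op(({ SecretId }) => { get(SecretId).deleted = true; }),
  };
}

async function demo() {
  const sm = fakeSecretsManager();
  const first = await upsertSecret(sm, 'vod9-pem', 'constructed-key-1');
  const second = await upsertSecret(sm, 'vod9-pem', 'constructed-key-2');
  await sm.deleteSecret({ SecretId: 'vod9-pem' }).promise(); // console-style delete
  const third = await upsertSecret(sm, 'vod9-pem', 'constructed-key-3');
  return { steps: [first, second, third], value: sm.store.get('vod9-pem').value };
}
```

Restoring keeps the secret's version history, whereas the `--force-delete-without-recovery` workaround quoted above discards the old signing key with no recovery window.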