Skip to main content

Authenticating Lambda with EC2

EC2 instances have credentials that can interact with the AWS SDK. If you would like to use it with Remotion Lambda, you need to assume the role using STS to generate an access token that can be used by Remotion.

This guide will demonstrate how to securely interact with Remotion's renderMediaOnLambda() operations from an AWS EC2 instance using Node.js and TypeScript.

To supplement this guide, two projects have been created:

  • The remotion-app includes a Remotion composition and utility scripts for deploying and deleting Remotion Lambda infrastructure in AWS. It should be noted that this is the same application as the one featured in the Serverless Framework guide. Follow the setup guide, if the Remotion lambda is not yet deployed to your AWS account.

  • The ec2-remotion-lambda is a TypeScript Node.js application that initiates a video rendering process via a REST endpoint.

Prerequisites

  • AWS deployment profile on your local machine, to configure an AWS deployment profile on your local machine.
  • A AWS policy created named remotion-executionrole-policy which is created from this guide.
  • An understanding how IAM and Assume Role works in AWS.
  • A knowledge of creating and provisioning EC2 instances and installing packages in Ubuntu distro. These includes Git, Node.js, as you'll as running the nodejs application.

Setup for ec2-remotion-lambda application

1. Create the Remotion policy

  • The remotion-executionrole-policy should have been created, if not, follow this guide in setting this up.

2. Create role for remotion render execution

Steps
1
Go to the IAM Roles section of your AWS account.
2
Click "Create role".
3
Under "Select type of trusted entity", select "AWS service", and under "Choose the service that will use this role", select "Lambda". Click "Next: Permissions".
4
Under "Attach permissions policies", search for "remotion-executionrole-policy" and click the checkbox to assign this policy. If the policy has not been created, refer to step 1.
5
Additionally, still in "Attach permissions policies", clear the filter and search for "AWSLambdaBasicExecutionRole". Click the checkbox and click "Next: Tags".
6
On the "Add tags" page, you can optionally add tags to the role. Click "Next: Review".
7
On the "Review" page, name the role "remotion-ec2-executionrole" exactly. Leave the other fields as they are.
8
Click "Create role" to confirm.

3. Create a role for the EC2 instance

Steps

1
From IAM Roles section of your AWS account.
2
Click "Create role".
3
Under "Select type of trusted entity", select "AWS service", and under "Choose the service that will use this role", select "EC2". Click "Next: Permissions".
4
Under "Attach permissions policies", leave it empty for now. Click "Next: Tags".
5
On the "Add tags" page, you can optionally add tags to the role. Click "Next: Review".
6
On the "Review" page, name the role as "ec2-remotion-role". Leave the other fields as they are.
7
Click "Create role" to confirm.
8
Make a note of the "ARN" for the role. It should be in this format "arn:aws:iam::XXXXXXXX:role/ec2-remotion-role"

4. Trust the EC2 role from "remotion-ec2-executionrole"

Steps

1
From the IAM Roles section, find the role created in step 2, or filter roles by name using "remotion-ec2-executionrole".
2
Click on the role to open its details page.
3
From the "Trust relationships" tab, click the "Edit trust relationship" button.
4
Edit the policy statement to add the ARN of the EC2 role (ec2-remotion-role) created in step 3. Add it as one of the principals and as a AWS principal.
5
Save the changes to the trust policy.

remotion-ec2-executionrole
json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXX:role/ec2-remotion-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
remotion-ec2-executionrole
json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXX:role/ec2-remotion-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
info

This configuration grants authority to ec2-remotion-role to assume the role of remotion-ec2-executionrole and provides the necessary permissions to access AWS services and resources required by Remotion for video rendering.

6. Create the EC2 instance

Steps

  • From AWS Management console:
    1
    Go to the EC2 dashboard by selecting EC2 from the list of services.
    2
    Click on the "Launch Instance" button.
    3
    Choose an Amazon Machine Image (AMI) that you want to use for your instance. You can select from a variety of pre-configured AMIs, or you can create your own. For this instance chose "Ubuntu AMI".
    4
    Select an instance type that you want to use for your instance. The instance type determines the amount of CPU, memory, storage, and networking capacity that your instance will have. The recommended operating system is Ubuntu and at least 1Gib of RAM.
    5
    Configure your instance details, such as the number of instances you want to launch, the VPC and subnet you want to use, and any advanced settings you want to enable.
    6
    From "Network setting" tick the "Allow SSH traffic from", and from selection of allowing access select "My IP address". This will allow you to connect to the server instance via SSH and SFTP to upload the application code.
    7
    From "Network setting" also, click "Allow HTTP traffic from the internet", this will allow the application to be trigger for REST API operation.
    8
    Add storage to your instance by selecting the storage type and size you want to use.
    9
    From "Advance details", on "IAM instance profile" find the role you specifically created for EC2, this is "ec2-remotion-role".
    10
    Review your instance launch details and click the "Launch" button.
    11
    Choose an existing key pair or create a new key pair to securely connect to your instance. This key pair is necessary to access your instance via SSH.
    12
    Launch your instance by clicking the "Launch Instances" button.
    13
    Wait for your instance to launch. Once it's ready, you can connect to it using SSH, RDP, or other remote access methods.

7. Upload the code to the server and install dependencies

The application requires Node.js and NVM on the server. You can follow this guide for installing Node.js. The recommended Node.js version is v18.15.0, and NVM is quite helpful in switching between Node.js versions. Install it and learn how to use it by following this guide.

Upload the application code to the EC2 instance by any means you are comfortable with. For this instance, the code was uploaded using an SFTP client named Cyberduck. Upload the application code to the home directory. When logging in from Cyberduck, the default directory is /home/ubuntu.

Installing the dependencies

1
 Connect to the server using ssh client, below is an example how to connect to the server.
 ssh -i "remotion.pem" ubuntu@example.com
 ssh -i "remotion.pem" ubuntu@example.com
2
 Go to the application directory
bash
cd ec2-remotion-lambda
bash
cd ec2-remotion-lambda
3
 Execute the command below to install application dependencies.
bash
npm i
bash
npm i

8. Configure the application environment variables

Steps

1
From the application directory, create a file named .env
2
 Assign values for the environment keys such as PORT, REMOTION_ROLE_ARN, REMOTION_ROLE_SESSION_NAME, API_USERNAME, API_PASSWORD

.env
bash
PORT=8080
REMOTION_ROLE_ARN=arn:aws:iam::XXXXXXXXXX:role/remotion-ec2-executionrole
REMOTION_ROLE_SESSION_NAME=render-sessions
API_USERNAME=admin
API_PASSWORD=password
.env
bash
PORT=8080
REMOTION_ROLE_ARN=arn:aws:iam::XXXXXXXXXX:role/remotion-ec2-executionrole
REMOTION_ROLE_SESSION_NAME=render-sessions
API_USERNAME=admin
API_PASSWORD=password
  • PORT represents the which port should the application can run from.
  • REMOTION_ROLE_ARN represents the ARN of the role which the application assume to render the video, for this instance it is remotion-ec2-executionrole ARN from step 2.
  • REMOTION_ROLE_SESSION_NAME a name to uniquely identify the role session when the same role is assumed by different principals.

The application is secured using basic authentication or username and password, in production setting this needs to be updated to a more robust security mechanism.

  • API_USERNAME represents the username to use when interacting with the API.
  • API_PASSWORD represent the password to use when interacting with the API.

9. Run the application from the application directory, by executing the command below

bash
npm run start
bash
npm run start

The application will start an http service that is accessible on the port specified on .env, for this instance it is in port 8080.

9. Interacting with the API

The application can be interacted with using CURL. To interact with the API, follow the steps below.

  • Since the application is still not a daemon process, launch another shell session to connect to the server.

    bash
    ssh -i "remotion.pem" ubuntu@example.com
    bash
    ssh -i "remotion.pem" ubuntu@example.com

  • Execute the CURL command

    Request
    bash
     curl --location --request POST 'http://localhost:8080/render' \
    --header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='
    Request
    bash
     curl --location --request POST 'http://localhost:8080/render' \
    --header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='

    The Authorization header is a combination of word Basic and a space, then the base64 encoded username and password joined together by colon, username:password.

    From the /render API resource, the application will execute this piece of code This codes assume the role of ec2-remotion-role, then provided with temporary access tokens ie AccessKeyId, SecretAccessKey and SessionToken. These credentials will then need to be set as environment variables on the server so that in can be used by the renderMediaOnLambda() process. Setting the environment parameters route the render process in this (code)[https://github.com/alexfernandez803/remotion-serverless/blob/main/ec2-app/render_handler.ts#L14].

    API Response
    bash
    {"message":"Video rendered.","renderId":"px60ct13fy","bucketName":"remotionlambda-apsoutheast2-qv16gcf02l"}
    API Response
    bash
    {"message":"Video rendered.","renderId":"px60ct13fy","bucketName":"remotionlambda-apsoutheast2-qv16gcf02l"}

10. Cleanup: Destroy the EC2 instance from your AWS account

Steps

1
From your AWS account.
2
Click on the "EC2" service from the list of available services.
3
From the EC2 Dashboard, select the instance that you want to destroy. For this instance it's "remotion-server".
4
Make sure that you have selected the correct instance, and then click on the "Actions" button located t the top of the page.
5
In the "Actions" drop-down menu, select "Instance State" and then click on "Terminate" from the sub-menu.
6
 A warning message will appear, asking you to confirm the termination. Click on the "Yes, Terminate" button to proceed.
7
 Once you confirm the termination, the instance will enter the "shutting-down" state, and it may take a few minutes for the instance to fully terminate.
8
 After the instance has been terminated, you will no longer access it or any data that was stored on it.

note

This is a simple demonstration of using Remotion's Lambda and EC2. To productionize this approach, other steps may be required based on the use case. Implement an enterprise-grade security mechanism, run the application as a service, and have it sit behind a reverse proxy like Nginx.

See also