From 88e1c217d5db6310c42466cb98b79dda519a37eb Mon Sep 17 00:00:00 2001 From: awstools Date: Fri, 8 Nov 2024 19:22:22 +0000 Subject: [PATCH] feat(client-chime-sdk-media-pipelines): Added support for Media Capture Pipeline and Media Concatenation Pipeline for customer managed server side encryption. Now Media Capture Pipeline can use IAM sink role to get access to KMS key and encrypt/decrypt recorded artifacts. KMS key ID can also be supplied with encryption context. --- .../CreateMediaCapturePipelineCommand.ts | 10 ++ .../GetMediaCapturePipelineCommand.ts | 5 + .../src/commands/GetMediaPipelineCommand.ts | 5 + .../src/models/models_0.ts | 105 ++++++++++++++++++ .../src/protocols/Aws_restJson1.ts | 9 ++ .../aws-models/chime-sdk-media-pipelines.json | 47 +++++++- 6 files changed, 180 insertions(+), 1 deletion(-) diff --git a/clients/client-chime-sdk-media-pipelines/src/commands/CreateMediaCapturePipelineCommand.ts b/clients/client-chime-sdk-media-pipelines/src/commands/CreateMediaCapturePipelineCommand.ts index 2b0b397a27ed..7a6f5290f9e8 100644 --- a/clients/client-chime-sdk-media-pipelines/src/commands/CreateMediaCapturePipelineCommand.ts +++ b/clients/client-chime-sdk-media-pipelines/src/commands/CreateMediaCapturePipelineCommand.ts @@ -107,6 +107,11 @@ export interface CreateMediaCapturePipelineCommandOutput extends CreateMediaCapt * }, * }, * }, + * SseAwsKeyManagementParams: { // SseAwsKeyManagementParams + * AwsKmsKeyId: "STRING_VALUE", // required + * AwsKmsEncryptionContext: "STRING_VALUE", + * }, + * SinkIamRoleArn: "STRING_VALUE", * Tags: [ // TagList * { // Tag * Key: "STRING_VALUE", // required @@ -184,6 +189,11 @@ export interface CreateMediaCapturePipelineCommandOutput extends CreateMediaCapt * // }, * // }, * // }, + * // SseAwsKeyManagementParams: { // SseAwsKeyManagementParams + * // AwsKmsKeyId: "STRING_VALUE", // required + * // AwsKmsEncryptionContext: "STRING_VALUE", + * // }, + * // SinkIamRoleArn: "STRING_VALUE", * // }, * // }; * 
diff --git a/clients/client-chime-sdk-media-pipelines/src/commands/GetMediaCapturePipelineCommand.ts b/clients/client-chime-sdk-media-pipelines/src/commands/GetMediaCapturePipelineCommand.ts index 8991ded90667..e844d428067b 100644 --- a/clients/client-chime-sdk-media-pipelines/src/commands/GetMediaCapturePipelineCommand.ts +++ b/clients/client-chime-sdk-media-pipelines/src/commands/GetMediaCapturePipelineCommand.ts @@ -116,6 +116,11 @@ export interface GetMediaCapturePipelineCommandOutput extends GetMediaCapturePip * // }, * // }, * // }, + * // SseAwsKeyManagementParams: { // SseAwsKeyManagementParams + * // AwsKmsKeyId: "STRING_VALUE", // required + * // AwsKmsEncryptionContext: "STRING_VALUE", + * // }, + * // SinkIamRoleArn: "STRING_VALUE", * // }, * // }; * diff --git a/clients/client-chime-sdk-media-pipelines/src/commands/GetMediaPipelineCommand.ts b/clients/client-chime-sdk-media-pipelines/src/commands/GetMediaPipelineCommand.ts index 0d2b3754f100..2760f8b19442 100644 --- a/clients/client-chime-sdk-media-pipelines/src/commands/GetMediaPipelineCommand.ts +++ b/clients/client-chime-sdk-media-pipelines/src/commands/GetMediaPipelineCommand.ts @@ -117,6 +117,11 @@ export interface GetMediaPipelineCommandOutput extends GetMediaPipelineResponse, * // }, * // }, * // }, + * // SseAwsKeyManagementParams: { // SseAwsKeyManagementParams + * // AwsKmsKeyId: "STRING_VALUE", // required + * // AwsKmsEncryptionContext: "STRING_VALUE", + * // }, + * // SinkIamRoleArn: "STRING_VALUE", * // }, * // MediaLiveConnectorPipeline: { // MediaLiveConnectorPipeline * // Sources: [ // LiveConnectorSourceList diff --git a/clients/client-chime-sdk-media-pipelines/src/models/models_0.ts b/clients/client-chime-sdk-media-pipelines/src/models/models_0.ts index 0f7d9aa6c592..873ee9ed8bff 100644 --- a/clients/client-chime-sdk-media-pipelines/src/models/models_0.ts +++ b/clients/client-chime-sdk-media-pipelines/src/models/models_0.ts 
@@ -392,6 +392,10 @@ export interface AmazonTranscribeProcessorConfiguration { /** *

Turns language identification on or off for multiple languages.

+ * + *

Calls to this API must include a LanguageCode, IdentifyLanguage, or IdentifyMultipleLanguages parameter. + * If you include more than one of those parameters, your transcription job fails.

+ *
* @public */ IdentifyMultipleLanguages?: boolean; @@ -1214,6 +1218,68 @@ export const MediaPipelineSourceType = { */ export type MediaPipelineSourceType = (typeof MediaPipelineSourceType)[keyof typeof MediaPipelineSourceType]; +/** + *

Contains server side encryption parameters to be used by media capture pipeline. The + * parameters can also be used by media concatenation pipeline taking media capture pipeline + * as a media source.

+ * @public + */ +export interface SseAwsKeyManagementParams { + /** + *

The KMS key you want to use to encrypt your media pipeline output. + * Decryption is required for concatenation pipeline. If using a key located in the current + * Amazon Web Services account, you can specify your KMS key in one of four + * ways:

+ * + *

If using a key located in a different Amazon Web Services account than the current + * Amazon Web Services account, you can specify your KMS key in one of two + * ways:

+ * + *

If you don't specify an encryption key, your output is encrypted with the default + * Amazon S3 key (SSE-S3).

+ *

Note that the role specified in the SinkIamRoleArn request parameter must + * have permission to use the specified KMS key.

+ * @public + */ + AwsKmsKeyId: string | undefined; + + /** + *

Base64-encoded string of a UTF-8 encoded JSON, which contains the encryption context as + * non-secret key-value pair known as encryption context pairs, that provides an added layer + * of security for your data. For more information, see KMS encryption + * context and Asymmetric keys in KMS in the Key Management Service Developer + * Guide.

+ * @public + */ + AwsKmsEncryptionContext?: string; +} + /** *

A key/value pair that grants users access to meeting resources.

* @public @@ -1274,6 +1340,28 @@ export interface CreateMediaCapturePipelineRequest { */ ChimeSdkMeetingConfiguration?: ChimeSdkMeetingConfiguration; + /** + *

An object that contains server side encryption parameters to be used by media capture + * pipeline. The parameters can also be used by media concatenation pipeline taking media + * capture pipeline as a media source.

+ * @public + */ + SseAwsKeyManagementParams?: SseAwsKeyManagementParams; + + /** + *

The Amazon Resource Name (ARN) of the sink role to be used with AwsKmsKeyId + * in SseAwsKeyManagementParams. Can only interact with S3Bucket + * sink type. The role must belong to the caller’s account and be able to act on behalf of the + * caller during the API call. All minimum policy permissions requirements for the caller to + * perform sink-related actions are the same for SinkIamRoleArn.

+ *

Additionally, the role must have permission to kms:GenerateDataKey using + * KMS key supplied as AwsKmsKeyId in SseAwsKeyManagementParams. If + * media concatenation will be required later, the role must also have permission to + * kms:Decrypt for the same KMS key.

+ * @public + */ + SinkIamRoleArn?: string; + /** *

The tag key-value pairs.

* @public @@ -1368,6 +1456,21 @@ export interface MediaCapturePipeline { * @public */ ChimeSdkMeetingConfiguration?: ChimeSdkMeetingConfiguration; + + /** + *

An object that contains server side encryption parameters to be used by media capture + * pipeline. The parameters can also be used by media concatenation pipeline taking media + * capture pipeline as a media source.

+ * @public + */ + SseAwsKeyManagementParams?: SseAwsKeyManagementParams; + + /** + *

The Amazon Resource Name (ARN) of the sink role to be used with AwsKmsKeyId + * in SseAwsKeyManagementParams.

+ * @public + */ + SinkIamRoleArn?: string; } /** @@ -4060,6 +4163,7 @@ export const CreateMediaCapturePipelineRequestFilterSensitiveLog = (obj: CreateM ...(obj.ChimeSdkMeetingConfiguration && { ChimeSdkMeetingConfiguration: ChimeSdkMeetingConfigurationFilterSensitiveLog(obj.ChimeSdkMeetingConfiguration), }), + ...(obj.SinkIamRoleArn && { SinkIamRoleArn: SENSITIVE_STRING }), }); /** @@ -4072,6 +4176,7 @@ export const MediaCapturePipelineFilterSensitiveLog = (obj: MediaCapturePipeline ...(obj.ChimeSdkMeetingConfiguration && { ChimeSdkMeetingConfiguration: ChimeSdkMeetingConfigurationFilterSensitiveLog(obj.ChimeSdkMeetingConfiguration), }), + ...(obj.SinkIamRoleArn && { SinkIamRoleArn: SENSITIVE_STRING }), }); /** diff --git a/clients/client-chime-sdk-media-pipelines/src/protocols/Aws_restJson1.ts b/clients/client-chime-sdk-media-pipelines/src/protocols/Aws_restJson1.ts index a9bb990070df..5ee05cade440 100644 --- a/clients/client-chime-sdk-media-pipelines/src/protocols/Aws_restJson1.ts +++ b/clients/client-chime-sdk-media-pipelines/src/protocols/Aws_restJson1.ts @@ -207,6 +207,7 @@ import { SourceConfiguration, SpeakerSearchTask, SqsQueueSinkConfiguration, + SseAwsKeyManagementParams, StreamChannelDefinition, StreamConfiguration, Tag, @@ -241,9 +242,11 @@ export const se_CreateMediaCapturePipelineCommand = async ( ChimeSdkMeetingConfiguration: (_) => _json(_), ClientRequestToken: [true, (_) => _ ?? generateIdempotencyToken()], SinkArn: [], + SinkIamRoleArn: [], SinkType: [], SourceArn: [], SourceType: [], + SseAwsKeyManagementParams: (_) => _json(_), Tags: (_) => _json(_), }) ); @@ -1886,6 +1889,8 @@ const se_KinesisVideoStreamRecordingSourceRuntimeConfiguration = ( // se_SqsQueueSinkConfiguration omitted. +// se_SseAwsKeyManagementParams omitted. + // se_StreamChannelDefinition omitted. // se_StreamConfiguration omitted. 
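Review bot: In the two FilterSensitiveLog hunks (`CreateMediaCapturePipelineRequestFilterSensitiveLog` and `MediaCapturePipelineFilterSensitiveLog`) only `SinkIamRoleArn` is replaced with `SENSITIVE_STRING`; the new `SseAwsKeyManagementParams` member gets no entry, so `AwsKmsKeyId` and `AwsKmsEncryptionContext` presumably reach log output unredacted. That is consistent with the field documentation, which describes the context pairs as non-secret, but the doc comment on `AwsKmsEncryptionContext` never tells callers to keep sensitive values out of it, and Base64 encoding does not hide them. I would add a sentence to that doc comment such as `Do not put secrets or personal data in the encryption context; it is not redacted from SDK log output.` If models_0.ts is generated, as the `codegen/` path in this commit suggests, the sentence belongs in the `smithy.api#documentation` trait of the model rather than in the TypeScript. Both filter functions begin outside their hunks, so the remark about what is passed through is inferred from the visible lines only.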
@@ -2054,9 +2059,11 @@ const de_MediaCapturePipeline = (output: any, context: __SerdeContext): MediaCap MediaPipelineArn: __expectString, MediaPipelineId: __expectString, SinkArn: __expectString, + SinkIamRoleArn: __expectString, SinkType: __expectString, SourceArn: __expectString, SourceType: __expectString, + SseAwsKeyManagementParams: _json, Status: __expectString, UpdatedTimestamp: (_: any) => __expectNonNull(__parseRfc3339DateTimeWithOffset(_)), }) as any; @@ -2234,6 +2241,8 @@ const de_SpeakerSearchTask = (output: any, context: __SerdeContext): SpeakerSear // de_SqsQueueSinkConfiguration omitted. +// de_SseAwsKeyManagementParams omitted. + // de_StreamChannelDefinition omitted. // de_StreamConfiguration omitted. diff --git a/codegen/sdk-codegen/aws-models/chime-sdk-media-pipelines.json b/codegen/sdk-codegen/aws-models/chime-sdk-media-pipelines.json index 9c93ac5e3aab..f0f53979afca 100644 --- a/codegen/sdk-codegen/aws-models/chime-sdk-media-pipelines.json +++ b/codegen/sdk-codegen/aws-models/chime-sdk-media-pipelines.json @@ -260,7 +260,7 @@ "target": "com.amazonaws.chimesdkmediapipelines#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "

Turns language identification on or off for multiple languages.

" + "smithy.api#documentation": "

Turns language identification on or off for multiple languages.

\n \n

Calls to this API must include a LanguageCode, IdentifyLanguage, or IdentifyMultipleLanguages parameter. \n If you include more than one of those parameters, your transcription job fails.

\n
" } }, "LanguageOptions": { @@ -1982,6 +1982,18 @@ "smithy.api#documentation": "

The configuration for a specified media pipeline. SourceType must\n be ChimeSdkMeeting.

" } }, + "SseAwsKeyManagementParams": { + "target": "com.amazonaws.chimesdkmediapipelines#SseAwsKeyManagementParams", + "traits": { + "smithy.api#documentation": "

An object that contains server side encryption parameters to be used by media capture\n pipeline. The parameters can also be used by media concatenation pipeline taking media\n capture pipeline as a media source.

" + } + }, + "SinkIamRoleArn": { + "target": "com.amazonaws.chimesdkmediapipelines#Arn", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the sink role to be used with AwsKmsKeyId\n in SseAwsKeyManagementParams. Can only interact with S3Bucket\n sink type. The role must belong to the caller’s account and be able to act on behalf of the\n caller during the API call. All minimum policy permissions requirements for the caller to\n perform sink-related actions are the same for SinkIamRoleArn.

\n

Additionally, the role must have permission to kms:GenerateDataKey using\n KMS key supplied as AwsKmsKeyId in SseAwsKeyManagementParams. If\n media concatenation will be required later, the role must also have permission to\n kms:Decrypt for the same KMS key.

" + } + }, "Tags": { "target": "com.amazonaws.chimesdkmediapipelines#TagList", "traits": { @@ -4585,6 +4597,18 @@ "traits": { "smithy.api#documentation": "

The configuration for a specified media pipeline. SourceType must\n be ChimeSdkMeeting.

" } + }, + "SseAwsKeyManagementParams": { + "target": "com.amazonaws.chimesdkmediapipelines#SseAwsKeyManagementParams", + "traits": { + "smithy.api#documentation": "

An object that contains server side encryption parameters to be used by media capture\n pipeline. The parameters can also be used by media concatenation pipeline taking media\n capture pipeline as a media source.

" + } + }, + "SinkIamRoleArn": { + "target": "com.amazonaws.chimesdkmediapipelines#Arn", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the sink role to be used with AwsKmsKeyId\n in SseAwsKeyManagementParams.

" + } } }, "traits": { @@ -6146,6 +6170,27 @@ "smithy.api#documentation": "

The configuration settings for the SQS sink.

" } }, + "com.amazonaws.chimesdkmediapipelines#SseAwsKeyManagementParams": { + "type": "structure", + "members": { + "AwsKmsKeyId": { + "target": "com.amazonaws.chimesdkmediapipelines#String", + "traits": { + "smithy.api#documentation": "

The KMS key you want to use to encrypt your media pipeline output.\n Decryption is required for concatenation pipeline. If using a key located in the current\n Amazon Web Services account, you can specify your KMS key in one of four\n ways:

\n \n

If using a key located in a different Amazon Web Services account than the current\n Amazon Web Services account, you can specify your KMS key in one of two\n ways:

\n \n

If you don't specify an encryption key, your output is encrypted with the default\n Amazon S3 key (SSE-S3).

\n

Note that the role specified in the SinkIamRoleArn request parameter must\n have permission to use the specified KMS key.

", + "smithy.api#required": {} + } + }, + "AwsKmsEncryptionContext": { + "target": "com.amazonaws.chimesdkmediapipelines#String", + "traits": { + "smithy.api#documentation": "

Base64-encoded string of a UTF-8 encoded JSON, which contains the encryption context as\n non-secret key-value pair known as encryption context pairs, that provides an added layer\n of security for your data. For more information, see KMS encryption\n context and Asymmetric keys in KMS in the Key Management Service Developer\n Guide.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains server side encryption parameters to be used by media capture pipeline. The\n parameters can also be used by media concatenation pipeline taking media capture pipeline\n as a media source.

" + } + }, "com.amazonaws.chimesdkmediapipelines#StartSpeakerSearchTask": { "type": "operation", "input": {