Authenticating Lambda with EC2
EC2 instances have credentials that can interact with the AWS SDK. If you would like to use them with Remotion Lambda, you need to assume the role using STS to generate an access token that can be used by Remotion.
This guide will demonstrate how to securely interact with Remotion's renderMediaOnLambda() operations from an AWS EC2 instance using Node.js and TypeScript.
To supplement this guide, two projects have been created:
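- remotion-app contains a Remotion composition and utility scripts for deploying and deleting the Remotion Lambda infrastructure in AWS. Note that this is the same application featured in the Serverless Framework guide. If Remotion Lambda is not yet deployed to your AWS account, follow the setup guide.
- ec2-remotion-lambda is a TypeScript Node.js application that initiates the video render process via a REST endpoint.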
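Prerequisites
- An AWS deployment profile configured on your local machine.
- An AWS policy named remotion-executionrole-policy, created by following this guide.
- An understanding of how IAM and Assume Role work in AWS.
- Knowledge of creating and provisioning EC2 instances and installing packages on an Ubuntu distribution. This includes Git, Node.js, and running a Node.js application.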
Setup for ec2-remotion-lambda application
1. Create the Remotion policy
remotion-executionrole-policy should already have been created; if not, follow this guide to set it up.
2. Create role for remotion render execution
Steps
Go to the IAM Roles section of your AWS account.
3. Create a role for the EC2 instance
Steps
Start from the IAM Roles section of your AWS account.
4. Trust the EC2 role from "remotion-ec2-executionrole"
Steps
In the IAM Roles section, find the role created in step 2, or filter roles by name using "remotion-ec2-executionrole".
remotion-ec2-executionrole
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::XXXXXXXX:role/ec2-remotion-role"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
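This configuration grants ec2-remotion-role permission to assume the remotion-ec2-executionrole role, which provides the permissions needed to access the AWS services and resources that Remotion requires for video rendering.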
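A check for the trust policy above, as an added example that is not part of the original guide: it reports any principal allowed to call sts:AssumeRole on remotion-ec2-executionrole that is not on an explicit allow-list. The function name lintTrustPolicy and the constructed loosened policy are assumptions made for illustration; the account id stays the page's XXXXXXXX placeholder.

```typescript
type OneOrMany = string | string[];
type Principal = "*" | { AWS?: OneOrMany; Service?: OneOrMany };
interface Statement { Sid?: string; Effect: string; Principal: Principal; Action: OneOrMany }
interface TrustPolicy { Version: string; Statement: Statement[] }

const toList = (v?: OneOrMany): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const has = (xs: string[], x: string): boolean => xs.indexOf(x) !== -1;

// Returns one finding per principal that can assume the role but is not on the allow-list.
function lintTrustPolicy(policy: TrustPolicy, allowedAws: string[], allowedServices: string[]): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((st, i) => {
    const assume = toList(st.Action).some((a) => has(["*", "sts:*", "sts:AssumeRole"], a));
    if (st.Effect !== "Allow" || !assume) return;
    if (st.Principal === "*") {
      findings.push(`Statement ${i}: wildcard principal`);
      return;
    }
    for (const arn of toList(st.Principal.AWS)) {
      if (arn === "*") findings.push(`Statement ${i}: wildcard AWS principal`);
      else if (/^arn:aws:iam::[^:]+:root$/.test(arn)) findings.push(`Statement ${i}: whole account trusted (${arn})`);
      else if (!has(allowedAws, arn)) findings.push(`Statement ${i}: unexpected AWS principal ${arn}`);
    }
    for (const svc of toList(st.Principal.Service)) {
      if (!has(allowedServices, svc)) findings.push(`Statement ${i}: unexpected service ${svc}`);
    }
  });
  return findings;
}

// Placeholder account id, exactly as written in the guide.
const EC2_ROLE = "arn:aws:iam::XXXXXXXX:role/ec2-remotion-role";

// The trust policy from step 4.
const guidePolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "", Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" },
    { Sid: "", Effect: "Allow", Principal: { AWS: EC2_ROLE }, Action: "sts:AssumeRole" },
  ],
};

// Constructed counter-example: the EC2 statement loosened to the whole account and a wildcard.
const loosePolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: ["arn:aws:iam::XXXXXXXX:root", "*"] }, Action: ["sts:AssumeRole"] }],
};
```

Calling lintTrustPolicy(guidePolicy, [EC2_ROLE], ["lambda.amazonaws.com"]) returns no findings, while the loosened policy yields one finding per over-broad principal.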
6. Create the EC2 instance
Steps
- From the AWS Management Console:
1. Go to the EC2 dashboard by selecting EC2 from the list of services.
2. Click on the "Launch Instance" button.
3. Choose an Amazon Machine Image (AMI) that you want to use for your instance. You can select from a variety of pre-configured AMIs, or you can create your own. For this instance, choose "Ubuntu AMI".
4. Select an instance type that you want to use for your instance. The instance type determines the amount of CPU, memory, storage, and networking capacity that your instance will have. The recommended operating system is Ubuntu, with at least 1 GiB of RAM.
5. Configure your instance details, such as the number of instances you want to launch, the VPC and subnet you want to use, and any advanced settings you want to enable.
6. Under "Network settings", tick "Allow SSH traffic from" and select "My IP address" as the allowed source. This will allow you to connect to the server instance via SSH and SFTP to upload the application code.
7. Also under "Network settings", click "Allow HTTP traffic from the internet". This will allow the application to be triggered for REST API operations.
8. Add storage to your instance by selecting the storage type and size you want to use.
9. Under "Advanced details", in "IAM instance profile", find the role you specifically created for EC2, which is "ec2-remotion-role".
10. Review your instance launch details and click the "Launch" button.
11. Choose an existing key pair or create a new key pair to securely connect to your instance. This key pair is necessary to access your instance via SSH.
12. Launch your instance by clicking the "Launch Instances" button.
13. Wait for your instance to launch. Once it's ready, you can connect to it using SSH, RDP, or other remote access methods.
7. Upload the code to the server and install dependencies
The application requires Node.js and NVM on the server. You can follow this guide for installing Node.js. The recommended Node.js version is v18.15.0, and NVM is quite helpful for switching between Node.js versions. Install it and learn how to use it by following this guide.
Upload the application code to the EC2 instance by any means you are comfortable with. For this instance, the code was uploaded using an SFTP client named Cyberduck. Upload the application code to the home directory. When logging in from Cyberduck, the default directory is /home/ubuntu.
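Installing the dependencies
Connect to the server using an SSH client. Below is an example of how to connect to the server, change to the application directory, and install the dependencies.
    ssh -i "remotion.pem" ubuntu@example.com
    cd ec2-remotion-lambda
    npm i
8. Configure the application environment variables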
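Steps
In the application directory, create a file named .env with the keys PORT, REMOTION_ROLE_ARN, REMOTION_ROLE_SESSION_NAME, API_USERNAME and API_PASSWORD.
.env
    PORT=8080
    REMOTION_ROLE_ARN=arn:aws:iam::XXXXXXXXXX:role/remotion-ec2-executionrole
    REMOTION_ROLE_SESSION_NAME=render-sessions
    API_USERNAME=admin
    API_PASSWORD=password
- PORT is the port the application runs on.
- REMOTION_ROLE_ARN is the ARN of the role that the application assumes to render videos. In this instance, it is the ARN of remotion-ec2-executionrole from step 2.
- REMOTION_ROLE_SESSION_NAME is a name that uniquely identifies the role session when the same role is assumed by different principals.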
The application is secured using basic authentication (a username and password). In a production setting, this needs to be updated to a more robust security mechanism.
- API_USERNAME is the username to use when interacting with the API.
- API_PASSWORD is the password to use when interacting with the API.
9. Run the application from the application directory, by executing the command below
    npm run start
The application will start an HTTP service that is accessible on the port specified in .env. For this instance, it is port 8080.
9. Interacting with the API
The application can be interacted with using CURL. To interact with the API, follow the steps below.
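- Since the application is not yet a daemon, start another shell session to connect to the server.
      ssh -i "remotion.pem" ubuntu@example.com
- Execute the CURL command.
  Request
      curl --location --request POST 'http://localhost:8080/render' \
        --header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='
  The Authorization header is the word Basic, followed by a space and then the base64 encoding of the username and password joined by a colon (username:password).
- From the /render API resource, the application executes this code. This code assumes the role of ec2-remotion-role and is then provided with temporary access tokens, i.e. AccessKeyId, SecretAccessKey and SessionToken. These credentials then need to be set as environment variables on the server so that they can be used by the renderMediaOnLambda() process. Setting the environment parameters enables the rendering process in this code.
  API Response
      {"message":"Video rendered.","renderId":"px60ct13fy","bucketName":"remotionlambda-apsoutheast2-qv16gcf02l"}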
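The credential hand-off described above, as an added example that is not the project's own code: it validates the Credentials object returned by STS AssumeRole, exposes it through the standard AWS SDK environment variables only while the render runs, and restores the previous values afterwards, because environment credentials are read before the instance profile and stale tokens would otherwise break the next AssumeRole call. The helper names toEnv and withAssumedRole and the 60-second minimum lifetime are assumptions; the STS call itself appears only as a comment because it needs network access.

```typescript
// Shape of `Credentials` in an STS AssumeRole response.
interface StsCredentials { AccessKeyId?: string; SecretAccessKey?: string; SessionToken?: string; Expiration?: Date }
type Env = Record<string, string | undefined>;

const KEYS = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"];

// Validate the response and map it to the standard AWS SDK environment variable names.
function toEnv(creds: StsCredentials | undefined, now: Date, minTtlMs: number = 60000): Record<string, string> {
  if (!creds || !creds.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) {
    throw new Error("AssumeRole returned incomplete credentials");
  }
  if (creds.Expiration && creds.Expiration.getTime() - now.getTime() < minTtlMs) {
    throw new Error("temporary credentials expire too soon to start a render");
  }
  return {
    AWS_ACCESS_KEY_ID: creds.AccessKeyId,
    AWS_SECRET_ACCESS_KEY: creds.SecretAccessKey,
    AWS_SESSION_TOKEN: creds.SessionToken,
  };
}

// Expose the temporary credentials only while `render` runs, then restore the previous
// values so expired tokens do not keep shadowing the instance profile credentials.
async function withAssumedRole<T>(
  env: Env, creds: StsCredentials | undefined, render: () => Promise<T>, now: Date = new Date(),
): Promise<T> {
  const next = toEnv(creds, now);
  const previous: Env = {};
  for (const k of KEYS) {
    previous[k] = env[k];
    env[k] = next[k];
  }
  try {
    return await render();
  } finally {
    for (const k of KEYS) {
      if (previous[k] === undefined) delete env[k];
      else env[k] = previous[k];
    }
  }
}

// In the application (needs @aws-sdk/client-sts and @remotion/lambda, not loaded here;
// `renderOptions` is a hypothetical variable holding the render input):
//   const { Credentials } = await new STSClient({}).send(new AssumeRoleCommand({
//     RoleArn: process.env.REMOTION_ROLE_ARN, RoleSessionName: process.env.REMOTION_ROLE_SESSION_NAME }));
//   await withAssumedRole(process.env, Credentials, () => renderMediaOnLambda(renderOptions));
```

Environment variables are process-wide, so renders that run concurrently share whatever credentials are set at that moment.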
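10. Cleanup: Destroy the EC2 instance from your AWS account
Steps
Start from your AWS account.
This is a simple demonstration of using Remotion's Lambda with EC2. To take this approach to production, additional steps may be required depending on the use case: implement enterprise-grade security mechanisms, run the application as a service, and put it behind a reverse proxy such as Nginx.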
See also