Authentication
You can authenticate with the @remotion/lambda package either using:
- an
REMOTION_AWS_PROFILEorAWS_PROFILEenvironment variable pointing to a file REMOTION_AWS_ACCESS_KEY_IDandREMOTION_AWS_SECRET_ACCESS_KEYenvironment variablesAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYenvironment variables
Environment variables sitting in a .env file are automatically picked up if you use the Remotion CLI, but not if you use the Node.JS APIs. If multiple ways are provided, Remotion will use the order above and use the first credentials found.
We recommend using the environment variable variants prefixed with REMOTION_ because:
- On some environments, the unprefixed variants may be reserved (e.g. Vercel deployments)
- Confusing conflicts between Remotion and the AWS CLI may be caused if you use the unprefixed versions.
Rotating credentials
Using more than one AWS account can be a viable scaling strategy to increase the concurrency limit. To do so, you can set new values for the REMOTION_AWS_ACCESS_KEY_ID and REMOTION_AWS_SECRET_ACCESS_KEY or other environment variables before making an operation using @remotion/lambda. Below is an implementation example.
.envini
.envini
You need to read the .env file yourself using the dotenv package.
rotate-credentials.tstsxgetAccountCount = () => {letcount = 0;while (process .env ["AWS_KEY_" + (count + 1)] &&process .env ["AWS_SECRET_" + (count + 1)]) {count ++;}returncount ;};constgetRandomAwsAccount = () => {returnMath .ceil (Math .random () *getAccountCount ());};constsetEnvForKey = (key : number) => {process .env .REMOTION_AWS_ACCESS_KEY_ID =process .env [`AWS_KEY_${key }`];process .env .REMOTION_AWS_SECRET_ACCESS_KEY =process .env [`AWS_SECRET_${key }`];};// Set random account credentialssetEnvForKey (getRandomAwsAccount ());
rotate-credentials.tstsxgetAccountCount = () => {letcount = 0;while (process .env ["AWS_KEY_" + (count + 1)] &&process .env ["AWS_SECRET_" + (count + 1)]) {count ++;}returncount ;};constgetRandomAwsAccount = () => {returnMath .ceil (Math .random () *getAccountCount ());};constsetEnvForKey = (key : number) => {process .env .REMOTION_AWS_ACCESS_KEY_ID =process .env [`AWS_KEY_${key }`];process .env .REMOTION_AWS_SECRET_ACCESS_KEY =process .env [`AWS_SECRET_${key }`];};// Set random account credentialssetEnvForKey (getRandomAwsAccount ());
Using an AWS profile
available from v3.3.9
If you prefer AWS profile, you may use them. The list of profiles is located at ~/.aws/credentials on macOS and Linux and has the following format:
~/.aws/credentialsini
~/.aws/credentialsini
In this example, we added a remotion profile. Now, by setting REMOTION_AWS_PROFILE=remotion, you can select the profile and don't need to pass each environment variable separately anymore.
Skipping the credentials checkv4.0.160
There are other ways the S3 client can authenticate, like from EC2 instance metadata.
If you have set this up, you may set the REMOTION_SKIP_AWS_CREDENTIALS_CHECK environment variable to any value.
ts
ts
Remotion will not check the credentials and will not throw an error if they are not set.
However, if there is a misconfiguration, you may still get an error from the AWS SDK.
Also read the note about caching clients.
Disable cachingv4.0.160
AWS clients are cached to save memory and speed up initialization.
The cache key is based on the credentials and the region.
If you opted out of the credentials check, the instance is cached for the lifetime of the process.
If you want to disable the cache, set the REMOTION_SKIP_AWS_CREDENTIALS_CHECK environment variable to any value.
It's unlikely you need to set this value. This is only if you change the way you authenticate between API calls.