I was able to restrict access to private content on my bucket using CloudFront, but now I'm unable to read from the bucket for Elemental MediaConvert. Is there any way to allow only the MediaConvert service and restrict everything else?
Here is my bucket policy:
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3U7X28UWXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myawsbucket5696/*"
        }
    ]
}
Any help is appreciated. Thank you.
The 3403 error is 'HTTP Access Forbidden'. MediaConvert cannot read that file. Is it perhaps owned by a user other than the bucket owner? The role within your account, which MediaConvert assumes when running jobs on your behalf, will be subject to whatever access restrictions exist on objects within your source S3 bucket.
You can test and debug this file access outside of MediaConvert by assuming the designated role in your AWS Console and then using the CloudShell prompt. Use the s3api command to attempt to get metadata about the object in question. This should succeed if your role has permission to touch the object. For example: aws s3api head-object --bucket mynewbucket --key myfile.mov
FYI, you can see all MediaConvert error codes at https://docs.aws.amazon.com/mediaconvert/latest/ug/mediaconvert_error_codes.html
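The question asks for a bucket policy that lets exactly two principals read the bucket: the CloudFront OAI already in the policy and the role MediaConvert assumes for the job. Below is an added example, not code from the thread or from AWS, that takes the policy posted in the question, appends a read-only statement for that role, and then audits the result so a later edit cannot quietly widen it (a `"Principal": "*"` or an `s3:*` action would be flagged). The account id and role name in `MEDIACONVERT_ROLE_ARN` are assumptions; substitute the ARN your jobs actually run under.

```python
import copy
import json

# Constructed sample: the bucket policy from the question, which allows only
# the CloudFront Origin Access Identity to read objects.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3U7X28UWXXXXX"
BUCKET = "myawsbucket5696"
ORIGINAL_POLICY = {
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_ARN},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

# Hypothetical account id and MediaConvert service-role name (an assumption,
# not from the thread): use the role ARN your MediaConvert jobs run under.
MEDIACONVERT_ROLE_ARN = "arn:aws:iam::123456789012:role/MediaConvert_Default_Role"

# The only actions a read-only source bucket needs to grant.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    """Policy fields may be a string or a list of strings; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element ("*", a string, or {"AWS": ...}) to a list."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return _as_list(principal)


def add_mediaconvert_statement(policy, role_arn, bucket):
    """Return a deep copy of the policy with one extra Allow statement for the
    MediaConvert service role: GetObject on the objects and ListBucket on the
    bucket itself. ListBucket is what makes a missing key show up as 404
    rather than an ambiguous 403 when you run head-object as the role.
    Idempotent: calling it twice adds the statement once."""
    new_policy = copy.deepcopy(policy)
    sid = "AllowMediaConvertRoleRead"
    statements = new_policy.setdefault("Statement", [])
    if any(s.get("Sid") == sid for s in statements):
        return new_policy
    statements.append({
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": sorted(READ_ONLY_ACTIONS),
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    })
    return new_policy


def audit_policy(policy, allowed_principals):
    """Return findings for Allow statements that grant more than 'read access
    for exactly these principals': a wildcard or unlisted principal, or an
    action outside READ_ONLY_ACTIONS (including s3:* style wildcards).
    An empty list means the policy does only what the question asked for."""
    findings = []
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid", "<no Sid>")
        for p in _principals(s):
            if p == "*":
                findings.append(f"{sid}: grants access to everyone (Principal *)")
            elif p not in allowed_principals:
                findings.append(f"{sid}: unexpected principal {p}")
        for a in _as_list(s.get("Action")):
            if "*" in a or a not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: action {a} is broader than read-only")
    return findings


if __name__ == "__main__":
    fixed = add_mediaconvert_statement(ORIGINAL_POLICY, MEDIACONVERT_ROLE_ARN, BUCKET)
    print(json.dumps(fixed, indent=2))
    for finding in audit_policy(fixed, {OAI_ARN, MEDIACONVERT_ROLE_ARN}):
        print("FINDING:", finding)
```

Two caveats when applying this. A bucket policy made only of Allow statements does not by itself block the role; if the role's own IAM policy already grants s3:GetObject on the bucket, the extra statement is belt-and-braces rather than the fix, and the head-object test in the answer is the quickest way to tell which case you are in. And if the object was uploaded by a different account, as the answer suggests, no bucket policy in your account will make it readable: object ownership or the object ACL governs, so either set the bucket's Object Ownership to bucket owner enforced or have the uploader re-upload with bucket-owner-full-control.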