What permissions does S3 need for AWS MediaConverter to have access to write files?


We are using AWS MediaConverter to convert videos to mp4 format. But MediaConverter is giving this error in the job:

Unable to write to output file [s3://{path_to_file}]: [Failed to write data: Access Denied]

Obviously, MediaConverter doesn't have write access to the bucket, but I don't know how to grant it.

We have the following policy for S3:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{CloudFront-origin}"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::{S3-bucket}/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::{role-for-our-API}",
                    "arn:aws:iam::{MediaConverter-role}"
                ]
            },
            "Action": "*",
            "Resource": "arn:aws:s3:::{S3-bucket}/*"
        }
    ]
}

Our ACL gives Write and List permissions only to the Bucket Owner. Previously everyone could List and Write objects and MediaConverter worked, but we found that we could not accept List and Write permissions for everyone.

Block public access is off for every option.

The IAM user that we use for the API and the Role that we use for MediaConverter have all the permissions for S3 (AmazonS3FullAccess).

Appreciate any help, thank you.

5

There are 5 best solutions below

4

@uliaadamchuk Try to create a new role (e.g. media-converter) and add the Role ARN to the Job Settings:

Step 1: Go to IAM Role > Create Role > look for MediaConverter and attach the AmazonS3FullAccess and AmazonAPIGatewayInvokeFullAccess (optional) policies, or use the JSON version below:

[screenshot: MediaConverter createRole, two policies attached]

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

[screenshot: AmazonS3FullAccess]

Step 2: In the Media Converter Job Settings > Settings > Add IAM Role > add the Role ARN, e.g. "arn:aws:iam::741xxxxxx:role/media-converter"

Step 3: Create the job and check whether it is working now!

2

I believe that the configuration should be as follows. Please note the changes in "Action" and "Resource", where you were missing the top-level bucket.

{
    "Sid": "2",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::{role-for-our-API}",
            "arn:aws:iam::{MediaConverter-role}"
        ]
    },
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::{S3-bucket}",
        "arn:aws:s3:::{S3-bucket}/*"
    ]
}

0

I had the same problem. I was using the default MediaConvert role which I had modified and it didn't have permission for what I was trying to do.

So, I made a new role for MediaConvert.

Name it MediaConvertRole.

Policies

Note: click the "Attach policies" button; these are pre-made policies provided by Amazon. You don't have to create these from scratch yourself.

  1. AmazonS3FullAccess

Whose policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}

  2. AmazonAPIGatewayInvokeFullAccess

Whose policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke",
                "execute-api:ManageConnections"
            ],
            "Resource": "arn:aws:execute-api:*:*:*"
        }
    ]
}

When you create your MediaConvert job, make sure to select the right role:

[screenshot: MediaConvert role selection]

0

I encountered the same error, also while having the correct S3 permissions for the bucket. The issue that caused it for me was the same thing MichaelTam mentioned: CannedAcl was not matching the bucket permissions. The bucket I used did not have public access, but the job settings specified public access in my CannedAcl.

I assume there can also be other combinations of settings on the bucket and job that can mismatch and give this error. Setting BUCKET_OWNER_FULL_CONTROL worked for me on a bucket with public access blocked and the object writer as owner of the files.

1

I would like to make sure you have set the AccessControl to BUCKET_OWNER_FULL_CONTROL in the MediaConvert job settings. It sounds like this isn't being set in the job settings, and the bucket requires the objects to be set with the Bucket owner full control ACL.

The setting can be found under all the Output Group settings, under destination settings.

"DestinationSettings": {
    "S3Settings": {
        "AccessControl": {
            "CannedAcl": "BUCKET_OWNER_FULL_CONTROL"
        }
    }
}

Regards, Michael
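This answer and the previous one both trace the Access Denied to the canned ACL in the job settings rather than to the bucket policy. As an added example (not code from either answer), here is a pre-submit check over a job settings dict in the shape of MediaConvert's CreateJob JSON (Settings > OutputGroups[] > OutputGroupSettings > *GroupSettings > Destination / DestinationSettings > S3Settings > AccessControl > CannedAcl): it flags output groups with no CannedAcl and groups requesting PUBLIC_READ or AUTHENTICATED_READ on a bucket that blocks public access, and can rewrite every destination to BUCKET_OWNER_FULL_CONTROL. The sample job, bucket name and role ARN are constructed placeholders; the assumption that every destination-carrying group settings object is under OutputGroupSettings is marked in the code.

```python
"""Pre-submit check for the S3 canned ACL on MediaConvert output groups (added example)."""
import copy

# Canned ACLs that grant read access beyond the bucket owner; S3 refuses them
# when Block Public Access is on, which surfaces as Access Denied in the job.
PUBLIC_ACLS = {"PUBLIC_READ", "AUTHENTICATED_READ"}
OWNER_ACL = "BUCKET_OWNER_FULL_CONTROL"


def _group_settings(group):
    """Yield each *GroupSettings dict that carries a Destination (file, HLS, DASH, CMAF).

    Assumption: any dict under OutputGroupSettings with a "Destination" key is a
    destination-carrying settings object; "Type" is a string and is skipped.
    """
    for value in group.get("OutputGroupSettings", {}).values():
        if isinstance(value, dict) and "Destination" in value:
            yield value


def check_output_acls(job, bucket_blocks_public_access=True):
    """Return (group name, finding) tuples; an empty list means the ACLs look consistent."""
    findings = []
    for group in job.get("Settings", {}).get("OutputGroups", []):
        name = group.get("Name", "<unnamed>")
        for gs in _group_settings(group):
            acl = (gs.get("DestinationSettings", {}).get("S3Settings", {})
                     .get("AccessControl", {}).get("CannedAcl"))
            if acl is None:
                findings.append((name, f"no CannedAcl for {gs['Destination']}; set {OWNER_ACL}"))
            elif acl in PUBLIC_ACLS and bucket_blocks_public_access:
                findings.append((name, f"{acl} on {gs['Destination']} conflicts with Block Public Access"))
    return findings


def fix_output_acls(job):
    """Return a deep copy of the job with every destination forced to BUCKET_OWNER_FULL_CONTROL."""
    fixed = copy.deepcopy(job)
    for group in fixed.get("Settings", {}).get("OutputGroups", []):
        for gs in _group_settings(group):
            (gs.setdefault("DestinationSettings", {})
               .setdefault("S3Settings", {})
               .setdefault("AccessControl", {}))["CannedAcl"] = OWNER_ACL
    return fixed


# Constructed sample: one group asks for PUBLIC_READ, one sets no ACL at all.
SAMPLE_JOB = {
    "Role": "arn:aws:iam::111122223333:role/media-converter",  # placeholder
    "Settings": {
        "OutputGroups": [
            {
                "Name": "File Group",
                "OutputGroupSettings": {
                    "Type": "FILE_GROUP_SETTINGS",
                    "FileGroupSettings": {
                        "Destination": "s3://example-output-bucket/converted/",
                        "DestinationSettings": {
                            "S3Settings": {"AccessControl": {"CannedAcl": "PUBLIC_READ"}}
                        },
                    },
                },
            },
            {
                "Name": "Thumbnails",
                "OutputGroupSettings": {
                    "Type": "FILE_GROUP_SETTINGS",
                    "FileGroupSettings": {"Destination": "s3://example-output-bucket/thumbs/"},
                },
            },
        ]
    },
}

if __name__ == "__main__":
    for name, finding in check_output_acls(SAMPLE_JOB):
        print(f"{name}: {finding}")
    print("after fix:", check_output_acls(fix_output_acls(SAMPLE_JOB)))
```

Run against the sample, both groups are reported; after `fix_output_acls` the check is clean. With `bucket_blocks_public_access=False` only the group with no ACL is reported, which matches the earlier answer's observation that the mismatch depends on the bucket's settings as much as on the job's.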