What permissions S3 needs for AWS MediaConverter to have access to write files?

Question

We are using AWS MediaConverter to convert videos to mp4 format. But MediaConvrter is giving this error in the job:

Unable to write to output file [s3://{path_to_file}]: [Failed to write data: Access Denied]

Obviously, MediaConverter doesn't have write access to bucker, but I don't know how to give them to it.

We have following policy for S3:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{CloudFront-origin}"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::{S3-bucket}/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::{role-for-our-API}",
                    "arn:aws:iam::{MediaConverter-role}"
                ]
            },
            "Action": "*",
            "Resource": "arn:aws:s3:::{S3-bucket}/*"
        }
    ]
}

Our ACL gives Write, List permission only for Bucket Owner. Previously everyone could List and Write objects and MediaConverter worked, but we found this we could not accept List and Write permissions for everyone.

Block public access is off for every point.

IAM user that we using for API and Role that we are using for MediaConverter have all the permissions for S3 (AmazonS3FullAccess).

Appreciate any help, thank you.

Have you find out the solution? – Meo Beo Mar 08 '21 at 08:55 — Meo Beo, Mar 08 '21 at 08:55

score 2 · Answer 1 · answered Dec 22 '20 at 04:35

I would like to make sure you have set the AccessControl to BUCKET_OWNER_FULL_CONTROL in Mediaconvert job settings. It sounds like this isn't being set in the job settings and since the bucket requires the objects to be set with the Bucket owner full control ACL.

Setting can be found under all the Output Group settings, under destination settings.

"DestinationSettings": {
              "S3Settings": {
              "AccessControl": {
              "CannedAcl": "BUCKET_OWNER_FULL_CONTROL"
            }
          }

Regards Michael

Hei Michael, thanks for the response, we had PUBLIC_READ before, but anyway I also tried this and it didn't help. — julia adamchuk, Dec 22 '20 at 15:10

score 0 · Answer 2 · edited Jan 05 '21 at 16:53

0

I believe that the configuration should be as follow. Please note the changes in "Action" and "Resource" where you were missing top level bucket.

{
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::{role-for-our-API}",
                    "arn:aws:iam::{MediaConverter-role}"
                ]
            },
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::{S3-bucket}","arn:aws:s3:::{S3-bucket}/*" ]
}

edited Jan 05 '21 at 16:53

Sabito stands with Ukraine

4,271
8
34
56

answered Dec 15 '20 at 16:27

Arek Chojak

1
1

Hei, thank you for your response, but it didn't help, MediaConverter shows the same error. – julia adamchuk Dec 16 '20 at 09:45
Hi @juliaadamchuk. Let me review this and I'll get back to you shortly. – Arek Chojak Dec 18 '20 at 11:36

score 0 · Answer 3 · answered Dec 16 '20 at 13:17

0

@uliaadamchuk Try to create a new role(ex: media-converter) and add the Role ARN to the Job Setting:

Step 1: Go to IAM Role > Create Role > look for MediaConverter and attach AmazonS3FullAccess and AmazonAPIGatewayInvokeFullAccess (optional) policies or use JSON version below:

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

Step 2: In the Media Converter Job Settings > Settings> Add IAM Role> add the Role ARN: ex- "arn:aws:iam::741xxxxxx:role/media-converter"

Step 3: Create the job and check whether now its working or not !!

answered Dec 16 '20 at 13:17

adarsh kavtiyal

55
1
10

Hei Adarsh, we already have AmazonS3FullAccess policy for MediaConverter role, so I only added AmazonAPIGatewayInvokeFullAccess, but it didn't help. – julia adamchuk Dec 17 '20 at 11:55
@juliaadamchuk sorry to here that but are you sure you are using correct Role ARN in the Job Settings? May be the one you are giving doesn't have access to s3. – adarsh kavtiyal Dec 17 '20 at 13:39
Yes, Ive double checked it. – julia adamchuk Dec 21 '20 at 13:04
sam issue as @juliaadamchuk – Umar Sid Jun 29 '21 at 18:15

score 0 · Answer 4 · answered Dec 02 '21 at 22:23

I had the same problem. I was using the default MediaConvert role which I had modified and it didn't have permission for what I was trying to do.

So, I made a new role for MediaConvert.

Name it MediaConvertRole.

Policies

Note: click "Attach policies" button, these are pre-made policies provided by Amazon. You don't have to create these from scratch yourself.

AmazonS3FullAccess

Whose policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}

AmazonAPIGatewayInvokeFullAccess

Whose policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke",
                "execute-api:ManageConnections"
            ],
            "Resource": "arn:aws:execute-api:*:*:*"
        }
    ]
}

When you create your MediaConvert job, make sure to select the right role:

score 0 · Answer 5 · answered May 04 '23 at 06:39

I encountered the same error, also while having the correct s3 permissions for the bucket, the issue that caused it for me was the same thing MichaelTam mentioned, CannedAcl was not matching the bucket permissions. The bucket i used did not have public access, but the job settings specified public access in my CannedAcl.

I assume there can also be other combinations of settings on the bucket and job that can missmatch and give this error. Setting BUCKET_OWNER_FULL_CONTROL worked for me on a bucket with public access blocked and object writer as owner of the files.

What permissions S3 needs for AWS MediaConverter to have access to write files?

5 Answers5