AWS IAM Role Policy Issue on Media Convert Service [ Cannot open input file [Failed to read data: AssumeRole failed]]]

Question

I am struggling with AWS IAM Role Policies, I am following a tutorial for Lambda function to read from s3 bucket event when a new file is uploaded and send it to AWS MediaConvert to convert the video file. Lambda function is being able to read from s3 in test but it fails the job at MediaConvert.

I have set the policies to the roles and also gave inline policies but still I am unable to get it working.

AWS Elemental MediaConvert Screenshot

Policies set for IAM ROLE

IAM Policies

Json for inline policy

lambda-s3-policy-inlinepolicy

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "ExampleStmt",
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::aws-mybucket-01/*"
        ]
    }
]
 }

Policy Summary PolicySummaryImg

VodLambdaRole

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "Logging"
    },
    {
        "Action": [
            "iam:PassRole"
        ],
        "Resource": [
            "arn:aws:iam::myAccountID:role/my-lambda-role"
        ],
        "Effect": "Allow",
        "Sid": "PassRole"
    },
    {
        "Action": [
            "mediaconvert:*"
        ],
        "Resource": [
            "*"
        ],
        "Effect": "Allow",
        "Sid": "MediaConvertService"
    },
    {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": "arn:aws:iam::myAccountID:role/my-lambda-role"
    }
]
}

PolicySummary

I am a little confused... you mention an AWS Lambda function, but the error is appearing in the MediaConvert console. So where is the error originating? (I am familiar with IAM, but not with MediaConvert.) Does MediaConvert access the S3 object itself, or does it trigger an AWS Lambda function to access the S3 object? — John Rotenstein, Jul 30 '21 at 08:16
the mediaConvert access the s3 object itself and outputs it to the s3 bucket after converting videos. Error is originating at MediaConvert - Error 1434 which is IAM Issue — jahan, Jul 30 '21 at 08:24

score 9 · Accepted Answer · answered Jul 30 '21 at 08:14

9

Make sure that the IAM Role assigned to the MediaConvert job has a Trust Policy that trusts MediaConvert:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "mediaconvert.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This is normally generated automatically when you create an IAM Role in the management console and select MediaConvert as the Service.

answered Jul 30 '21 at 08:14

John Rotenstein

241,921
22
380
470

Thanks John, it worked. I had to add mediaconvert into Trust Policies – jahan Jul 30 '21 at 08:28
Great! Please mark this as the accepted answer so that future readers can identify the solution. – John Rotenstein Jul 30 '21 at 08:33

AWS IAM Role Policy Issue on Media Convert Service [ Cannot open input file [Failed to read data: AssumeRole failed]]]

1 Answers1