
I was able to restrict access to private content on my bucket using CloudFront, but now I'm unable to read from the bucket for Elemental MediaConvert. Is there any way to allow only the MediaConvert service and restrict everything else?

Here is my bucket policy:

{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3U7X28UWXXXXX"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::myawsbucket5696/*"
    }
  ]
}

Any help is appreciated. Thank you.

  • Unclear what you want. You can just write a second statement into the policy allowing whatever other service to access the bucket and its contents. – luk2302 Apr 25 '22 at 11:48
  • While trying to provide input from the restricted bucket to MediaConvert, it fails with a message saying "3403: Access to 's3://.. is forbidden". I'm using a MediaConvert role with full permissions, created from the dropdown provided for selecting/creating a role for the job. Thank you for replying. Any help is appreciated. – wishnuprathikantam Apr 25 '22 at 11:52
  • While trying to access the file from another folder in the same bucket I got error code 1401, which is a permission issue. – wishnuprathikantam Apr 25 '22 at 12:01
  • That cannot be related to the shown policy unless by adding that policy you have overwritten a previous policy which granted access. – luk2302 Apr 25 '22 at 12:02
  • I've just noticed I was able to convert an mp4 file by creating a new role with full permissions, but when trying to convert the m3u8 file I'm getting error 3403. Any clue why this is happening? – wishnuprathikantam Apr 25 '22 at 12:30

1 Answer

The 3403 error is 'HTTP Access Forbidden'. MediaConvert cannot read that file. Is it perhaps owned by a user other than the bucket owner? The role within your account which MediaConvert assumes when running jobs on your behalf will be subject to whatever access restrictions exist on objects within your source S3 bucket.

You can test and debug this file access outside of MediaConvert by assuming the designated role in your AWS Console and then using the CloudShell prompt. Use the s3api command to attempt to get metadata about the object in question. This should succeed if your role has permission to touch the object. For example: aws s3api head-object --bucket mynewbucket --key myfile.mov

FYI, you can see all MediaConvert error codes at https://docs.aws.amazon.com/mediaconvert/latest/ug/mediaconvert_error_codes.html

aws-robclem
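As an added example (not code from the question or the answer), here is luk2302's suggestion rendered as a policy document: the OAI statement from the question stays, and a second statement grants read access only to the MediaConvert job role, so every other principal remains implicitly denied. A small evaluator lets you sanity-check who the policy allows before running the head-object check from the answer; the account id and role name are placeholders, and the evaluator deliberately ignores object ownership, which the answer raises as the other likely cause of a 3403.

```python
import fnmatch

BUCKET = "myawsbucket5696"  # bucket from the question
OAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3U7X28UWXXXXX"
MEDIACONVERT_ROLE = "arn:aws:iam::111122223333:role/MediaConvertJobRole"  # placeholder

def bucket_policy():
    """The OAI statement from the question plus a second Allow for the job role.
    Nothing else is granted, so every other principal stays implicitly denied."""
    return {
        "Version": "2012-10-17",  # current policy language version
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {"Sid": "1", "Effect": "Allow",
             "Principal": {"AWS": OAI},
             "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{BUCKET}/*"},
            {"Sid": "AllowMediaConvertJobRole", "Effect": "Allow",
             "Principal": {"AWS": MEDIACONVERT_ROLE},
             # ListBucket on the bucket ARN makes a missing key surface as 404
             # rather than 403, so the head-object check stays unambiguous.
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, principal_arn, action, resource_arn):
    """Simplified evaluation: explicit Deny wins, any matching Allow grants,
    otherwise implicit deny. Conditions and object ownership are not modelled."""
    allowed = False
    for st in policy["Statement"]:
        p = st["Principal"]
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if "*" not in principals and principal_arn not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r)
                   for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

If the evaluator says the role is allowed but `aws s3api head-object` still returns 403, look at the object's owner and ACL rather than the bucket policy.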