What permissions do I need to set on my S3 buckets for Analytics Exports?
You can use S3 buckets as the Output for your analytics exports. For Bitmovin to be able to access them, you need to grant certain permissions.
To export Analytics data to S3, you need to create an Output resource that defines where to write those exports (Learn more). When you use an S3 bucket, you need to give the IAM Role that accesses the bucket a set of permissions and a trust policy that allows Bitmovin to assume that role. This page describes the necessary bucket permissions. How to set up the trust policy is outlined in more detail here.
Full Access
If you want a quick solution, for example for quick evaluations or development environments, you can simply allocate the AmazonS3FullAccess policy, which will give the IAM user unrestricted access to your bucket.
Restricted Access
For most applications, you will want to tighten permissions to the strict set required. With AWS IAM, you have granular control to create a custom policy that only defines certain permissions.
The minimum set required (and why each permission is needed) is listed below:
Action | Resource Level | Justification |
---|---|---|
s3:GetBucketLocation | Bucket | To determine the location of the bucket to resolve the correct region for mode AUTO |
s3:ListBucket | Bucket | To verify if all files are present at the output location (i.e., check if all generated files are present) |
s3:PutObject | Object | To write the file to the S3 Bucket |
s3:PutObjectAcl | Object | To update the ACL for an object in an S3 bucket (i.e., to allow public access to a file) |
JSON Custom Policy
You can use the following JSON payload to create your custom policy in AWS IAM.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BitmovinOutputBucketPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<OUTPUT_BUCKET_NAME>"
      ]
    },
    {
      "Sid": "BitmovinOutputObjectPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<OUTPUT_BUCKET_NAME>/*"
      ]
    }
  ]
}
```
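To check that a policy attached to the role stays within the minimum set in the table above, the following added example (not Bitmovin's code) audits a policy document offline and reports missing or excess grants. The function names and the bucket name `example-exports` are assumptions made for illustration.

```python
# Minimum set from the table above: action (lowercased) -> resource level it applies to.
REQUIRED = {
    "s3:getbucketlocation": "bucket",
    "s3:listbucket": "bucket",
    "s3:putobject": "object",
    "s3:putobjectacl": "object",
}

def as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return (missing_actions, findings) for a policy meant for one output bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"

    def level(resource):
        if resource == bucket_arn:
            return "bucket"
        # "/*" or a key prefix inside this bucket; anything else is wider or elsewhere
        return "object" if resource.startswith(bucket_arn + "/") else None

    granted, findings = set(), []
    for stmt in as_list(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
            continue
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()  # IAM action names are case-insensitive
            for resource in as_list(stmt.get("Resource", [])):
                if name not in REQUIRED:
                    findings.append(f"{sid}: {action} is outside the minimum set")
                elif level(resource) is None:
                    findings.append(f"{sid}: {action} reaches beyond the bucket ({resource})")
                elif level(resource) == REQUIRED[name]:
                    granted.add(name)  # right action at the right resource level
    return sorted(set(REQUIRED) - granted), findings

# Constructed inputs (bucket name is made up): the page's policy, and a full-access shape.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BitmovinOutputBucketPermissions", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::example-exports"]},
    {"Sid": "BitmovinOutputObjectPermissions", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::example-exports/*"]}]}
FULL_ACCESS = {"Version": "2012-10-17", "Statement":
               {"Sid": "Full", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
```

An object-level action granted only on the bucket ARN has no effect, so it shows up under missing actions and not as a finding.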