
AWS IAM

Assuming IAM Roles

Operations on AWS resources require either AWS credentials or an IAM role to authorize them. Video Toolkit Jobs can assume IAM roles belonging to other AWS accounts.

{
    "role_arn": "arn:aws:iam::xxxxx721xxxx:role/vtks-integrationtest",
    "tasks": [...]
}

The job assumes the given role for all of its steps. Each AWS-related tool (S3 get/put), however, can specify its own separate role_arn parameter that overrides the job-level role for that step.

In order to allow Video Toolkit Workers to assume that role, the role needs a Trust Relationship with the Video Toolkit Worker role. Add the predefined castLabs Video Toolkit role values below as principals in the IAM role's trust policy.

NOTE: The Video Toolkit staging environment is restricted to special testing cases only.

STAGING: "arn:aws:iam::379899276840:role/VTKWorker"
PRODUCTION: "arn:aws:iam::873682911326:role/VTKWorker"

Example AWS IAM role trust policy definition. The first principal allows our staging system to assume the role (testing only!); the second allows our production system to assume it. IAM policy documents are plain JSON and do not permit comments, so the two principals are annotated here rather than inside the document:

{
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "[your organization name]"
            }
        },
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::379899276840:role/VTKWorker",
                "arn:aws:iam::873682911326:role/VTKWorker"
            ]
        }
    }],
    "Version": "2012-10-17"
}

The ExternalId condition is essential: for security reasons the Video Toolkit Worker will not be able to assume the role without it.
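As an added check that is not part of the castLabs documentation, the following Python linter validates a trust policy like the one above before it is deployed: it flags wildcard or unexpected principals, flags the staging worker unless it is explicitly allowed for a test role, and requires a matching sts:ExternalId condition. The organization name and the two sample policies are constructed for the example.

```python
import json

# The two castLabs worker principals named on this page; staging is for testing only.
STAGING_WORKER = "arn:aws:iam::379899276840:role/VTKWorker"
PRODUCTION_WORKER = "arn:aws:iam::873682911326:role/VTKWorker"


def _as_list(value):
    """IAM accepts a single string/object or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_trust_policy(policy, external_id, allow_staging=False):
    """Return a list of findings for a role trust policy; an empty list means it passes."""
    expected = {PRODUCTION_WORKER} | ({STAGING_WORKER} if allow_staging else set())
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
            principal = {}
        for arn in _as_list(principal.get("AWS") if isinstance(principal, dict) else None):
            if arn == STAGING_WORKER and not allow_staging:
                findings.append(f"statement {i}: staging worker trusted outside a test role")
            elif arn not in expected:
                findings.append(f"statement {i}: unexpected principal {arn}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append(f"statement {i}: no sts:ExternalId condition; the worker cannot assume the role")
        elif ext_id != external_id:
            findings.append(f"statement {i}: sts:ExternalId {ext_id!r} does not match {external_id!r}")
    return findings


# Constructed sample: the page's trust policy with a placeholder organization name.
GOOD_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::379899276840:role/VTKWorker",
                          "arn:aws:iam::873682911326:role/VTKWorker"]},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-org"}} }] }
""")

# Constructed sample of a common mistake: trusting the worker without any ExternalId.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::873682911326:role/VTKWorker"}}]}
```

Running check_trust_policy(GOOD_POLICY, "example-org", allow_staging=True) returns an empty list, while the same policy checked for a production-only role reports the staging principal.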

Required Policy for S3 Download

{
    "Statement": [{
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]/*"
        ]
    },
    {
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]"
        ]
    }],
    "Version": "2012-10-17"
}

Required Policy for S3 Upload

{
    "Statement": [{
        "Action": [
            "s3:PutObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]/*"
        ]
    },
    {
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:HeadBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]"
        ]
    }],
    "Version": "2012-10-17"
}