AWS IAM
Assuming IAM Roles
Operations on AWS resources require either AWS credentials or an IAM role to authorize them. Video Toolkit Jobs can assume roles in other accounts.
{
    "role_arn": "arn:aws:iam::xxxxx721xxxx:role/vtks-integrationtest",
    "tasks": [...]
}
The job assumes the given role for all of its steps. However, every AWS-related tool (S3 get/put) can take its own separate role_arn parameter.
To allow Video Toolkit Workers to assume that role, the role needs a Trust Relationship with the Video Toolkit Worker role. Add the predefined role values for the castLabs Video Toolkit to the IAM role definition.
NOTE: The Video Toolkit staging environment is restricted to special testing cases only.
STAGING: "arn:aws:iam::379899276840:role/VTKWorker"
PRODUCTION: "arn:aws:iam::873682911326:role/VTKWorker"
Example AWS IAM role definition. The first principal allows our staging system to assume that role (testing only!); the second allows our production system to assume that role:
{
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "[your organization name]"
            }
        },
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::379899276840:role/VTKWorker",
                "arn:aws:iam::873682911326:role/VTKWorker"
            ]
        }
    }],
    "Version": "2012-10-17"
}
The ExternalId is important: for security reasons, the Video Toolkit Worker won't be able to assume the role without it.
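The following check is an added example, not castLabs code: it reviews a trust relationship document before it is attached to a role, flagging a missing sts:ExternalId condition, a trusted staging worker, and any principal other than the two VTKWorker roles listed above. The names `audit_trust_policy` and `as_list` are hypothetical, and the sample policy is constructed from the page's example with the Condition block removed.

```python
import json

# Worker role ARNs as published on this page.
VTK_STAGING = "arn:aws:iam::379899276840:role/VTKWorker"
VTK_PRODUCTION = "arn:aws:iam::873682911326:role/VTKWorker"

def as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, allow_staging=False):
    """Return findings for a trust relationship document (hypothetical helper)."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        arns = as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == VTK_STAGING and not allow_staging:
                findings.append(f"statement {i}: staging worker trusted")
            elif arn not in (VTK_STAGING, VTK_PRODUCTION):
                findings.append(f"statement {i}: unexpected principal {arn}")
        # Assumption: only an exact-match StringEquals condition is recognised.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if arns and not cond.get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

# Constructed sample: the page's example with the Condition block left out.
SAMPLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::379899276840:role/VTKWorker",
                          "arn:aws:iam::873682911326:role/VTKWorker"]}
  }]
}""")

if __name__ == "__main__":
    print("\n".join(audit_trust_policy(SAMPLE)))
```

Pass `allow_staging=True` only for roles that are meant for the restricted staging tests.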
Required Policy for S3 Download
{
    "Statement": [{
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]/*"
        ]
    },
    {
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]"
        ]
    }],
    "Version": "2012-10-17"
}
Required Policy for S3 Upload
{
    "Statement": [{
        "Action": [
            "s3:PutObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]/*"
        ]
    },
    {
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:HeadBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]"
        ]
    }],
    "Version": "2012-10-17"
}