Assuming IAM Roles

Operations on AWS resources require either AWS credentials or an IAM role to authorize the operation. Video Toolkit Jobs can assume roles in other AWS accounts.

{
    "role_arn": "arn:aws:iam::xxxxx721xxxx:role/vtks-integrationtest",
    "tasks": [...]
}

The role_arn given at job level is assumed for all steps in the job. The AWS-related tools (S3 get/put), however, can each take their own role_arn parameter, which overrides the job-level role for that step.

To allow Video Toolkit Workers to assume that role, the role needs a trust relationship with the Video Toolkit Worker role: add the predefined castLabs Video Toolkit worker role ARNs below as principals in the IAM role's trust policy.

NOTE: The Video Toolkit staging environment is restricted to special testing cases only.

STAGING: "arn:aws:iam::379899276840:role/VTKWorker"
PRODUCTION: "arn:aws:iam::873682911326:role/VTKWorker"

Example AWS IAM role definition:

{
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "[your organization name]"
            }
        },
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::379899276840:role/VTKWorker",
                "arn:aws:iam::873682911326:role/VTKWorker"
            ]
        }
    }],
    "Version": "2012-10-17"
}

The first principal (379899276840) allows our staging system to assume the role (testing only!); the second (873682911326) allows our production system to assume it. Omit the staging principal unless you are running one of the special testing cases mentioned above.

The ExternalId condition is required: the Video Toolkit Worker will not be able to assume the role without it. It is the standard AWS mitigation for the confused-deputy problem, ensuring that the role can only be used for requests made on your behalf by the worker, not by another customer of the same service.
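As an added example (not part of the castLabs documentation), a small Python check that validates a trust policy of the shape shown above before it is deployed: it requires the StringEquals sts:ExternalId condition, expects one of the documented worker roles as principal, rejects wildcard principals and flags the staging principal. The sample policies at the end are constructed for this demonstration.

```python
import json

# Worker role ARNs as listed on this page; staging is for special test cases only.
VTK_WORKER_ROLES = {
    "arn:aws:iam::379899276840:role/VTKWorker": "staging",
    "arn:aws:iam::873682911326:role/VTKWorker": "production",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy_json, external_id):
    """Return findings for a VTK trust policy; an empty list means it looks correct."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    worker_allowed = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        if "*" in arns:
            findings.append("wildcard principal: any AWS account could assume this role")
        for arn in arns:
            worker_allowed |= arn in VTK_WORKER_ROLES
            if VTK_WORKER_ROLES.get(arn) == "staging":
                findings.append(f"staging worker {arn} is trusted; intended for testing only")
        # Without the StringEquals sts:ExternalId condition the worker cannot assume the role.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition")
        elif ext != external_id:
            findings.append(f"sts:ExternalId is {ext!r}, expected {external_id!r}")
    if not worker_allowed:
        findings.append("no Allow statement grants sts:AssumeRole to a VTK worker role")
    return findings


# Constructed sample trust policies (not from the page) to exercise the check.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::873682911326:role/VTKWorker"]},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-org"}}}]})
NO_EXTERNAL_ID_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Principal": {"AWS": "arn:aws:iam::873682911326:role/VTKWorker"}}})
```

Run the check against your own trust policy with the ExternalId you configured for the job; anything other than an empty list needs attention before the worker can use the role.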

Required Policy for S3 Download

{
    "Statement": [{
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]/*"
        ]
    },
    {
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]"
        ]
    }],
    "Version": "2012-10-17"
}

Required Policy for S3 Upload

{
    "Statement": [{
        "Action": [
            "s3:PutObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]/*"
        ]
    },
    {
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:HeadBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::[yourbucket]"
        ]
    }],
    "Version": "2012-10-17"
}