IAM and cross-account S3¶
Video Toolkit workers run in Castlabs’ AWS account, but most jobs read and write S3 buckets in your AWS account. To make that work, you create an IAM role in your account that trusts the VTK worker role, gated by an ExternalId equal to your VTK organization’s API name. This page shows the trust relationship and the minimal S3 policies the role needs.
Two alternatives exist when role_arn is too coarse:

- Access-key secret in the S3 URL (s3://{secret-name}@bucket/path), shown in the Quickstart. Simple, but the same key is reused for every task.
- Credential dispenser: an HTTPS endpoint you host that returns AWS credentials on each call. See Credential dispenser. Use this when you need per-task scoping, central audit, or multi-tenant brokering. A Lambda fronted by API Gateway is one common implementation; you can equally well point it at a static credential store, a mock, or any existing credential-vending machine.
Assuming IAM Roles¶
Every operation on an AWS resource has to be authorized, either with AWS credentials or through an IAM role. Video Toolkit jobs can assume a role in another AWS account (yours):
{
  "role_arn": "arn:aws:iam::xxxxx721xxxx:role/vtk-integrationtest",
  "tasks": []
}
Set role_arn at the job level to assume the same role for every task, or set it on individual storage:get / storage:put parameters when different storage steps need different roles.
To allow Video Toolkit workers to assume that role, the role needs a trust relationship with the Video Toolkit Worker role: add the predefined Castlabs Video Toolkit worker role ARN(s) as principals in the trust policy of your IAM role.
NOTE: the Video Toolkit staging environment is restricted to special testing cases only.
STAGING: "arn:aws:iam::379899276840:role/VTKWorker"
PRODUCTION: "arn:aws:iam::873682911326:role/VTKWorker"
Example AWS IAM role definition (trust policy). The production worker ARN lets our production system assume the role; the staging worker ARN lets our staging system assume it and belongs in the list only while you are testing against staging, so remove it afterwards:
{
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "[your organization api_name]"
      }
    },
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::379899276840:role/VTKWorker",
        "arn:aws:iam::873682911326:role/VTKWorker"
      ]
    }
  }],
  "Version": "2012-10-17"
}
The ExternalId is mandatory: without it the Video Toolkit Worker cannot assume the role. Every VTK organization's jobs run under the same VTKWorker role, so the ExternalId is what ties your role to your organization and keeps other organizations' jobs from assuming it (the standard confused-deputy protection for cross-account roles).
Use your VTK Organization API name (for example drmtoday-example-api-name) as the ExternalId. Do not use the AWS Organization ID or the AWS account alias.
You can find the API name by going to the Organizations section in VTK and checking the API Name column in the list.

More info in our glossary.
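The following is an added example for this page, not Castlabs code: it builds the trust policy above for a given organization API name and models, in simplified form, the decision STS makes on it, so you can see why a caller with the wrong or no ExternalId is refused even though it runs as the trusted VTKWorker role. The VTKWorker ARNs are the ones documented above; the organization API name "drmtoday-example-api-name" is the page's placeholder, and the lint findings are this example's own wording.

```python
"""Trust policy for the role VTK jobs assume, plus a simplified model of the
STS decision on it.  Added example for this page, not Castlabs code.  The two
VTKWorker ARNs are the ones documented on the page; the organization API name
used below is the page's placeholder, not a real value."""
import json

STAGING_WORKER = "arn:aws:iam::379899276840:role/VTKWorker"    # testing only
PRODUCTION_WORKER = "arn:aws:iam::873682911326:role/VTKWorker"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals of a statement as a list ("*" stays "*")."""
    principal = stmt["Principal"]
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def trust_policy(org_api_name, allow_staging=False):
    """Build the trust relationship.  Only the production worker is trusted
    unless allow_staging is set, and the ExternalId condition is always
    present: every VTK organization's jobs run under the same worker role, so
    the ExternalId is what ties this role to your organization."""
    principals = [PRODUCTION_WORKER] + ([STAGING_WORKER] if allow_staging else [])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": org_api_name}},
        }],
    }


def assume_allowed(policy, caller_arn, external_id=None):
    """Simplified STS decision: the caller must be a listed principal and the
    sts:ExternalId condition, if present, must equal the ExternalId passed in
    the AssumeRole call (a call without one fails StringEquals).  Only the
    statement shapes used on this page are modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _principals(stmt)
        if "*" not in principals and caller_arn not in principals:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and external_id != wanted:
            continue
        return True
    return False


def lint_trust_policy(policy):
    """Findings a reviewer would raise before deploying the role."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        if "*" in principals:
            findings.append("wildcard principal: any AWS identity may attempt AssumeRole")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("missing sts:ExternalId condition: other VTK organizations could assume this role")
        if STAGING_WORKER in principals:
            findings.append("staging worker trusted: remove after testing")
    return findings


if __name__ == "__main__":
    policy = trust_policy("drmtoday-example-api-name")
    print(json.dumps(policy, indent=2))
    # The production worker with the right ExternalId succeeds; the same
    # worker acting for another organization, or with no ExternalId, does not.
    print(assume_allowed(policy, PRODUCTION_WORKER, "drmtoday-example-api-name"))  # True
    print(assume_allowed(policy, PRODUCTION_WORKER, "some-other-org"))             # False
    print(assume_allowed(policy, PRODUCTION_WORKER))                               # False
    print(lint_trust_policy(policy))                                               # []
```

Deleting the Condition block from the generated policy makes assume_allowed succeed for any ExternalId, which is exactly the cross-organization exposure the ExternalId exists to prevent; lint_trust_policy flags that case, and also flags a trust policy that still lists the staging worker.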
Required Policy for S3 Download¶
Attach this policy to the role for jobs that only read from your bucket. Note the two resource forms: the object action (s3:GetObject) targets arn:aws:s3:::[yourbucket]/*, while the bucket-level actions (s3:ListBucket, s3:GetBucketLocation) target the bucket ARN itself; swapping them is a common cause of AccessDenied. If jobs only need part of the bucket, replace /* with /[prefix]/* to narrow the grant.
{
  "Statement": [{
    "Action": [
      "s3:GetObject"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:s3:::[yourbucket]/*"
    ]
  },
  {
    "Action": [
      "s3:GetBucketLocation",
      "s3:ListBucket"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:s3:::[yourbucket]"
    ]
  }],
  "Version": "2012-10-17"
}
Required Policy for S3 Upload¶
Attach this policy for jobs that write results to your bucket. It grants s3:PutObject only; a job that reads and writes the same bucket needs both s3:GetObject and s3:PutObject in the object statement.
{
  "Statement": [{
    "Action": [
      "s3:PutObject"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:s3:::[yourbucket]/*"
    ]
  },
  {
    "Action": [
      "s3:GetBucketLocation",
      "s3:ListBucket"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:s3:::[yourbucket]"
    ]
  }],
  "Version": "2012-10-17"
}
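The following is an added example for this page, not Castlabs code: it generates the download and upload policies above for a bucket and, going beyond the page's bucket-wide policies, optionally narrows them to a key prefix, then runs a simplified IAM evaluation over them to show what each grant does and does not allow. The bucket name "media-in"/"media-out" and the prefix "encodes/" are hypothetical; the evaluator models only Allow statements, IAM-style wildcards and the StringLike condition used here.

```python
"""S3 policies for the VTK role and a simplified IAM evaluation of what they
grant.  Added example for this page, not Castlabs code.  Bucket names and the
key prefix are hypothetical; prefix narrowing goes beyond the page's
bucket-wide policies."""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def s3_policy(bucket, prefix="", download=True, upload=False):
    """Download and/or upload policy for one bucket, optionally limited to a
    key prefix.  Object actions target bucket/key ARNs, bucket-level actions
    the bucket ARN.  Only s3:ListBucket is narrowed with s3:prefix, because
    s3:GetBucketLocation carries no prefix in its request context and a
    StringLike condition on a missing key evaluates to false (a denial)."""
    object_actions = []
    if download:
        object_actions.append("s3:GetObject")
    if upload:
        object_actions.append("s3:PutObject")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Effect": "Allow", "Action": object_actions, "Resource": f"{bucket_arn}/{prefix}*"},
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation"], "Resource": bucket_arn},
    ]
    list_stmt = {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn}
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    statements.append(list_stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def allowed(policy, action, resource, context=None):
    """Simplified IAM decision: True if an Allow statement matches the action
    and resource (IAM-style '*' and '?' wildcards) and all of its StringLike
    conditions hold against the request context.  Explicit Deny and other
    condition operators are not modelled; a condition key absent from the
    context fails, as it does in IAM."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(
            context.get(key) is not None
            and any(fnmatch.fnmatchcase(context[key], p) for p in _as_list(patterns))
            for key, patterns in conditions.items()
        ):
            return True
    return False


if __name__ == "__main__":
    read_only = s3_policy("media-in", prefix="encodes/")
    print(json.dumps(read_only, indent=2))
    print(allowed(read_only, "s3:GetObject", "arn:aws:s3:::media-in/encodes/a.mp4"))  # True
    print(allowed(read_only, "s3:GetObject", "arn:aws:s3:::media-in/raw/a.mp4"))      # False
    print(allowed(read_only, "s3:PutObject", "arn:aws:s3:::media-in/encodes/a.mp4"))  # False
    print(allowed(read_only, "s3:ListBucket", "arn:aws:s3:::media-in",
                  {"s3:prefix": "encodes/"}))                                          # True
```

With the prefix set, a GetObject outside encodes/ and a ListBucket request for another prefix are both refused, while GetBucketLocation still works because it sits in its own unconditioned statement; the download policy never allows PutObject, so a job that writes back to the same bucket needs the upload actions as well.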