[object Object] Icon

Encoding
Learn how to create, start, manage and modify Encodings

[object Object] Icon

Player
Learn how to create, start, manage and modify Players

[object Object] Icon

Analytics
Learn how to create, start, manage and modify Analyticss

Docs Home
User shortcuts for search
Focus by pressing f
Hide results by pressing Esc
Navigate via   keys

Wed Sep 16 2020

What permissions do I need to set on my S3 buckets for Analytics Exports?

To export Analytics data to S3, you need to create an Output resource that defines where to write those exports (Learn more). When you use an S3 bucket, you need to provide the IAM user accessing the bucket a set of permissions.

Full Access

If you want a quick solution, for example for quick evaluations or development environments, you can simply allocate the AmazonS3FullAccess policy will give the IAM user unrestricted access to your bucket.

Restricted Access

For most applications, you will want to tighten permissions to the strict set required. With AWS IAM, you have granular control to create a custom policy that only defines certain permissions.

The minimum set required (and why each permission is needed) is listed below:

ActionResource LevelJustification
s3:GetBucketLocationBucketTo determine the location of the bucket to resolve the correct region for mode AUTO
s3:ListBucketBucketTo verify if all files are present at the output location (i.e., check if all generated files are present)
s3:PutObjectObjectTo write the file to the S3 Bucket
s3:PutObjectAclObjectTo update the ACL for an object on a S3 Bucket (i.e., to allow public access to a file)

JSON Custom Policy

Assuming that you are using the same IAM user and a single policy for both Input and Output buckets, you can use the following JSON payload to create your custom policy in AWS IAM.

1{
2 "Version": "2012-10-17",
3 "Statement": [
4 {
5 "Sid": "BitmovinOutputBucketPermissions",
6 "Effect": "Allow",
7 "Action": [
8 "s3:ListBucket",
9 "s3:GetBucketLocation"
10 ],
11 "Resource": [
12 "arn:aws:s3:::<OUTPUT_BUCKET_NAME>"
13 ]
14 },
15 {
16 "Sid": "BitmovinOutputObjectPermissions",
17 "Effect": "Allow",
18 "Action": [
19 "s3:PutObject",
20 "s3:PutObjectAcl"
21 ],
22 "Resource": [
23 "arn:aws:s3:::<OUTPUT_BUCKET_NAME>/*"
24 ]
25 }
26 ]
27}

Give us feedback