What permissions do I need to set on my S3 buckets for Encoding Input and Output?

An encoding uses Input and Output resources to define where to get source files from and where to write result files. When you use S3 bucket, you need to provide the IAM user accessing the bucket a set of permissions.

Learn more in these tutorials about creating AWS S3 Inputs/Outputs using Access/Secret keypairs or role-based authentication.

Full Access

If you want a quick solution, for example for quick evaluations or development environments, you can simply allocate the AmazonS3FullAccess policy will give the IAM user unrestricted access to your bucket.

Restricted Access

For most applications, you will want to tighten permissions to the strict set required. With AWS IAM, you have granular control to create a custom policy that only defines certain permissions.

The minimum set required (and why each permission is needed) is listed below:

For Input buckets

Action	Resource Level	Justification
`s3:GetBucketLocation`	Bucket	To determine the location of the input bucket to resolve the correct encoding region for mode AUTO.
`s3:GetObject`	Object	To read the file from the S3 bucket

For Output buckets

Action	Resource Level	Justification
`s3:GetBucketLocation`	Bucket	To determine the location of the output bucket to resolve the correct region for mode `AUTO`
`s3:ListBucket`	Bucket	To verify if all files are present at the output location (i.e., check if all uploaded segments are present)
`s3:PutObject`	Object	To write the file to the S3 Bucket
`s3:PutObjectAcl`⁽¹⁾	Object	To update the ACL for an object on a S3 Bucket (i.e., to allow public access to a file)
`s3:GetObject`	Object	To check that the file was successfully uploaded

(1) Since ACLs are disabled by default when creating new S3 buckets, you will need to enable them by editing the default object Ownership on your bucket. Otherwise, the s3:PutObjectAcl permissions will not take effect. ACLs should be enabled for all object writers.

JSON Custom Policy

Assuming that you are using the same IAM user and a single policy for both Input and Output buckets, you can use the following JSON payload to create your custom policy in AWS IAM.

1{
2    "Version": "2012-10-17",
3    "Statement": [
4        {
5            "Sid": "BitmovinInputBucketPermissions",
6            "Effect": "Allow",
7            "Action": [
8                "s3:GetBucketLocation"
9            ],
10            "Resource": [
11                "arn:aws:s3:::<INPUT_BUCKET_NAME>"
12            ]
13        },
14        {
15            "Sid": "BitmovinInputObjectPermissions",
16            "Effect": "Allow",
17            "Action": [
18                "s3:GetObject"
19            ],
20            "Resource": [
21                "arn:aws:s3:::<INPUT_BUCKET_NAME>/*"
22            ]
23        },
24        {
25            "Sid": "BitmovinOutputBucketPermissions",
26            "Effect": "Allow",
27            "Action": [
28                "s3:ListBucket",
29                "s3:GetBucketLocation"
30            ],
31            "Resource": [
32                "arn:aws:s3:::<OUTPUT_BUCKET_NAME>"
33            ]
34        },
35        {
36            "Sid": "BitmovinOutputObjectPermissions",
37            "Effect": "Allow",
38            "Action": [
39                "s3:GetObject",
40                "s3:PutObject",
41                "s3:PutObjectAcl"
42            ],
43            "Resource": [
44                "arn:aws:s3:::<OUTPUT_BUCKET_NAME>/*"
45            ]
46        }
47    ]
48}