An encoding uses Input and Output resources to define where to get source files from and where to write result files. When you use S3 bucket, you need to provide the IAM user accessing the bucket a set of permissions.

Learn more in these tutorials about creating AWS S3 Inputs/Outputs using Access/Secret keypairs or role-based authentication.

Full Access

If you want a quick solution, for example for quick evaluations or development environments, you can simply allocate the AmazonS3FullAccess policy will give the IAM user unrestricted access to your bucket.

Restricted Access

For most applications, you will want to tighten permissions to the strict set required. With AWS IAM, you have granular control to create a custom policy that only defines certain permissions.

The minimum set required (and why each permission is needed) is listed below:

For Input buckets

For Output buckets

(1) Access control list (ACL) enable you to manage access to buckets and objects. In our API it is possible to set the output of muxings and manifests to PUBLIC_READ or PRIVATE.

To get started we recommend initially setting the AmazonS3FullAccess policy to the output bucket. This can be tuned to reduce permissions once necessary operations are fully understood.

Public access for Output buckets

For Encodings started in our Bitmovin Dashboard, the output bucket’s policy needs to allow public access to your Amazon S3 storage. The PUBLIC_READ setting requires also that the correct bucket ownership policies are set. Here is a FAQ on how to do this: How can I configure an AWS S3 Bucket to test playback of my content?.

JSON Custom Policy

Assuming that you are using the same IAM user and a single policy for both Input and Output buckets, you can use the following JSON payload to create your custom policy in AWS IAM.

The following placeholders need to be replaced with the name of your bucket(s):

• <INPUT_BUCKET_NAME>
• <OUTPUT_BUCKET_NAME>

1{
2    "Version": "2012-10-17",
3    "Statement": [
4        {
5            "Sid": "BitmovinInputBucketPermissions",
6            "Effect": "Allow",
7            "Action": [
8                "s3:GetBucketLocation"
9            ],
10            "Resource": [
11                "arn:aws:s3:::<INPUT_BUCKET_NAME>"
12            ]
13        },
14        {
15            "Sid": "BitmovinInputObjectPermissions",
16            "Effect": "Allow",
17            "Action": [
18                "s3:GetObject"
19            ],
20            "Resource": [
21                "arn:aws:s3:::<INPUT_BUCKET_NAME>/*"
22            ]
23        },
24        {
25            "Sid": "BitmovinOutputBucketPermissions",
26            "Effect": "Allow",
27            "Action": [
28                "s3:ListBucket",
29                "s3:GetBucketLocation"
30            ],
31            "Resource": [
32                "arn:aws:s3:::<OUTPUT_BUCKET_NAME>"
33            ]
34        },
35        {
36            "Sid": "BitmovinOutputObjectPermissions",
37            "Effect": "Allow",
38            "Action": [
39                "s3:GetObject",
40                "s3:PutObject",
41                "s3:PutObjectAcl"
42            ],
43            "Resource": [
44                "arn:aws:s3:::<OUTPUT_BUCKET_NAME>/*"
45            ]
46        }
47    ]
48}