

# Policies and Permissions in MediaPackage

This page provides an overview of resource policies in MediaPackage and describes the basic elements of a policy. Each listed element links to more details about that element and examples of how to use it. 

For a complete list of MediaPackage actions, resources, and conditions, see [Actions, resources, and condition keys for AWS Elemental MediaPackage](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html) in the *AWS General Reference*.

In its most basic sense, a policy contains the following elements:
+ **Resources** - Channels and origin endpoints are the MediaPackage resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource. For more information, see [MediaPackage resources](actions-resources-conditions-overview.md#resources-arn-format).
  **Important**  
  Wildcards are not allowed in the resource ARN in [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based). The policy must contain the explicit ARN for each resource that it applies to.
+ **Actions** - For each resource, MediaPackage supports a set of operations. You identify resource operations that you will allow (or deny) by using action keywords. For more information, see [IAM JSON Policy Elements: Action](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html).
+ **Effect** - This determines what the effect will be when the user requests the specific action. This can be either *allow* or *deny*.

  If you do not explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to make sure that a user can't access the resource, even if a different policy grants access. For more information, see [IAM JSON Policy Elements: Effect](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html).
+ **Principal** - The account or user who is allowed access to the actions and resources in the statement. In a resource policy, the principal is the user, account, service, or other entity that is the recipient of this permission. For more information, see [Principals](policy-principal.md) and [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html).
+ **Condition** - These are the conditions for when a policy is in effect. You can use AWS‐wide keys and MediaPackage‐specific keys to specify conditions in a MediaPackage access policy. For more information, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

To illustrate, consider the following `Allow` policy. With this policy in effect, Jane Doe has `mediapackagev2:GetObject` and `mediapackagev2:GetHeadObject` permissions on all objects from the specified origin endpoint, on the condition that requests are made over HTTPS.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowJaneDoe",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/JaneDoe" },
      "Action": ["mediapackagev2:GetObject", "mediapackagev2:GetHeadObject"],
      "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName/originEndpoint/OriginEndpointName",
      "Condition": {
        "Bool": { "aws:SecureTransport": "true" }
      }
    }
  ]
}
```

Resource policies are specific to the resources to which they are applied. You must apply the policy explicitly to each resource that requires it.

For example, applying a policy to a particular origin endpoint that allows anonymous `GetObject` doesn't automatically apply `GetObject` to other endpoints even if the ARN matches. For instance, if you apply a policy to origin endpoint `abcdef01234567890`, it only applies to that endpoint and not to another endpoint with a similar ARN, like `021345abcdef6789`. 
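To make the element semantics concrete, here is a small added evaluator (illustrative code written for this page, not an AWS library) that applies the Jane Doe policy above to a simulated request. It models only what this page describes: exact resource ARN matching, the `"*"` and `{"AWS": "*"}` principal forms, the `Bool` condition operator, explicit deny overriding allow, and implicit deny when no statement matches; the `POLICY` dict, the `make_request` helper and the request context are constructed for the example.

```python
ENDPOINT_ARN = ("arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/"
                "ChannelGroupName/channel/ChannelName/originEndpoint/OriginEndpointName")
JANE_ARN = "arn:aws:iam::111122223333:user/JaneDoe"
# The Allow policy shown above, as a Python dict (constructed sample input).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowJaneDoe",
        "Effect": "Allow",
        "Principal": {"AWS": JANE_ARN},
        "Action": ["mediapackagev2:GetObject", "mediapackagev2:GetHeadObject"],
        "Resource": ENDPOINT_ARN,
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_matches(principal, caller_arn):
    # "*" and {"AWS": "*"} both match every caller; partial wildcards never match.
    if principal == "*":
        return True
    allowed = as_list(principal.get("AWS", []))
    return "*" in allowed or caller_arn in allowed

def condition_matches(condition, context):
    # Only the Bool operator is modelled, which is enough for aws:SecureTransport.
    return all(str(context.get(key, "")).lower() == str(want).lower()
               for key, want in condition.get("Bool", {}).items())

def make_request(caller_arn, action, resource, https=True):
    # Simulated request; aws:SecureTransport reflects whether HTTPS was used.
    return {"principal": caller_arn, "action": action, "resource": resource,
            "context": {"aws:SecureTransport": "true" if https else "false"}}

def evaluate(policy, request):
    # Explicit Deny beats any Allow; no matching statement means implicit deny.
    decision = "Deny"
    for stmt in policy["Statement"]:
        applies = (principal_matches(stmt["Principal"], request["principal"])
                   and request["action"] in as_list(stmt["Action"])
                   # Resource ARNs compare exactly: no wildcards in resource policies.
                   and request["resource"] in as_list(stmt["Resource"])
                   and condition_matches(stmt.get("Condition", {}), request["context"]))
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```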

For more, see the topics below. For complete policy language information, see [Policies and Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

**Topics**
+ [Principals](policy-principal.md)
+ [Actions, resources, and condition keys in MediaPackage](actions-resources-conditions-overview.md)

# Principals

The `Principal` element specifies the user, account, service, or other entity that is allowed or denied access to a resource. For more information, see [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.

## Grant permissions to an AWS account


To grant permissions to an AWS account, identify the account using the following format.

```
"AWS":"account-ARN"
```

The following are examples.

```
"Principal":{"AWS":"arn:aws:iam::AccountIDWithoutHyphens:root"}
```

```
"Principal":{"AWS":["arn:aws:iam::AccountID1WithoutHyphens:root","arn:aws:iam::AccountID2WithoutHyphens:root"]}
```

## Grant permissions to an IAM user


To grant permission to an IAM user within your account, you must provide an `"AWS":"user-ARN"` name-value pair.

```
"Principal":{"AWS":"arn:aws:iam::account-number-without-hyphens:user/username"}
```

**Note**  
If an IAM identity is deleted after you update your resource policy, the resource policy will show a unique identifier in the principal element instead of an ARN. These unique IDs are never reused, so you can safely remove principals with unique identifiers from all of your policy statements. For more information about unique identifiers, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) in the *IAM User Guide*.

## Grant anonymous permissions


To grant permission to everyone, also referred to as anonymous access, you set the wildcard (`"*"`) as the `Principal` value. You might do this, for example, when clients that have no AWS credentials need to reach your origin endpoints.

```
"Principal":"*"
```

```
"Principal":{"AWS":"*"}
```

Using `"Principal": "*"` with an `Allow` effect in a resource-based policy allows anyone, even if they’re not signed in to AWS, to access your resource. 

Using `"Principal" : { "AWS" : "*" }` with an `Allow` effect in a resource-based policy allows any root user, IAM user, assumed-role session, or federated user in any account in the same partition to access your resource.

For anonymous users, these two methods are equivalent. For more information, see [All principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous) in the *IAM User Guide*.

You cannot use a wildcard to match part of a principal name or ARN.

**Important**  
Because anyone can create an AWS account, the **security level** of these two methods is equivalent, even though they function differently.

**Warning**  
Use caution when granting anonymous access to your MediaPackage origin endpoints. When you grant anonymous access, anyone in the world can access your origin endpoint. We highly recommend that you never grant any kind of anonymous write access to your origin endpoints.

# Actions, resources, and condition keys in MediaPackage

AWS Elemental MediaPackage (service prefix: `mediapackagev2`) provides service-specific resources, actions, and condition context keys for use in IAM permission policies. For the full list, see [Actions, resources, and condition keys for AWS Elemental MediaPackage](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html) in the *AWS General Reference*.

## MediaPackage Actions

MediaPackage defines a set of permissions that you can specify in a policy. These are keywords, each of which maps to a specific MediaPackage operation. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

## MediaPackage resources

The following common Amazon Resource Name (ARN) format identifies resources in AWS:

```
arn:${Partition}:mediapackagev2:${Region}:${AccountID}:channelGroup/${ChannelGroupName}/channel/${ChannelName}/originEndpoint/${OriginEndpointName}
```

For information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*. 

For information about resources, see [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the *IAM User Guide*.

A MediaPackage ARN includes the following:
+ **Partition** ‐ `aws` is a common partition name. If your resources are in the China (Beijing) Region, `aws-cn` is the partition name.
+ **Region** ‐ The AWS Region.
+ **AccountID** ‐ Your AWS account number.
+ **ChannelGroupName** ‐ The name of the channel group.
+ **ChannelName** ‐ The name of the channel.
+ **OriginEndpointName** ‐ The name of the origin endpoint.
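As an added example (written for this page, not AWS code), the following builds an origin endpoint ARN in the format above, parses one back into its components, and checks every `Resource` in a policy against the rule that a resource-based policy needs an explicit ARN with no wildcards. The character set allowed in each name field is an assumption; what matters is that it never matches `*` or `?`.

```python
import re

# Field patterns are assumptions (letters, digits, '-' and '_'); the point is
# that they never match '*' or '?', so a wildcard anywhere invalidates the ARN.
ARN_PATTERN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):mediapackagev2:"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account_id>\d{12}):"
    r"channelGroup/(?P<channel_group>[A-Za-z0-9_-]+)"
    r"/channel/(?P<channel>[A-Za-z0-9_-]+)"
    r"/originEndpoint/(?P<origin_endpoint>[A-Za-z0-9_-]+)$")

def parse_origin_endpoint_arn(arn):
    """Return the ARN's components as a dict, or None if it is not an explicit ARN."""
    match = ARN_PATTERN.match(arn)
    return match.groupdict() if match else None

def build_origin_endpoint_arn(partition, region, account_id,
                              channel_group, channel, origin_endpoint):
    """Assemble the ARN in the format shown on this page, then re-check it."""
    arn = (f"arn:{partition}:mediapackagev2:{region}:{account_id}:channelGroup/"
           f"{channel_group}/channel/{channel}/originEndpoint/{origin_endpoint}")
    if parse_origin_endpoint_arn(arn) is None:
        raise ValueError(f"not an explicit MediaPackage origin endpoint ARN: {arn}")
    return arn

def check_policy_resources(policy):
    """List (Sid, ARN) pairs whose Resource is not an explicit origin endpoint ARN:
    wildcards, malformed ARNs or ARNs of another service all count as problems."""
    problems = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        for arn in (resources if isinstance(resources, list) else [resources]):
            if parse_origin_endpoint_arn(arn) is None:
                problems.append((stmt.get("Sid", "<no Sid>"), arn))
    return problems
```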

## MediaPackage Conditions keys

The access policy language enables you to specify conditions when granting permissions. To specify conditions for when a policy is in effect, you use the optional Condition element, or Condition block. You can use predefined AWS‐wide keys and MediaPackage‐specific keys to specify conditions in a MediaPackage access policy. In the Condition element, you build expressions in which you use Boolean operators (equal, less than, etc.) to match your condition against values in the request.