

# IAM permissions for MediaLive as a trusted entity

The section about setting up MediaLive as a trusted entity has been rewritten. The information has been reorganized. But there are no changes to the underlying rules for setting up a trusted entity. 

AWS Elemental MediaLive must be set up so that when a channel is running, MediaLive itself has access to perform operations on resources that belong to your organization's AWS account. In other words, MediaLive must be set up as a *trusted entity* in your organization's AWS account. 

**Topics**
+ [About the trusted entity role](about-trusted-entity.md)
+ [Options for implementing the trusted entity](scenarios-for-medialive-role.md)
+ [Create the trusted entity - simple option](setup-trusted-entity-simple.md)
+ [Create the trusted entity - complex option](setup-trusted-entity-complex.md)

# About the trusted entity role


AWS Elemental MediaLive must be set up so that when a channel is running, MediaLive itself has access to perform operations on resources that belong to your organization's AWS account. For example, your deployment might use Amazon S3 as a source for files, such as blackout images, that MediaLive requires during processing. For MediaLive to obtain these files, it must have read access to some or all buckets in Amazon S3.

To perform the required operations on those resources, MediaLive must be set up as a *trusted entity* on your account. 

MediaLive is set up as a trusted entity as follows: A role (that belongs to your AWS account) identifies MediaLive as a trusted entity. One or more policies are attached to the role. Each policy contains statements about allowed operations and resources. The chain between the trusted entity, role, and policies makes this statement:

"MediaLive is allowed to assume this role in order to perform the operations on the resources that are specified in the policies."

![Diagram showing role connected to multiple policies and AWS Elemental MediaLive via trust relationship.](http://docs.aws.amazon.com/medialive/latest/ug/images/medialiveaccessrole.png)


After this role is created, the MediaLive user attaches the role to a specified channel, when they create or edit the channel. This attachment makes this statement:

"For this channel, MediaLive is allowed to assume this role in order to perform the operations on the resources specified in the policies."

The attachment is at the channel level, which gives you the flexibility to create different roles for different channels. Each role gives MediaLive access to different operations and, especially, different resources.

![Diagram showing role attached to channel, indicating service access flexibility.](http://docs.aws.amazon.com/medialive/latest/ug/images/medialiveaccessrole-to-channel.png)


# Options for implementing the trusted entity

There are two options for setting up the trusted entity role in AWS Elemental MediaLive: a simple option and a complex option. 

Your organization must decide which option to use. This decision must be made by a person in your organization who understands your organization's requirements for access to resources. This person must understand whether there is a requirement that AWS Elemental MediaLive channels should be restricted in their access to resources in other AWS services. For example, this person should determine whether channels should be restricted in their access to buckets in Amazon S3 so that a specified channel can access some buckets and not others.

**Topics**
+ [Simple option](#about-simple-scenario)
+ [Complex option](#about-complex-scenarios)

## Simple option


The simple option typically applies when both of the following are true: 
+ Users in your organization are using AWS Elemental MediaLive to encode the organization's own assets (not assets belonging to customers).
+ Your organization doesn't have rigorous rules about accessing assets. For example, you don't have video assets that can be handled only by specific users or departments. 

With the simple option, there is only one role: `MediaLiveAccessRole`. All channels use this role and all users in your organization can attach that role to the channels that they work with. 

The `MediaLiveAccessRole` role grants broad access to operations and complete access to all resources. It allows either read-only access or read/write access to all the services that MediaLive must access when a channel is running. And most significantly, it allows full access to all the resources associated with those services. 

If the simple option is suitable for your deployment, follow the steps in [Create the trusted entity - simple option](setup-trusted-entity-simple.md).

## Complex option


The complex option applies when the `MediaLiveAccessRole` role is too broad for your use, given that it allows broad access to operations and complete access to all resources. 

For example, you might have the following requirements:
+ A requirement that a given channel should be allowed to access only specific resources, and another channel should be allowed to access only specific, different resources. In a situation like this, you need to create several access roles. Each role narrows down permissions to a different set of resources.
+ A requirement that each user should be allowed to display only specific roles on the console, to prevent a user from viewing a role they should not know about or to prevent a user from selecting the wrong role. For example, you might want to set up so that only user A can work with workflow X, and you might further require that only user A knows about workflow X.

If the complex option is applicable to your deployment, follow the steps in [Create the trusted entity - complex option](setup-trusted-entity-complex.md).

# Create the trusted entity - simple option

Read this section if you decided that you should use the [simple option](scenarios-for-medialive-role.md) for setting up the trusted entity.

With the simple option, MediaLive users must have permissions to use the trusted entity wizard, which is in the **IAM Role** section on the **Channel and input details** pane:

![IAM role configuration for AWS Elemental MediaLive channel with options to use or create roles.](http://docs.aws.amazon.com/medialive/latest/ug/images/medialiveaccessrole_withUpdateButton.png)


You must set up all MediaLive users with permissions to use the wizard to perform two types of activities:
+ Create and update the MediaLiveAccessRole trusted entity. The first user to create a MediaLive channel creates the trusted entity. Then each time MediaLive releases a new feature that requires new permissions, a user must choose the **Update** button, which automatically updates the trusted entity. 
+ Use the wizard to attach the MediaLiveAccessRole trusted entity to a channel. Every time a user creates a channel, they must attach this trusted entity to the channel.

You must give all users the access described in the following table. All the actions are in the IAM service. Include all these actions in the policy (or in one of the policies) that you create for the users.


| Field in the wizard | Description | Actions | 
| --- | --- | --- | 
| Use existing role | Users must be able to select MediaLiveAccessRole from the selection field that accompanies the **Use existing role** field. | `ListRoles`, `PassRole` | 
| Create role from template | Users must be able to select the **Create role from template** field. (The role needs to be created only once, by the first user to create a channel. But it is easiest to give these permissions to all users.) | `CreateRole`, `PutRolePolicy`, `AttachRolePolicy` | 
| Specify custom role ARN | Users don't need to be able to select this field. They will use MediaLiveAccessRole. They will never use a custom role. | None | 
| Update button | This button appears only if MediaLiveAccessRole isn't up to date. Users must be able to choose this button so that MediaLive updates MediaLiveAccessRole with new permissions. Permissions must sometimes be added to the role when a new feature is added to MediaLive. | `GetRolePolicy`, `PutRolePolicy`, `AttachRolePolicy` | 

# Create the trusted entity - complex option

Read this section if you decided that you should use the [complex option](scenarios-for-medialive-role.md) for setting up the trusted entity. 

With the complex option, you must perform these tasks: 
+ Create policies and roles, and use those policies and roles to set up MediaLive as a trusted entity. This task is covered in steps 1, 2, and 3.
+ Set up all MediaLive users with permissions that let them attach a specific trust policy to a channel when they create or edit the channel. This task is covered in step 4.

**Topics**
+ [Identify the access requirements](complex-scenario-create-trusted-entity-role-step1.md)
+ [Create policies](complex-scenario-create-trusted-entity-role-step2.md)
+ [Create roles](complex-scenario-create-trusted-entity-role-step3.md)
+ [Set up user permissions](requirements-medialiverole-complex-permissions.md)
+ [Access requirements for the trusted entity](trusted-entity-requirements.md)

# Step 1: Identify the access requirements

You must identify the services that MediaLive will interact with in your deployment. Then within each service, you must identify the operations and resources that MediaLive needs access to. Finally, you must design the IAM policies that handle these requirements.

This requirements analysis must be performed by a person in your organization who understands your organization's requirements for access to resources. This person must understand whether there is a requirement that MediaLive channels should be restricted in their access to resources in other AWS services. For example, this person should determine whether channels should be restricted in their access to buckets in Amazon S3 so that a specified channel can access some buckets and not others.

**To determine the access requirements for MediaLive**

1. See the table in [Access requirements for the trusted entity](trusted-entity-requirements.md) for information about the services that MediaLive typically needs access to. Determine which of those services your deployment uses and which operations it needs.

1. Within a service, determine the number of policies that you need to create. Do you need several different combinations of objects and operations for different workflows, and do you need to keep those combinations separate from each other for security reasons? 

   Specifically, determine whether you need access to different resources for different workflows, and whether it's important to restrict access to specific resources. For example, in AWS Systems Manager Parameter Store you might have passwords that belong to different workflows, and you might want to allow only specific users to access the passwords for any given workflow.

   If different workflows have different requirements for objects, operations, and resources, then for that service you need separate policies for each workflow. 

1. Design each policy: identify the objects and operations that the policy allows (or denies), and the resources that it allows (or denies). 

1. Determine if any of the policies that you have identified are covered by a managed policy. 

1. For each workflow, identify the policies that you need for all the services that the workflow uses. When you create the policy, you will be able to include several services in the policy. You don't need to create a policy for each separate service. 

1. Identify the number of roles that you need. You need one role for each unique combination of policies. 

1. Assign names to all the policies and roles that you have identified. Make sure that you don't include sensitive identifying information (such as a customer account name) in these names. 

# Step 2: Create policies

After you have followed [Step 1](complex-scenario-create-trusted-entity-role-step1.md) to identify the policies that you need, you must create them on the IAM console. 

Follow this procedure for each policy. 

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**. Then choose **Create policy**. The **Create policy** wizard appears. This wizard walks you through the steps, including these key steps:
   + Select a service.
   + Select actions for that service.

     Typically (and by default), you specify the actions that you want to allow. 

     But you can also choose the **Switch to deny permissions** button to deny the chosen actions instead. We recommend as a security best practice that you deny permissions only if you want to override a permission separately allowed by another statement or policy. We recommend that you limit the number of deny permissions to a minimum because they can increase the difficulty of troubleshooting permissions.
   + [Specify resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html#access_controlling-resources) for each action (if supported for the action). For example, if you choose the MediaLive `DescribeChannel` action, you can specify the ARNs of specific channels. 
   + Specify conditions (optional). For example:
     + You can specify that a user is allowed to perform an action only when that user's request happens within a certain time range. 
     + You can specify that the user must use a multi-factor authentication (MFA) device to authenticate. 
     + You can specify that the request must originate from a range of IP addresses. 

     For lists of all of the context keys that you can use in a policy condition, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*.

1. Choose **Create policy**.

# Step 3: Create roles

Any person who is an administrator can perform the procedure to create a role and attach policies to the role. 

In [Identify the access requirements](complex-scenario-create-trusted-entity-role-step1.md), someone in your organization identified the roles that you need to create. Create those roles now using IAM. 

In this step, you create a role that consists of a trust policy ("let MediaLive call the `AssumeRole` action") and one or more policies (the [policies that you just created](complex-scenario-create-trusted-entity-role-step2.md)). In this way, MediaLive has permission to assume the role. When it assumes the role, it acquires the permissions specified in the policies. 

Follow this procedure for each role.

1. On the IAM console, in the navigation pane on the left, choose **Roles**, then **Create role**. The **Create role** wizard appears. This wizard walks you through the steps of setting up a trusted entity, and adding permissions (by adding a policy).

1. On the **Select trusted entity** page, choose the **Custom trust policy** card. The **Custom trust policy** section appears, with a sample policy.

1. Erase the sample, copy the following text, and paste the text in the **Custom trust policy** section. The **Custom trust policy** section now looks like this:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "medialive.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

1. Choose **Next**. 

1. On the **Add Permissions** page, find the policy or policies that you created (for example, `MedialiveForCurlingEvents`), and select the checkbox for each. Then choose **Next**.

1. On the review page, enter a name for the role. We recommend that you don't use the name `MediaLiveAccessRole` because it is reserved for the [simple option](scenarios-for-medialive-role.md#about-simple-scenario). 

   Instead, use a name that includes `Medialive` and describes this role's purpose. For example, `MedialiveAccessRoleForSports`.

1. Choose **Create role**.

1. On the **Summary** page for the role, make a note of the value in **Role ARN**. It looks like this:

   `arn:aws:iam::111122223333:role/medialiveWorkflow15`

   In the example, `111122223333` is your AWS account number. 

1. After you have created all the roles, make a list of the role ARNs. Include the following information in each item:
   + The role ARN.
   + A description of the workflow that the ARN applies to.
   + The users who can work with this workflow and therefore need the ability to attach this trust policy to the channels that they create and edit. 

   You will need this list when you [set up trusted entity access](requirements-medialiverole-complex-permissions.md) for users.

# Step 4: Set up user permissions

With the complex option, MediaLive users must have permissions to use the trusted entity wizard. This wizard is in the **IAM Role** section on the **Channel and input details** pane:

![IAM role configuration options for AWS Elemental MediaLive channel access permissions.](http://docs.aws.amazon.com/medialive/latest/ug/images/medialiveaccessrole_withUpdateButton.png)



## Set up wizard permissions


You must set up all MediaLive users with permission to type a trusted entity role ARN into the wizard. Users will refer to the list of roles that you will give them. 

You must give all users the access described in the following table. The action is in the IAM service. Include this action in the policy (or in one of the policies) that you create for the users.


| Field in the wizard | Description | Actions | 
| --- | --- | --- | 
| Use existing role | Users must not be able to view the list in the selection field that accompanies the **Use existing role** field. That list shows all the roles that are created in the AWS account. Users must not be able to select from this list. Instead of selecting an existing role, users will type a role ARN into the **Specify custom role ARN** field. | None | 
| Create role from template | Users must not be able to select the **Create role from template** field. Users don't create roles. Only administrators create roles. | None | 
| Specify custom role ARN | Users must be able to type a role ARN into the entry field that accompanies the **Specify custom role ARN** field. They must then be able to pass that role to MediaLive. | `iam:PassRole` | 
| Update button | Users do not need to be able to choose the **Update** button because this button only ever appears in implementations that use MediaLiveAccessRole. The complex option does not use this role; therefore, this button never appears. | None | 

## Information that users need


When a user creates a channel, they will pass a role to MediaLive to set up MediaLive with the correct trusted policies. You created these policies when you [set up the trusted entity](setup-trusted-entity-complex.md). Specifically, when you [created the trusted entity role](complex-scenario-create-trusted-entity-role-step3.md), you made a note of the ARNs of all the roles that you created.

You must give each user a list of the roles (identified by an ARN) that they must use with each workflow (channel) that they work with. 
+ Make sure that you give each user the correct roles for the workflows that they are responsible for. Each role gives MediaLive access to the resources that apply to a specific workflow.
+ Each user probably has a different list of roles.

When the user selects **Specify custom role ARN**, the user will consult their list to find the workflow the channel applies to and the role ARN that therefore applies.
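As an added example (not from the AWS documentation), the following Python builds the user-side identity policies that the two wizard tables describe: the simple-option wizard actions scoped to `MediaLiveAccessRole`, and one `iam:PassRole` policy per user generated from the step 3 list of role ARNs, workflows and users. The account number, role names, workflow descriptions and user names are constructed sample values, and the `iam:PassedToService` condition is an additional least-privilege restriction that the tables do not mention.

```python
"""Generate least-privilege identity policies for the MediaLive trusted-entity wizard.
Added example, not from the AWS documentation. The account number, role names,
workflow descriptions and user names below are constructed sample values."""
import json
import re

MEDIALIVE_SERVICE = "medialive.amazonaws.com"
RESERVED_ROLE_NAME = "MediaLiveAccessRole"  # reserved for the simple option
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def pass_role_statement(role_arns):
    """Allow iam:PassRole only for the listed roles, and only when the role is
    passed to MediaLive (iam:PassedToService), so a user who may pass a role to
    a channel cannot pass the same role to some other service."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": sorted(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": MEDIALIVE_SERVICE}},
    }


def simple_option_policy(account_id):
    """Simple option: the wizard actions from the table, scoped to the one role.
    iam:ListRoles has no resource-level permissions, so its Resource must be "*"."""
    role_arn = f"arn:aws:iam::{account_id}:role/{RESERVED_ROLE_NAME}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["iam:CreateRole", "iam:GetRolePolicy",
                        "iam:PutRolePolicy", "iam:AttachRolePolicy"],
             "Resource": role_arn},
            pass_role_statement([role_arn]),
        ],
    }


def complex_option_policies(role_list):
    """Complex option: turn the step 3 list of (role ARN, workflow, users) into
    one identity policy per user that passes only that user's workflow roles."""
    roles_by_user = {}
    for role_arn, workflow, users in role_list:
        if not ROLE_ARN_RE.match(role_arn):
            raise ValueError(f"{workflow}: not an IAM role ARN: {role_arn}")
        if role_arn.rsplit("/", 1)[1] == RESERVED_ROLE_NAME:
            raise ValueError(f"{workflow}: {RESERVED_ROLE_NAME} is reserved for the simple option")
        for user in users:
            roles_by_user.setdefault(user, set()).add(role_arn)
    return {user: {"Version": "2012-10-17", "Statement": [pass_role_statement(arns)]}
            for user, arns in roles_by_user.items()}


# Constructed sample list in the shape produced by step 3: (role ARN, workflow, users).
EXAMPLE_ROLE_LIST = [
    ("arn:aws:iam::111122223333:role/MedialiveAccessRoleForSports", "Sports", ["alice", "bob"]),
    ("arn:aws:iam::111122223333:role/medialiveWorkflow15", "Workflow 15", ["bob"]),
]

if __name__ == "__main__":
    print(json.dumps(simple_option_policy("111122223333"), indent=2))
    print(json.dumps(complex_option_policies(EXAMPLE_ROLE_LIST), indent=2))
```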

# Access requirements for the trusted entity

The information about permissions for the trusted entity has been updated to include the permissions that MediaLive needs if you use any of the Elemental Inference features.

The following table shows all the types of permissions that the MediaLive trusted entity might need. Refer to this table when you [identify the access requirements for the MediaLive trusted entity](complex-scenario-create-trusted-entity-role-step1.md). 

Each row in the table describes a task or set of related tasks that the MediaLive trusted entity might need to perform for a user. The third column describes the type of access that the trusted entity requires to perform that task. The last column lists the IAM actions or policy that control that access. 


[See the full table on the AWS documentation website](http://docs.aws.amazon.com/medialive/latest/ug/trusted-entity-requirements.html)