

# Create the trusted entity - complex option
<a name="setup-trusted-entity-complex"></a>

Read this section if you decided that you should use the [complex option](scenarios-for-medialive-role.md) for setting up the trusted entity. 

With the complex option, you must perform these tasks: 
+ Create policies and roles, and use those policies and roles to set up MediaLive as a trusted entity. This task is covered in steps A, B, and C.
+ Set up all MediaLive users with permissions that let them attach a specific trust policy to a channel, when they create or edit the channel. This task is covered in step D.

**Topics**
+ [Identify the access requirements](complex-scenario-create-trusted-entity-role-step1.md)
+ [Create policies](complex-scenario-create-trusted-entity-role-step2.md)
+ [Create roles](complex-scenario-create-trusted-entity-role-step3.md)
+ [Set up user permissions](requirements-medialiverole-complex-permissions.md)
+ [Access requirements for the trusted entity](trusted-entity-requirements.md)

# Identify the access requirements
<a name="complex-scenario-create-trusted-entity-role-step1"></a>

You must identify the services that MediaLive will interact with in your deployment. Then within each service, you must identify the operations and resources that MediaLive needs access to. Finally, you must design the IAM policies that handle these requirements.

This requirements analysis must be performed by a person in your organization who understands your organization's requirements for access to resources. This person must understand whether there is a requirement that MediaLive channels should be restricted in their access to resources in other AWS services. For example, this person should determine whether channels should be restricted in their access to buckets in Amazon S3 so that a specified channel can access some buckets and not others.

**To determine the access requirements for MediaLive**

1. See the table in [Access requirements for the trusted entity](trusted-entity-requirements.md) for information about the services that MediaLive typically needs access to. Determine which of those services your deployment uses and which operations it needs.

1. Within a service, determine the number of policies that you need to create. Do you need several different combinations of objects and operations for different workflows, and do you need to keep those combinations separate from each other for security reasons? 

   Specifically, determine whether you need access to different resources for different workflows, and whether it's important to restrict access to specific resources. For example, in AWS Systems Manager Parameter Store you might have passwords that belong to different workflows, and you might want to allow only specific users to access the passwords for any given workflow.

   If different workflows have different requirements for objects, operations, and resources, then for that service you need separate policies for each workflow. 

1. Design each policy: identify the allowed (or not allowed) objects, operations, and the allowed (or not allowed) resources in the policy. 

1. Determine if any of the policies that you have identified are covered by a managed policy. 

1. For each workflow, identify the policies that you need for all the services that the workflow uses. When you create the policy, you will be able to include several services in the policy. You don't need to create a policy for each separate service. 

1. Identify the number of roles that you need. You need one role for each unique combination of policies. 

1. Assign names to all the policies and roles that you have identified. Make sure that you don't include sensitive identifying information (such as a customer account name) in these names. 

# Create policies
<a name="complex-scenario-create-trusted-entity-role-step2"></a>

After you have followed [Step A](complex-scenario-create-trusted-entity-role-step1.md) to identify the policies that you need, you must create them on the IAM console. 

Follow this procedure for each policy. 

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**. Then choose **Create policy**. The **Create policy** wizard appears. This wizard walks you through the steps, including these key steps:
   + Select a service.
   + Select actions for that service.

     Typically (and by default), you specify the actions that you want to allow. 

     But you can also choose the **Switch to deny permissions** button to deny the chosen actions instead. We recommend as a security best practice that you deny permissions only if you want to override a permission separately allowed by another statement or policy. We recommend that you limit the number of deny permissions to a minimum because they can increase the difficulty of troubleshooting permissions.
   + [Specify resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html#access_controlling-resources) for each action (if supported for the action). For example, if you choose the MediaLive `DescribeChannel` action, you can specify the ARNs of specific channels. 
   + Specify conditions (optional). For example:
     + You can specify that a user is allowed to perform an action only when that user's request happens within a certain time range. 
     + You can specify that the user must use a multi-factor authentication (MFA) device to authenticate. 
     + You can specify that the request must originate from a range of IP addresses. 

     For lists of all of the context keys that you can use in a policy condition, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*.

1. Choose **Create policy**.
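As an added example (not part of the MediaLive documentation), the following Python builds the two documents that the policy design in step A and this procedure call for: the trust policy that lets the MediaLive service principal assume a role, and a permissions policy scoped to one workflow's S3 buckets and Parameter Store passwords. The workflow, bucket and parameter names, region and account number are constructed placeholders, and the wildcard check at the end is an added least-privilege sanity test.

```python
# Constructed sample inputs for one workflow; the names, region and account
# number are placeholders, not values from the MediaLive documentation.
WORKFLOW = "sports"
ACCOUNT_ID = "111122223333"
S3_BUCKETS = ["example-sports-archive"]
SSM_PARAMETER_ARNS = [
    f"arn:aws:ssm:us-west-2:{ACCOUNT_ID}:parameter/medialive/{WORKFLOW}/*"
]

def trust_policy():
    """Trust policy: only the MediaLive service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "medialive.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

def permissions_policy(buckets, parameter_arns):
    """Permissions policy limited to this workflow's buckets and parameters."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListWorkflowBuckets", "Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
            {"Sid": "ReadWriteWorkflowObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
            {"Sid": "ReadWorkflowPasswords", "Effect": "Allow",
             "Action": ["ssm:GetParameter", "ssm:GetParameters"],
             "Resource": list(parameter_arns)},
        ],
    }

def find_wildcard_resources(policy):
    """Sids of Allow statements that grant access to every resource ('*')."""
    found = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found
```

Paste the output of `permissions_policy` into the JSON editor of the **Create policy** wizard, one document per workflow; `find_wildcard_resources` returning an empty list confirms that no statement was left unscoped.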

# Create roles
<a name="complex-scenario-create-trusted-entity-role-step3"></a>

Any person who is an administrator can perform the procedure to create a role and attach policies to the role. 

In [Identify the access requirements](complex-scenario-create-trusted-entity-role-step1.md), someone in your organization identified the roles that you need to create. Create those roles now using IAM. 

In this step, you create a role that consists of a trust policy ("let MediaLive call the `AssumeRole` action") and one or more policies (the [policies that you just created](complex-scenario-create-trusted-entity-role-step2.md)). In this way, MediaLive has permission to assume the role. When it assumes the role, it acquires the permissions specified in the policies. 

Follow this procedure for each role.

1. On the IAM console, in the navigation pane on the left, choose **Roles**, then **Create Role**. The **Create role** wizard appears. This wizard walks you through the steps of setting up a trusted entity, and adding permissions (by adding a policy).

1. On the **Select trusted entity** page, choose the **Custom trust policy** card. The **Custom trust policy** section appears, with a sample policy.

1. Erase the sample, copy the following text, and paste the text in the **Custom trust policy** section. The **Custom trust policy** section now looks like this:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "medialive.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

1. Choose **Next**. 

1. On the **Add Permissions** page, find the policy or policies that you created (for example, `MedialiveForCurlingEvents`), and select the checkbox for each. Then choose **Next**.

1. On the review page, enter a name for the role. We recommend that you don't use the name `MediaLiveAccessRole` because it is reserved for the [simple option](scenarios-for-medialive-role.md#about-simple-scenario). 

   Instead, use a name that includes `Medialive` and describes this role's purpose. For example, `MedialiveAccessRoleForSports`.

1. Choose **Create role**.

1. On the **Summary** page for the role, make a note of the value in **Role ARN**. It looks like this:

   `arn:aws:iam::111122223333:role/medialiveWorkflow15`

   In the example, `111122223333` is your AWS account number. 

1. After you have created all the roles, make a list of the role ARNs. Include the following information in each item:
   + The role ARN.
   + A description of the workflow that the ARN applies to.
   + The users who can work with this workflow and therefore need the ability to attach this trust policy to the channels that they create and edit. 

   You will need this list when you [set up trusted entity access](requirements-medialiverole-complex-permissions.md) for users.

# Set up user permissions
<a name="requirements-medialiverole-complex-permissions"></a>

With the complex option, MediaLive users must have permissions to use the trusted entity wizard. This wizard is in the **IAM Role** section on the **Channel and input details** pane:

![\[IAM role configuration options for AWS Elemental MediaLive channel access permissions.\]](http://docs.aws.amazon.com/medialive/latest/ug/images/medialiveaccessrole_withUpdateButton.png)


## Set up wizard permissions
<a name="requirements-medialiverole-complex-wizard"></a>

You must set up all MediaLive users with permission to type a trusted entity role ARN into the wizard. Users will refer to the list of roles that you will give them. 

You must give all users the access described in the following table. The action is in the IAM service. Include this action in the policy (or in one of the policies) that you create for the users.


| Fields in the wizard | Description | Actions | 
| --- | --- | --- | 
| Use existing role | Users must not be able to view the list in the selection field that accompanies the Use existing role field. That list shows all the roles that are created in the AWS account. Users must not be able to select from this list. Instead of selecting an existing role, users will type a role into the **Specify custom role ARN** field. | None | 
|  **Create role from template option**  | Users must not be able to select the Create role from template field. Users don't create roles. Only administrators create roles. | None | 
| Specify custom role ARN | Users must be able to type a role into the entry field that accompanies the Specify custom role ARN field. They must then be able to pass that role to MediaLive. | iam:PassRole | 
| Update | Users do not need to be able to choose the Update button because this button only ever appears in implementations that use MediaLiveAccessRole. The complex option does not use this role; therefore, this button never appears. | None | 

## Information that users need
<a name="requirements-medialiverole-complex-data"></a>

When a user creates a channel, they will pass a role to MediaLive to set up MediaLive with the correct trusted policies. You created these policies when you [set up the trusted entity](setup-trusted-entity-complex.md). Specifically, when you [created the trusted entity role](complex-scenario-create-trusted-entity-role-step3.md), you made a note of the ARNs of all the roles that you created.

You must give each user a list of the roles (identified by an ARN) that they must use with each workflow (channel) that they work with. 
+ Make sure that you give each user the correct roles for the workflows that they are responsible for. Each role gives MediaLive access to the resources that apply to a specific workflow.
+ Each user probably has a different list of roles.

When the user selects **Specify custom role ARN**, the user will consult their list to find the workflow the channel applies to and the role ARN that therefore applies.
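The user side of this, as an added example rather than code from the MediaLive documentation: a Python helper that turns a user's role list into the `iam:PassRole` policy described in the wizard table, restricted to the listed role ARNs. The `iam:PassedToService` condition is an additional tightening that this page does not describe (it assumes no other service needs to be passed these roles); the role names are constructed placeholders and `111122223333` is the documentation's placeholder account number.

```python
# Constructed sample role list for one user, in the shape of the list made
# in the "Create roles" procedure. The role names are placeholders.
USER_ROLE_LIST = [
    {"role_arn": "arn:aws:iam::111122223333:role/MedialiveAccessRoleForSports",
     "workflow": "Sports channels"},
    {"role_arn": "arn:aws:iam::111122223333:role/MedialiveAccessRoleForNews",
     "workflow": "News channels"},
]

def pass_role_policy(role_list):
    """Allow iam:PassRole only for the roles on this user's list, and only to MediaLive."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PassListedRolesToMediaLiveOnly",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [item["role_arn"] for item in role_list],
            "Condition": {
                "StringEquals": {"iam:PassedToService": "medialive.amazonaws.com"}
            },
        }],
    }

def passrole_is_scoped(policy):
    """True if every iam:PassRole Allow names explicit role ARNs and is tied to MediaLive."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "iam:PassRole" not in actions:
            continue
        resources = stmt.get("Resource", "*")
        resources = resources if isinstance(resources, list) else [resources]
        # A bare '*' or a 'role/*' suffix would let the user pass any role in the account.
        if any(r == "*" or r.endswith("role/*") for r in resources):
            return False
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("iam:PassedToService") != "medialive.amazonaws.com":
            return False
    return True
```

Attach the generated policy to the user (or their group) alongside their MediaLive permissions; `passrole_is_scoped` is a quick check to run over an existing user policy before approving it.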

# Access requirements for the trusted entity
<a name="trusted-entity-requirements"></a>

The following table shows all the types of permissions that the MediaLive trusted entity might need. Refer to this table when you [identify the access requirements for the MediaLive trusted entity](complex-scenario-create-trusted-entity-role-step1.md). 

Each row in the table describes a task or set of related tasks that the MediaLive trusted entity might need to perform for a user. The third column describes the type of access that the trusted entity requires to perform that task. The last column lists the IAM actions or policy that control that access. 

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/medialive/latest/ug/trusted-entity-requirements.html)