

# Resource-based policy examples
<a name="using-iam-policies"></a>

A resource policy is an access policy option available for granting permission to your MediaPackage resources. [Resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based) are JSON policy documents. 

The topics in this section describe the key policy language elements, with focus on MediaPackage–specific details, and provide example resource policies. We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your MediaPackage resources. 

To learn how to attach a resource-based policy to a channel, see **[Creating a channel in AWS Elemental MediaPackage](channels-create.md)**.

**Topics**
+ [Policies and Permissions in MediaPackage](policies-permissions.md)
+ [Ingest authorization](ingest-auth.md)
+ [Origin endpoint authorization](endpoint-auth.md)

# Policies and Permissions in MediaPackage
<a name="policies-permissions"></a>

This page provides an overview of resource policies in MediaPackage and describes the basic elements of a policy. Each listed element links to more details about that element and examples of how to use it. 

For a complete list of MediaPackage actions, resources, and condition keys, see [Actions, resources, and condition keys for AWS Elemental MediaPackage](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html) in the *Service Authorization Reference*.

In its most basic sense, a policy contains the following elements:
+ **Resources** - Channels and origin endpoints are the MediaPackage resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource. For more information, see [MediaPackage resources](actions-resources-conditions-overview.md#resources-arn-format).
**Important**  
Wildcards are not allowed in the resource ARN in [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based). The policy must contain the explicit ARN for each resource that it applies to.
+ **Actions** - For each resource, MediaPackage supports a set of operations. You identify resource operations that you will allow (or deny) by using action keywords. For more information, see [IAM JSON Policy Elements: Action](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html).
+ **Effect** - This determines what the effect will be when the user requests the specific action. This can be either *allow* or *deny*.

  If you do not explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to make sure that a user can't access the resource, even if a different policy grants access. For more information, see [IAM JSON Policy Elements: Effect](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html).
+ **Principal** - The account or user who is allowed access to the actions and resources in the statement. In a resource policy, the principal is the user, account, service, or other entity that is the recipient of this permission. For more information, see [Principals](policy-principal.md) and [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html).
+ **Condition** - These are the conditions under which a statement takes effect. You can use AWS‐wide keys and MediaPackage‐specific keys to specify conditions in a MediaPackage access policy. For more information, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

To illustrate, consider the following `Allow` policy. With this policy in effect, the IAM user Jane Doe has `mediapackagev2:GetObject` and `mediapackagev2:GetHeadObject` permissions on all objects from the specified origin endpoint, on the condition that her requests are made over HTTPS (`aws:SecureTransport` is `true`).

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowJaneDoe",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:user/JaneDoe" },
            "Action": ["mediapackagev2:GetObject", "mediapackagev2:GetHeadObject"],
            "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName/originEndpoint/OriginEndpointName",
            "Condition": {
                "Bool": { "aws:SecureTransport": "true" }
            }
        }
    ]
}
```

------

Resource policies are specific to the resource to which they are applied. You must attach the policy explicitly to each resource that requires it.

For example, an origin endpoint policy that allows anonymous `GetObject` on one origin endpoint grants nothing on any other origin endpoint, even a sibling under the same channel whose ARN differs only in the final `originEndpoint/` segment. Each endpoint that should be reachable needs its own policy, naming its own ARN.

For more, see the topics below. For complete policy language information, see [Policies and Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

**Topics**
+ [Principals](policy-principal.md)
+ [Actions, resources, and condition keys in MediaPackage](actions-resources-conditions-overview.md)

# Principals
<a name="policy-principal"></a>

The `Principal` element specifies the user, account, service, or other entity that is allowed or denied access to a resource. For more information, see [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.

## Grant permissions to an AWS account
<a name="grant-permissions-aws"></a>

To grant permissions to an AWS account, identify the account using the following format.

```
"AWS":"account-ARN"
```

The following are examples.

```
"Principal":{"AWS":"arn:aws:iam::AccountIDWithoutHyphens:root"}
```

```
"Principal":{"AWS":["arn:aws:iam::AccountID1WithoutHyphens:root","arn:aws:iam::AccountID2WithoutHyphens:root"]}
```

## Grant permissions to an IAM user
<a name="grant-permissions-iam"></a>

To grant permission to an IAM user within your account, you must provide an `"AWS":"user-ARN"` name-value pair.

```
"Principal":{"AWS":"arn:aws:iam::account-number-without-hyphens:user/username"}
```

**Note**  
If an IAM identity is deleted after you update your resource policy, the resource policy will show a unique identifier in the principal element instead of an ARN. These unique IDs are never reused, so you can safely remove principals with unique identifiers from all of your policy statements. For more information about unique identifiers, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) in the *IAM User Guide*.

## Grant anonymous permissions
<a name="grant-permissions-anonymous"></a>

To grant permission to everyone, also referred to as anonymous access, set the wildcard (`"*"`) as the `Principal` value. Use this, for example, when clients that can't sign requests with AWS credentials need to fetch content from your origin endpoints.

```
"Principal":"*"
```

```
"Principal":{"AWS":"*"}
```

Using `"Principal": "*"` with an `Allow` effect in a resource-based policy allows anyone, even if they’re not signed in to AWS, to access your resource. 

Using `"Principal" : { "AWS" : "*" }` with an `Allow` effect in a resource-based policy allows any root user, IAM user, assumed-role session, or federated user in any account in the same partition to access your resource.

For anonymous users, these two methods are equivalent. For more information, see [All principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous) in the *IAM User Guide*.

You cannot use a wildcard to match part of a principal name or ARN.

**Important**  
Because anyone can create an AWS account, the **security level** of these two methods is equivalent, even though they function differently.

**Warning**  
Use caution when granting anonymous access to your MediaPackage origin endpoints. When you grant anonymous access, anyone in the world can fetch content from that origin endpoint. Scope such grants with a condition (for example, `aws:SourceIp`) wherever you can. MediaPackage doesn't support anonymous `PutObject`, so never rely on a public principal for ingest; name the encoder's IAM principal instead.

# Actions, resources, and condition keys in MediaPackage
<a name="actions-resources-conditions-overview"></a>

AWS Elemental MediaPackage (service prefix: `mediapackagev2`) provides service-specific resources, actions, and condition context keys for use in IAM permission policies. For the full list, see [Actions, resources, and condition keys for AWS Elemental MediaPackage](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html) in the *Service Authorization Reference*.

## MediaPackage Actions
<a name="actions-overview"></a>

MediaPackage defines a set of permissions that you can specify in a policy. These are keywords, each of which maps to a specific MediaPackage operation. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

## MediaPackage resources
<a name="resources-arn-format"></a>

The following Amazon Resource Name (ARN) format identifies an origin endpoint in MediaPackage. A channel ARN has the same form but ends after `channel/${ChannelName}`, as in the channel policy examples on this page:

```
arn:${Partition}:mediapackagev2:${Region}:${AccountID}:channelGroup/${ChannelGroupName}/channel/${ChannelName}/originEndpoint/${OriginEndpointName}
```

For information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*. 

For information about resources, see [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the *IAM User Guide*.

A MediaPackage ARN includes the following:
+ **Partition** ‐ `aws` is a common partition name. If your resources are in the China (Beijing) Region, `aws-cn` is the partition name.
+ **Region** ‐ The AWS Region.
+ **AccountID** ‐ Your AWS account number.
+ **ChannelGroupName** ‐ The name of the channel group.
+ **ChannelName** ‐ The name of the channel.
+ **OriginEndpointName** ‐ The name of the origin endpoint.

## MediaPackage condition keys
<a name="conditions-overview"></a>

The access policy language lets you specify conditions under which a statement takes effect. You do this with the optional `Condition` element (also called the Condition block). You can use predefined AWS‐wide keys and MediaPackage‐specific keys in a MediaPackage access policy. In the `Condition` element, you build expressions from condition operators (such as `StringEquals`, `Bool`, and `IpAddress`) that match a condition key against values in the request; the examples on this page use `aws:SecureTransport`, `aws:SourceAccount`, and `aws:SourceIp`.
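The following Python module is an added example, not code from the MediaPackage documentation or from AWS: an offline model of how the policy elements described above are evaluated (Effect, Principal, Resource, and the `Bool`, `StringEquals`, and `IpAddress` condition operators this page uses). It embeds the `AllowJaneDoe` policy from earlier in this section plus a constructed Deny statement for a blocked network, and shows the decision rules in action: an explicit Deny overrides an Allow, a request that matches no statement is implicitly denied, `"*"` matches anonymous callers while `{"AWS": "*"}` does not, and Resource ARNs are compared exactly because MediaPackage allows no wildcards in them. It is a model of the evaluation logic for reasoning about a policy before you attach it, not the IAM engine itself.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    action: str
    resource: str
    principal: Optional[str] = None          # caller's IAM ARN; None means anonymous
    service: Optional[str] = None            # e.g. "mediapackagev2.amazonaws.com"
    context: dict = field(default_factory=dict)  # aws:* condition key values


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, req):
    if spec == "*":                              # anyone, signed in or not
        return True
    if not isinstance(spec, dict):
        return False
    for arn in _as_list(spec.get("AWS", [])):
        if arn == "*" and req.principal is not None:   # any authenticated AWS principal
            return True
        if arn == req.principal:                 # exact ARN; partial wildcards are not allowed
            return True
    return req.service is not None and req.service in _as_list(spec.get("Service", []))


def _condition_matches(block, ctx):
    ctx = {k.lower(): v for k, v in ctx.items()}  # condition key names are case-insensitive
    for operator, pairs in block.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False                     # a missing key never satisfies these operators
            wanted = [str(w) for w in _as_list(wanted)]
            if operator == "Bool":
                ok = str(actual).lower() == wanted[0].lower()
            elif operator == "StringEquals":
                ok = str(actual) in wanted
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(c, strict=False) for c in wanted)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def _applies(stmt, req):
    return (req.action in _as_list(stmt["Action"])
            and req.resource in _as_list(stmt["Resource"])  # exact match: no ARN wildcards
            and _principal_matches(stmt["Principal"], req)
            and _condition_matches(stmt.get("Condition", {}), req.context))


def evaluate(policy, req):
    """Explicit Deny wins; otherwise Allow if any statement allows; otherwise implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _applies(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


ENDPOINT_ARN = ("arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName"
                "/channel/ChannelName/originEndpoint/OriginEndpointName")
JANE = "arn:aws:iam::111122223333:user/JaneDoe"

# The page's AllowJaneDoe statement plus a constructed Deny for one blocked network.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowJaneDoe", "Effect": "Allow", "Principal": {"AWS": JANE},
     "Action": ["mediapackagev2:GetObject", "mediapackagev2:GetHeadObject"],
     "Resource": ENDPOINT_ARN, "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "DenyBlockedRange", "Effect": "Deny", "Principal": "*",
     "Action": "mediapackagev2:GetObject", "Resource": ENDPOINT_ARN,
     "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}},
]}


def demo():
    """Decisions for a few constructed requests against SAMPLE_POLICY."""
    https = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10"}
    http = {**https, "aws:SecureTransport": "false"}
    blocked = {**https, "aws:SourceIp": "198.51.100.7"}
    get = "mediapackagev2:GetObject"
    return {
        "jane_https": evaluate(SAMPLE_POLICY, Request(get, ENDPOINT_ARN, JANE, context=https)),
        "jane_http": evaluate(SAMPLE_POLICY, Request(get, ENDPOINT_ARN, JANE, context=http)),
        "jane_blocked_ip": evaluate(SAMPLE_POLICY, Request(get, ENDPOINT_ARN, JANE, context=blocked)),
        "anonymous_https": evaluate(SAMPLE_POLICY, Request(get, ENDPOINT_ARN, context=https)),
        "other_endpoint": evaluate(SAMPLE_POLICY, Request(get, ENDPOINT_ARN + "2", JANE, context=https)),
    }
```

`demo()` returns `Allow` only for Jane over HTTPS from an unblocked address; her plain-HTTP request, her request from the blocked range (explicit Deny beats the Allow), an anonymous request, and a request for a different endpoint ARN all come back `Deny`.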

# Ingest authorization
<a name="ingest-auth"></a>

MediaPackage ingest requests usually originate from a video encoder.

**Topics**
+ [AWS Elemental MediaLive](#ingest-medialive)
+ [AWS Elemental Live](#ingest-elemental-live)
+ [Third-party encoders](#ingest-third-party)

## AWS Elemental MediaLive
<a name="ingest-medialive"></a>

This example illustrates a channel policy that permits a MediaLive channel, acting through the `MediaLiveAccessRole` role, to ingest content into a MediaPackage channel.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Id": "AllowMediaLiveChannelToIngestToEmpChannel",
    "Statement": [
        {
            "Sid": "AllowMediaLiveRoleToAccessEmpChannel",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/MediaLiveAccessRole"
            },
            "Action": "mediapackagev2:PutObject",
            "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName"
        }
    ]
}
```

------

## AWS Elemental Live
<a name="ingest-elemental-live"></a>

If you provide Elemental Live with an access key ID and secret access key, it can request access as an IAM identity. To grant your Elemental Live encoder access to your MediaPackage channel, you can apply the following `Allow` policy.

1. In IAM, create an IAM user such as `ElementalLiveMediaPackageUser` with **Programmatic access**.

1. In MediaPackage, create or edit a channel to include the following channel policy.

------
#### [ JSON ]

****  

   ```
   {
       "Version": "2012-10-17",
       "Id": "AllowIamUser",
       "Statement": [
           {
               "Sid": "AllowIamUserToEmpChannel",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::111122223333:user/ElementalLiveMediaPackageUser"
               },
               "Action": "mediapackagev2:PutObject",
               "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName"
           }
       ]
   }
   ```

------

1. In IAM, create an access key for `ElementalLiveMediaPackageUser` (the same user named in the channel policy). Save the access key .csv file in a secure location to retain a permanent record of the access key ID and secret access key.

   The access key ID looks like this: AKIAIOSFODNN7EXAMPLE

   The secret access key looks like this: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

   For more information, see [Programmatic access](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) in the *AWS General Reference*.

1. Share the access key ID and the secret access key with the Elemental Live operator. Do *not* give the username and password to the operator.

By following these steps, you create an IAM user with only the permission that Elemental Live needs to send content to MediaPackage. When the operator sets up the output with MediaPackage as the destination, they enter the access key ID and secret access key. During the Elemental Live event, Elemental Live uses those credentials to sign each request to MediaPackage: the access key ID identifies the IAM user, and the secret access key never leaves the encoder and is used only to compute the request signature. The channel policy then authorizes the signed requests.

## Third-party encoders
<a name="ingest-third-party"></a>

Third-party encoders that support AWS authorization operate similarly to Elemental Live, as described earlier. To grant access, create an IAM user and a MediaPackage channel resource policy that permits the user to call `PutObject`. On the encoder's side, use the IAM user access key ID and secret access key to sign the requests.

# Origin endpoint authorization
<a name="endpoint-auth"></a>

MediaPackage egress requests usually originate from CDNs, but they may also come from other sources such as customer-owned monitoring scripts or operators using web browsers like Safari or Chrome to view the video stream and identify any issues.

**Topics**
+ [MediaPackage L2V Harvester](#mediapackage-endpoint)
+ [Third-party CDNs that support AWS authorization](#endpoint-third-party)
+ [Clients that don't support AWS authorization](#endpoint-no-aws)

## MediaPackage L2V Harvester
<a name="mediapackage-endpoint"></a>

To allow MediaPackage harvest jobs to get content from your origin endpoint, create or edit an origin endpoint with the following endpoint policy. For more information about harvest jobs, see [Creating live-to-VOD assets with MediaPackage](live-to-vod.md).

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Id": "MediaPackageHarvesterAccessPolicy",
    "Statement": [
        {
            "Sid": "AllowMediaPackageHarvestObjectAccess",
            "Effect": "Allow",
            "Principal": {
                "Service": "mediapackagev2.amazonaws.com"
            },
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                }
            },
            "Action": [
                "mediapackagev2:HarvestObject",
                "mediapackagev2:GetObject"
            ],
            "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName/originEndpoint/OriginEndpointName"
        }
    ]
}
```

------

## Third-party CDNs that support AWS authorization
<a name="endpoint-third-party"></a>

To authorize an external CDN that supports AWS authorization, create an IAM user for the CDN, allow that user in the origin endpoint policy, and give the CDN the user's access key ID and secret access key. For example, to give your CDN provider access to your MediaPackage origin endpoint, follow this procedure.

1. In IAM, create an IAM user such as `CDNProviderMediaPackageAccessUser` with **Programmatic access**.

1. In MediaPackage, create or edit an origin endpoint to include the following endpoint policy.

------
#### [ JSON ]

****  

   ```
   {
       "Version": "2012-10-17",
       "Id": "PolicyForCDNProviderPrivateContent",
       "Statement": [
           {
               "Sid": "AllowCDNProviderUser",
               "Effect": "Allow",
               "Principal": { "AWS": "arn:aws:iam::111122223333:user/CDNProviderMediaPackageAccessUser" },
               "Action": "mediapackagev2:GetObject",
               "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName/originEndpoint/OriginEndpointName"
           }
       ]
   }
   ```

------

1. In IAM, create an access key for `CDNProviderMediaPackageAccessUser`. Save the access key .csv file in a secure location to retain a permanent record of the access key ID and secret access key.

   The access key ID looks like this: AKIAIOSFODNN7EXAMPLE

   The secret access key looks like this: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

   For more information, see [Programmatic access](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) in the *AWS General Reference*.

1. Follow the instructions in your CDN provider's documentation for authenticating with AWS access keys.

By following these steps, you create an IAM user with only the permission that the external CDN needs to make requests to MediaPackage. When the CDN provider configures MediaPackage as the origin, they enter the access key ID and secret access key. The CDN then uses those credentials to sign each request to the origin endpoint (the secret access key itself is never sent), and the endpoint policy authorizes the signed requests.

## Clients that don't support AWS authorization
<a name="endpoint-no-aws"></a>

Clients without AWS authorization support can be granted access to origin endpoints either by enabling anonymous access or by restricting access to specific IP ranges using the `aws:SourceIp` condition key. This is useful for clients such as external CDNs that don't support AWS authorization, as well as monitoring scripts and human operators who may use web browsers to visually inspect a video stream. For information about condition keys, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

### Anonymous access
<a name="endpoint-anonymous"></a>

Consider the following `Allow` policy. With this policy in effect, MediaPackage allows anonymous access to the `mediapackagev2:GetObject` action on the origin endpoint named in the policy.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Id": "AnonymousAccessPolicy",
    "Statement": [
        {
            "Sid": "AllowAnonymousAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "mediapackagev2:GetObject",
            "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName/originEndpoint/OriginEndpointName"
        }
    ]
}
```

------

MediaPackage doesn't support anonymous access for `PutObject` API calls.

### Cross-account access
<a name="endpoint-cross-account-access"></a>

Consider the following `Allow` policy. With this policy in effect, MediaPackage allows principals in a different account (`444455556666`) to call `mediapackagev2:GetObject` on the origin endpoint owned by account `111122223333`. Because the principal is the other account's root, that account's own IAM policies decide which of its users and roles can actually use the grant.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountAccess",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
            "Action": "mediapackagev2:GetObject",
            "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName/originEndpoint/OriginEndpointName"
        }
    ]
}
```

------

### Restrict access by IP range
<a name="restrict-ip"></a>

Consider the following `Allow` policy. With this policy in effect, MediaPackage allows anonymous `mediapackagev2:GetObject` requests only from IP addresses in the range `203.0.113.0` to `203.0.113.255` (`203.0.113.0/24`), using the `aws:SourceIp` condition key; requests from any other address match no statement and fall through to the implicit deny. `aws:SourceIp` is the public address from which the request reaches MediaPackage, so if a CDN fetches on behalf of viewers, the CIDR block must cover the CDN's egress addresses, not the viewers'. For information about condition keys, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Id": "IpRangePolicy",
    "Statement": [
        {
            "Sid": "RestrictByIpRange",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "mediapackagev2:GetObject",
            "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName/channel/ChannelName/originEndpoint/OriginEndpointName",
            "Condition": {
                "IpAddress": { "aws:SourceIp": "203.0.113.0/24" }
            }
        }
    ]
}
```

------
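The following Python helper is an added example, not code from this documentation or from AWS, and it serves the procedures in this section together (the CDN user policy, the harvester policy, anonymous access, and the IP-range restriction). `lint` checks a channel or origin endpoint policy against the rules stated on this page before you attach it: no wildcards in resource ARNs, no anonymous `PutObject`, a public `Allow` should carry a condition such as `aws:SourceIp`, and a service principal such as the harvester should be pinned with `aws:SourceAccount`. `apply_policy` then attaches the policy through a boto3 `mediapackagev2` client (`boto3.client("mediapackagev2")`) using the `PutChannelPolicy` or `PutOriginEndpointPolicy` operation; `RecordingClient` is a stand-in with the same method names for dry runs. The ARN regular expression, `ip_restricted_policy`, and the sample names are constructed for the example.

```python
import json
import re

# ARN shapes used on this page: a channel, or an origin endpoint under it.
# No "*" or "?" anywhere: MediaPackage rejects wildcards in resource-policy ARNs.
ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):mediapackagev2:[a-z0-9-]+:\d{12}:"
    r"channelGroup/[^/*?]+/channel/[^/*?]+(/originEndpoint/[^/*?]+)?$"
)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_public(principal):
    """True for "*" (anyone) and {"AWS": "*"} (any AWS account, which anyone can create)."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def lint(policy):
    """Return (severity, sid, message) tuples; an empty list means nothing to report."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        for arn in _as_list(stmt.get("Resource", [])):
            if not ARN_RE.match(arn):
                findings.append(("error", sid, f"not an explicit MediaPackage ARN: {arn}"))
        if stmt.get("Effect") != "Allow":
            continue                                 # Deny statements only narrow access
        principal = stmt.get("Principal")
        if _is_public(principal):
            if "mediapackagev2:PutObject" in _as_list(stmt.get("Action", [])):
                findings.append(("error", sid,
                                 "anonymous PutObject is not supported; name the encoder's IAM principal"))
            if not cond:
                findings.append(("warning", sid,
                                 "public Allow with no Condition: anyone on the internet can fetch this"))
        if isinstance(principal, dict) and "Service" in principal:
            keys = {k.lower() for block in cond.values() for k in block}   # key names are case-insensitive
            if "aws:sourceaccount" not in keys:
                findings.append(("warning", sid, "service principal not pinned with aws:SourceAccount"))
    return findings


def ip_restricted_policy(endpoint_arn, cidrs):
    """The page's 'Restrict access by IP range' pattern, parameterised over the CIDR list."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RestrictByIpRange", "Effect": "Allow", "Principal": "*",
        "Action": "mediapackagev2:GetObject", "Resource": endpoint_arn,
        "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}}}]}


class RecordingClient:
    """Dry-run stand-in for boto3.client("mediapackagev2"): records calls, sends nothing."""
    def __init__(self):
        self.calls = []

    def put_channel_policy(self, **kw):
        self.calls.append(("PutChannelPolicy", kw))

    def put_origin_endpoint_policy(self, **kw):
        self.calls.append(("PutOriginEndpointPolicy", kw))


def apply_policy(client, channel_group, channel, policy, origin_endpoint=None):
    """Lint, refuse on errors, then attach via PutChannelPolicy or PutOriginEndpointPolicy."""
    errors = [f for f in lint(policy) if f[0] == "error"]
    if errors:
        raise ValueError(errors)
    body = json.dumps(policy)                        # the API takes the policy as a JSON string
    if origin_endpoint is None:
        return client.put_channel_policy(
            ChannelGroupName=channel_group, ChannelName=channel, Policy=body)
    return client.put_origin_endpoint_policy(
        ChannelGroupName=channel_group, ChannelName=channel,
        OriginEndpointName=origin_endpoint, Policy=body)


ENDPOINT_ARN = ("arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/ChannelGroupName"
                "/channel/ChannelName/originEndpoint/OriginEndpointName")
```

With a real client, `apply_policy(boto3.client("mediapackagev2"), "ChannelGroupName", "ChannelName", ip_restricted_policy(ENDPOINT_ARN, ["203.0.113.0/24"]), origin_endpoint="OriginEndpointName")` attaches the IP-restricted policy to the endpoint; the same call without `origin_endpoint` attaches a channel policy for ingest. Warnings are reported but not blocking, because a deliberately public endpoint is a legitimate choice; errors describe policies MediaPackage would reject or that cannot work.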