I currently have a user policy that allows users to access the specific S3 bucket to which they are assigned. This functions perfectly. However, now I need to append instructions to this policy to grant the user access to an Elastic Transcoder pipeline that has been created for them. I've tried following the instructions here, but the policy keeps failing. I'm new to the IAM policy syntax, and could use a hand. See examples below:

Functional Policy Currently in Place:

{
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": [
                "s3:CreateBucket",
                "s3:DeleteBucket"
            ],
            "Resource": "arn:aws:s3:::org-b-bucket",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::org-b-bucket/*",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
            "Condition": {}
        }
    ]
}

Edited Policy Trying to Add Permissions (Dummy account info inserted):

{
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": [
                "s3:CreateBucket",
                "s3:DeleteBucket"
            ],
            "Resource": "arn:aws:s3:::org-b-bucket",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::org-b-bucket/*",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": [
                "elastictranscoder:List*",
                "elastictranscoder:Read*",
                "elastictranscoder:CreateJob"
            ],
            "Resource": [
                "arn:aws:elastictranscoder:us-east-1:123456789123:pipeline/1234567891234-qwerty",
                "arn:aws:elastictranscoder:us-east-1:123456789123:job/*"
            ]
        }
    ]
}

Jaemaz
  • What does "the policy keeps failing" mean? Is it failing to parse, or parsing OK but failing to do what you want it to? Also, you need to have "Version":"2012-10-17". – jarmod Jun 20 '15 at 00:01
  • Thanks for the response. It is parsing fine, but failing to do what I need it to do. It is not allowing access to the specified pipeline, or the ability to create a job within that pipeline. – Jaemaz Jun 22 '15 at 05:16
  • Did you add "Version":"2012-10-17"? You could also modify the policy to allow elastictranscoder:* temporarily and then use the awscli to test your ability to manage the pipeline. This might help you understand if your problem is with your list of actions or your list of resources. – jarmod Jun 22 '15 at 11:31
  • Added the version line, but it has no effect. If I allow the elastictranscoder*, access is granted but not limited like it needs to be. – Jaemaz Jun 23 '15 at 17:16
  • OK, that presumably means that the process using this policy is doing more than List*, Read* and CreateJob. Maybe the AWS documentation that you used when creating the policy is incorrect. One way to find out what call(s) are failing with access denied is to use CloudTrail. – jarmod Jun 23 '15 at 18:32

1 Answer


You should check the region: choose the same region for the client that you set while creating the pipeline. Check it here for a detailed answer.
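
Added example, not part of the original thread: a triage script for the two suggestions above (reading CloudTrail for access-denied calls, and checking the region). It compares each denied Elastic Transcoder call against the statement from the question and reports whether the action, the region, or the `Resource` list is the likely gap. The log records are constructed sample data, and the function names and the `AccessDeniedException` error code in the sample are assumptions.

```python
import fnmatch
import json

# Elastic Transcoder statement copied from the question's edited policy.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["elastictranscoder:List*", "elastictranscoder:Read*",
               "elastictranscoder:CreateJob"],
    "Resource": [
        "arn:aws:elastictranscoder:us-east-1:123456789123:pipeline/1234567891234-qwerty",
        "arn:aws:elastictranscoder:us-east-1:123456789123:job/*",
    ],
}

# Constructed CloudTrail records for illustration (not real log data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "elastictranscoder.amazonaws.com", "eventName": "CreateJob", "awsRegion": "us-west-2", "errorCode": "AccessDeniedException"},
    {"eventSource": "elastictranscoder.amazonaws.com", "eventName": "ReadPreset", "awsRegion": "us-east-1", "errorCode": "AccessDeniedException"},
    {"eventSource": "elastictranscoder.amazonaws.com", "eventName": "CancelJob", "awsRegion": "us-east-1", "errorCode": "AccessDeniedException"},
    {"eventSource": "elastictranscoder.amazonaws.com", "eventName": "ListPipelines", "awsRegion": "us-east-1"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1", "errorCode": "AccessDenied"},
]})

def arn_regions(statement):
    # ARN layout: arn:partition:service:region:account-id:resource
    return {arn.split(":")[3] for arn in statement["Resource"]}

def action_allowed(action, statement):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in statement["Action"])

def triage(log_text, statement):
    """Return (action, region, likely cause) for each denied Elastic Transcoder call."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        service = rec["eventSource"].split(".")[0]
        denied = rec.get("errorCode", "").startswith("AccessDenied")
        if service != "elastictranscoder" or not denied:
            continue
        action = f"{service}:{rec['eventName']}"
        if not action_allowed(action, statement):
            reason = "action not in policy"
        elif rec["awsRegion"] not in arn_regions(statement):
            reason = "region differs from policy ARNs"
        else:
            reason = "check Resource list"
        findings.append((action, rec["awsRegion"], reason))
    return findings
```

Calling `triage(SAMPLE_LOG, STATEMENT)` on the sample returns one finding per denied call; against a real trail, pass the contents of a downloaded CloudTrail log file instead.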