2

This message was originally posted on the AWS Developer Forums, but it seems like the AWS crowd is on SO, so I'm duplicating it here.

Hi there, I'm an absolute AWS beginner so I'll try to be as clear as possible.

I'm trying to use the JS API to allow any user on my site to upload videos to S3 (this works well) and then convert the uploaded files to other formats (with Elastic Transcoder).

I've set up:

  • an input (not public) and an output (public) buckets on S3. The input receives the user-submitted videos, that part works :)
  • an Elastic Transcoder pipeline (video-converter-test-pipeline-01)
  • a federated identity on Cognito (video_converter_test_02)
  • matching Auth and Unauth roles on IAM (Cognito_video_converter_test_02Auth_Role and Cognito_video_converter_test_02Unauth_Role)

The pipeline has the following permission summary: "The following IAM roles have been granted access to this pipeline: arn:aws:iam::529773801731:role/Elastic_Transcoder_Default_Role"

Cognito_video_converter_test_02Unauth_Role has two attached policies:

  • oneClick_Cognito_video_converter_test_02Unauth_Role_1522923667877
  • video-converter-policy, that I made myself.

Here's its JSON representation:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "elastictranscoder:CreateJob",
            "Resource": [
                "arn:aws:elastictranscoder:*:*:pipeline/*",
                "arn:aws:elastictranscoder:*:*:preset/*"
            ]
        }
    ]
}

Here's how I try to create a transcoding job using the JS API:

function createJob(uploadedFileKey) {
    console.log("Create job", uploadedFileKey);
    var params = {
        PipelineId: PipelineId,
        Input: {
            Key: uploadedFileKey
        },
        Output: {
            PresetId: PresetId
        }
    };
    elastictranscoder.createJob(params, function (err, data) {
        if (err) console.error(err, err.stack); // an error occurred
        else console.log(data);           // successful response
    });
}

When executing it, I get the following error:

Error: User: arn:aws:sts::529773801731:assumed-role/Cognito_video_converter_test_02Unauth_Role/CognitoIdentityCredentials is not authorized to perform: elastictranscoder:CreateJob on resource: arn:aws:elastictranscoder:eu-west-1:529773801731:pipeline/1522763370759-mmowmr

I tried using IAM Policy Simulator to understand what was wrong, but when doing so with the same parameters, I get "allowed"...

I'm sure I'm doing something wrong here, but can't understand what. I've tried many things but nothing worked. Any help would be appreciated :)

Thanks in advance, bye!

Quentin
  • 183
  • 1
  • 15

1 Answers1

-1

I contacted AWS Developer Support and the solution seems to be to have these in the IAM Policy:

{
    "Sid": "VisualEditor3",
    "Effect": "Allow",
    "Action": "cognito-sync:*",
    "Resource": "*"
},
{
    "Sid": "VisualEditor3",
    "Effect": "Allow",
    "Action": "mobileanalytics:PutEvents",
    "Resource": "*"
}
Darrell Brogdon
  • 6,843
  • 9
  • 47
  • 62
  • 1
    That's very kind of you, but I ended up using another video converting service since Amazon was way too frustrating. Even your suggestion (which again, I thank you for) isn't un-frustrating: where does this snippet come from and what does it mean? Also, how come AWS Dev Support is the place to go for an issue like that, shouldn't that be documented somehow? Or isn't IAM Policy Simulator doing its job. Feeling confused :/ – Quentin Jun 29 '18 at 08:59
  • 1
    I 100% agree with you and will likely be moving off of AWS in the future for those very reasons. – Darrell Brogdon Jun 29 '18 at 18:44
  • I have the same issue, AWS adds this policy automatically now and still I'm experiencing the problem. – akerra May 30 '21 at 13:55