I am trying to create an Elemental MediaConvert job in order to transcode some video files in my S3 bucket.

This is my backend code:

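    import { MediaConvertClient, CreateJobCommand } from '@aws-sdk/client-mediaconvert';
    import { fromCognitoIdentityPool } from '@aws-sdk/credential-providers';

    // Client for the account-specific MediaConvert endpoint. Credentials come
    // from the Cognito identity pool; with no login supplied, the pool hands
    // out the unauthenticated role.
    const client = new MediaConvertClient({
      region: 'us-east-1',
      endpoint: 'https://abcdefghi.mediaconvert.us-east-1.amazonaws.com',
      credentials: fromCognitoIdentityPool({
        clientConfig: { region: 'us-east-1' },
        identityPoolId: 'us-east-1:xxxx-xxx-xxx-xxx-xxxxxxx',
      })
    });
    // `job` is the job settings JSON copied from the MediaConvert console.
    const command = new CreateJobCommand(job);
    const response = await client.send(command);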

As the job object, I'm using the JSON object copied from the MediaConvert console, from a successfully finished job. Once I run this code, I'm getting the following error:

Error: AccessDeniedException: User: arn:aws:sts::XXXXX:assumed-role/Cognito_MyAppElementalMediaConverterUnauth_Role/CognitoIdentityCredentials is not authorized to perform: mediaconvert:CreateJob on resource: *

I've created a Cognito identity pool in the console, and attached the following policies to the Unauthenticated role:

Unauth Cognito Role

UPDATE:

After adding the endpoint URI to MediaConvertClient(), I was able to authenticate, but now I'm getting:

AccessDeniedException: User: arn:aws:sts::XXXXXXX:assumed-role/Cognito_MyAppeElementalMediaaConverterUnauth_Role/CognitoIdentityCredentials is not authorized to perform: iam:PassRole on resource: arn:aws:iam::XXXXX:role/*

Even though I've added those permissions for Cognito_MyAppeElementalMediaaConverterUnauth_Role in the AWS console.

dzona

1 Answer

This looks like an IAM configuration issue or auth issue. I suggest trying a command which does not need write permissions, such as the 'list-jobs' call to MediaConvert, in order to debug the auth chain first. I also suggest trying the commands individually from the local AWS CLI or CloudShell with the verbose flag set, so that you can see more details about the error.

Regarding the PassRole command, more info can be had here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

aws-robclem
I switched from Cognito to AWS Credentials using the same policy as described in the question, and it was OK, so I abandoned the Cognito identity pool as a solution for now. The only issue I may think of at the moment (haven't tested it though) is that `Cognito` is in a different region from `S3`. May that be the problem @aws-robclem? – dzona Jan 23 '23 at 09:53
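
An offline aid for the IAM debugging suggested in the answer, added here as an example that is not part of the original question or answer: it parses an AccessDeniedException message of the shape shown in the question and checks the requested action and resource against one identity policy. The policy, account id, role names and function names are constructed assumptions, and the matching is a simplification of IAM's evaluation.

```javascript
// Added example. Policy, account id and role names are constructed placeholders.
const DENIED_RE = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/;

// Pull principal, action and resource out of an AccessDeniedException message.
function parseAccessDenied(message) {
  const m = DENIED_RE.exec(message);
  return m ? { principal: m[1], action: m[2], resource: m[3] } : null;
}

// IAM-style wildcard match: '*' is any run of characters, '?' is one character.
function wildcardMatch(pattern, value, ignoreCase = false) {
  const source = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${source}$`, ignoreCase ? 'i' : '').test(value);
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Simplified check of ONE identity policy: explicit Deny wins, then Allow, else implicit deny.
// Not modelled: conditions, NotAction/NotResource, session policies, boundaries, SCPs.
function evaluate(policy, action, resource) {
  let decision = 'ImplicitDeny';
  for (const stmt of asArray(policy.Statement)) {
    const hit =
      asArray(stmt.Action).some((a) => wildcardMatch(a, action, true)) &&
      asArray(stmt.Resource).some((r) => wildcardMatch(r, resource));
    if (hit && stmt.Effect === 'Deny') return 'ExplicitDeny';
    if (hit && stmt.Effect === 'Allow') decision = 'Allow';
  }
  return decision;
}

// Explain a denial: what was requested, and what this policy says about it.
function explainDenial(message, policy) {
  const req = parseAccessDenied(message);
  return req ? { ...req, decision: evaluate(policy, req.action, req.resource) } : null;
}

// Constructed policy for the unauthenticated role; PassRole names the wrong role.
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['mediaconvert:CreateJob', 'mediaconvert:ListJobs'], Resource: '*' },
    { Effect: 'Allow', Action: 'iam:PassRole', Resource: 'arn:aws:iam::111122223333:role/OtherRole' },
  ],
};
// Constructed error in the shape of the one above; job.Role is ExampleMediaConvertRole.
const SAMPLE_ERROR = 'AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/ExampleUnauth_Role/CognitoIdentityCredentials is not authorized to perform: iam:PassRole on resource: arn:aws:iam::111122223333:role/ExampleMediaConvertRole';
console.log(explainDenial(SAMPLE_ERROR, SAMPLE_POLICY));
```

If the policy allows the request here and the call is still denied, the cause lies in one of the layers this sketch does not model.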