I have a problem with using the API of AWS MediaConvert

When we create a job in MediaConvert we must define an IAM role. The role is supposed to give access to S3 and AmazonAPIGatewayInvokeFullAccess. This role is automatically created when we use the AWS Console for MediaConvert. I am trying to create a job using the MediaConvert API, but it returns the error "Cross-account pass role is not allowed.".

The API credentials are a user's secret key and ID, and that user is in the same account that MediaConvert is in. From what I figured from googling, this error happens when another account is trying to use the role. Therefore, knowing that the user is one of the users defined in the same account, I tried to add the user to the trust relationship of the role, but it didn't work. The user that I am using has full access to MediaConvert.

I am using PHP and this is what my code looks like:

    <?php
    // Composer autoloader and the two SDK classes this snippet uses.
    require 'vendor/autoload.php';

    use Aws\MediaConvert\MediaConvertClient;
    use Aws\Credentials\Credentials;

    $accountId = "xxxxxxxx";

    $client = new MediaConvertClient([
        'version' => "2017-08-29",
        // Must match the region of the account-specific endpoint below
        // (the original had 'us-east-3', which is not an AWS region, so
        // request signing would not match the us-east-2 endpoint).
        'region' => 'us-east-2',
        'credentials' => new Credentials('xxxxxxxxx', 'xxxxxxxxx'),
        'endpoint' => "https://xxxxx.mediaconvert.us-east-2.amazonaws.com",
    ]);

    $settings = [
        "OutputGroups" => [
            [
                'CustomName' => 'mp3-converter',
                "Name" => "File Group",
                "Outputs" => [
                    [
                        "ContainerSettings" => [
                            "Container" => "RAW"
                        ],
                        "AudioDescriptions" => [
                            [
                                "AudioSourceName" => "Audio Selector 1",
                                "CodecSettings" => [
                                    "Codec" => "MP3",
                                    "Mp3Settings" => [
                                        "Bitrate" => 96000,
                                        "RateControlMode" => "CBR",
                                        "SampleRate" => 48000
                                    ]
                                ]
                            ]
                        ],
                        "Extension" => "mp3",
                        "NameModifier" => "2"
                    ]
                ],
                "OutputGroupSettings" => [
                    "Type" => "FILE_GROUP_SETTINGS",
                    "FileGroupSettings" => [
                        // Must be an s3:// URI. MediaConvert appends NameModifier
                        // and "." . Extension to this base name, so no ".mp3" here.
                        "Destination" => "s3://xxxxxxxx/test/audio"
                    ]
                ]
            ]
        ],
        "Inputs" => [
            [
                "AudioSelectors" => [
                    "Audio Selector 1" => [
                        "DefaultSelection" => "DEFAULT"
                    ]
                ],
                "TimecodeSource" => "ZEROBASED",
                // Must be an s3:// URI, not a bare object key.
                "FileInput" => "s3://xxxxxxxx/test/audio.webm"
            ]
        ]
    ];

    $job = $client->createJob([
        // MediaConvert assumes this role; the caller needs iam:PassRole on it and
        // the account ID in the ARN must be the account the credentials belong to.
        'Role' => "arn:aws:iam::$accountId:role/service-role/MediaConvert_Default_Role",
        'Settings' => $settings,
        'Queue' => "arn:aws:mediaconvert:us-east-2:$accountId:queues/Default",
        'UserMetadata' => [],
        'Tags' => [],
        'StatusUpdateInterval' => 'SECONDS_60',
        'Priority' => 0,
    ]);

What do you think my problem is?

Hadi Aghandeh
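The checks a practitioner would run before touching the PHP are about the role itself, so here is an added example (not code from the question or from AWS) that encodes them. MediaConvert assumes the role named in CreateJob through its own service principal, so three things have to line up: the role must live in the same account as the credentials (iam:PassRole cannot hand a role to a service in another account, which is what the error text describes), the role's trust policy must allow mediaconvert.amazonaws.com to call sts:AssumeRole (this is what the console-created role's trust policy contains; a trust policy naming an IAM user does not give the service that permission), and the caller needs iam:PassRole on the role, ideally limited with iam:PassedToService. The caller ARN would normally come from `aws sts get-caller-identity`; the account IDs, user name and policy documents below are constructed sample data.

```python
"""Preflight checks for passing an IAM role to MediaConvert.
Added example, not code from the post. All ARNs and policies are constructed.
"""
import json

MEDIACONVERT = "mediaconvert.amazonaws.com"


def parse_arn(arn: str) -> dict:
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(("prefix", "partition", "service", "region", "account", "resource"), parts))


def same_account(role_arn: str, caller_arn: str) -> bool:
    """True when the role and the credentials belong to the same AWS account.
    iam:PassRole only works within one account, so this is the first thing to check."""
    return parse_arn(role_arn)["account"] == parse_arn(caller_arn)["account"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def role_trusts_service(trust_policy: dict, service: str) -> bool:
    """True if an Allow statement lets `service` call sts:AssumeRole on the role.
    The service principal, not the IAM user submitting the job, assumes the role."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and service in _as_list(principal.get("Service", [])):
            return True
    return False


def passrole_policy(role_arn: str, service: str = MEDIACONVERT) -> dict:
    """Least-privilege identity policy for the caller: it may pass exactly this
    role, and only to MediaConvert (iam:PassedToService)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": service}},
        }],
    }


def preflight(role_arn: str, caller_arn: str, trust_policy: dict) -> list:
    """Return human-readable problems; an empty list means the role can be passed."""
    problems = []
    if not same_account(role_arn, caller_arn):
        problems.append("role and caller are in different accounts (cross-account PassRole)")
    if not role_trusts_service(trust_policy, MEDIACONVERT):
        problems.append(f"trust policy does not allow {MEDIACONVERT} to assume the role")
    return problems


# --- constructed sample data (hypothetical account IDs and user) ---------
CALLER_ARN = "arn:aws:iam::111111111111:user/converter-bot"  # from sts get-caller-identity
ROLE_SAME_ACCOUNT = "arn:aws:iam::111111111111:role/service-role/MediaConvert_Default_Role"
ROLE_OTHER_ACCOUNT = "arn:aws:iam::222222222222:role/service-role/MediaConvert_Default_Role"

# Shape of the trust policy on the console-created role.
TRUST_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "mediaconvert.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
# A trust policy that names only the IAM user; the service still cannot assume the role.
TRUST_USER_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": CALLER_ARN},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for role, trust in [(ROLE_SAME_ACCOUNT, TRUST_SERVICE),
                        (ROLE_OTHER_ACCOUNT, TRUST_SERVICE),
                        (ROLE_SAME_ACCOUNT, TRUST_USER_ONLY)]:
        print(role, preflight(role, CALLER_ARN, trust) or "ok")
    print(json.dumps(passrole_policy(ROLE_SAME_ACCOUNT), indent=2))
```

To use it against a real account, feed `preflight()` the ARN from `aws sts get-caller-identity` and the trust document from `aws iam get-role --role-name MediaConvert_Default_Role`; `passrole_policy()` is the statement to attach to the calling user instead of broad IAM access.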

1 Answer

This question is better directed to the IAM team since it involves Roles, policies and permissions.

In general, whichever IAM Role will be assumed by the external account needs permissions to run MediaConvert jobs, and needs read/write access to at least one S3 bucket. These permissions are controlled by Policies attached to the IAM Role.

One suggestion for debugging is to manually execute each step of the process from the AWS CLI or CloudShell prompt, and debug each step until it succeeds; then use the correlating API commands in your scripts. This method will help identify any gaps in permissions or syntax errors.

Start with 'aws sts assume-role', then 'aws s3 cp localfile s3://mybucket/myfile'. Finally, run a sample MediaConvert job from the CLI with a command like: 'aws mediaconvert --endpoint $EP create-job --cli-input-json file:///tmp/job.json'. You can use this job file as an example: https://docs.aws.amazon.com/mediaconvert/latest/ug/example-job-settings.html#mp4-example

Once you have each of those commands succeeding as expected, moving them to the API syntax should be straightforward.

aws-robclem
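The answer's last step needs a job file for `--cli-input-json`. The following added example (not code from the question, the answer or AWS) builds that file from settings in the same shape as the question's PHP array and refuses to write it when MediaConvert would reject the job for a reason that is easy to miss by hand: FileInput and Destination must be s3:// URIs rather than bare keys, and the queue must be in the same region as the account-specific endpoint and in the same account as the role. The bucket name, account ID and endpoint host are placeholders.

```python
"""Validate a MediaConvert job and emit the --cli-input-json file for
`aws mediaconvert create-job`. Added example; all sample data is constructed.
"""
import json
from urllib.parse import urlparse


def parse_arn(arn: str) -> dict:
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(("prefix", "partition", "service", "region", "account", "resource"), parts))


def is_s3_uri(value: str) -> bool:
    """MediaConvert addresses objects as s3://bucket/key; a bare key is rejected."""
    u = urlparse(value)
    return u.scheme == "s3" and bool(u.netloc) and bool(u.path.strip("/"))


def endpoint_region(endpoint: str) -> str:
    """Account endpoints look like https://<id>.mediaconvert.<region>.amazonaws.com."""
    labels = (urlparse(endpoint).hostname or "").split(".")
    if len(labels) < 5 or labels[1] != "mediaconvert":
        raise ValueError(f"not a MediaConvert endpoint: {endpoint!r}")
    return labels[2]


def validate_job(settings: dict, role_arn: str, queue_arn: str, endpoint: str) -> list:
    """Return a list of problems; an empty list means the job is worth submitting."""
    problems = []
    for i, inp in enumerate(settings.get("Inputs", [])):
        if not is_s3_uri(inp.get("FileInput", "")):
            problems.append(f"Inputs[{i}].FileInput must be an s3:// URI")
    for i, grp in enumerate(settings.get("OutputGroups", [])):
        fgs = grp.get("OutputGroupSettings", {}).get("FileGroupSettings", {})
        if not is_s3_uri(fgs.get("Destination", "")):
            problems.append(f"OutputGroups[{i}] Destination must be an s3:// URI")
    role, queue = parse_arn(role_arn), parse_arn(queue_arn)
    if role["account"] != queue["account"]:
        problems.append("role and queue ARNs are in different accounts")
    region = endpoint_region(endpoint)
    if queue["region"] != region:
        problems.append(f"queue is in {queue['region']} but the endpoint is in {region}")
    return problems


def cli_input(settings: dict, role_arn: str, queue_arn: str) -> dict:
    """Request body for --cli-input-json; same key names the SDK's createJob() takes."""
    return {"Role": role_arn, "Queue": queue_arn, "Settings": settings,
            "StatusUpdateInterval": "SECONDS_60", "Priority": 0}


# --- constructed sample data (hypothetical account, bucket and endpoint) --
ACCOUNT = "111111111111"
ENDPOINT = "https://xxxxx.mediaconvert.us-east-2.amazonaws.com"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/service-role/MediaConvert_Default_Role"
QUEUE_ARN = f"arn:aws:mediaconvert:us-east-2:{ACCOUNT}:queues/Default"


def job_settings(file_input: str, destination: str) -> dict:
    """The question's webm-to-mp3 settings with the two locations parameterised."""
    return {
        "Inputs": [{"AudioSelectors": {"Audio Selector 1": {"DefaultSelection": "DEFAULT"}},
                    "TimecodeSource": "ZEROBASED", "FileInput": file_input}],
        "OutputGroups": [{
            "Name": "File Group",
            "Outputs": [{"ContainerSettings": {"Container": "RAW"},
                         "AudioDescriptions": [{"AudioSourceName": "Audio Selector 1",
                                                "CodecSettings": {"Codec": "MP3", "Mp3Settings": {
                                                    "Bitrate": 96000, "RateControlMode": "CBR",
                                                    "SampleRate": 48000}}}],
                         "Extension": "mp3", "NameModifier": "2"}],
            "OutputGroupSettings": {"Type": "FILE_GROUP_SETTINGS",
                                    "FileGroupSettings": {"Destination": destination}},
        }],
    }


# Bare keys as in the question: both location checks fail.
BAD = job_settings("test/audio.webm", "test/audio.mp3")
# s3:// URIs; MediaConvert appends NameModifier + "." + Extension to the Destination base name.
GOOD = job_settings("s3://my-bucket/test/audio.webm", "s3://my-bucket/test/audio")

if __name__ == "__main__":
    print("bad settings:", validate_job(BAD, ROLE_ARN, QUEUE_ARN, ENDPOINT))
    problems = validate_job(GOOD, ROLE_ARN, QUEUE_ARN, ENDPOINT)
    if problems:
        raise SystemExit("\n".join(problems))
    with open("/tmp/job.json", "w") as fh:
        json.dump(cli_input(GOOD, ROLE_ARN, QUEUE_ARN), fh, indent=2)
    print("wrote /tmp/job.json")
```

Run it once, then `aws mediaconvert --endpoint-url $EP create-job --cli-input-json file:///tmp/job.json`; if that succeeds with the CLI's credentials but the PHP call still fails, the difference is in the credentials or the client configuration, not in the job.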