

# Setting up IAM permissions
AWS Elemental MediaConvert simplifies setting up permissions to use the service.

You can create an AWS Identity and Access Management (IAM) role to grant permissions to the service, by following these steps within the MediaConvert console.

To run transcoding jobs with AWS Elemental MediaConvert, you need an IAM service role to allow MediaConvert access to your resources. Resources include things like your input files and the locations where your output files are stored. 

Regardless of how you initially create your IAM service role, you can refine this role at any time using IAM. For more information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console) in the *IAM User Guide*.

You can create your IAM service role in one of the following ways:
+ In the MediaConvert console, with some restrictions on the permissions that you grant. For instructions, see [Creating the IAM role within MediaConvert](creating-the-iam-role-in-mediaconvert-configured.md).

  From the MediaConvert console, by configuring your role to allow MediaConvert access to only some of your Amazon S3 buckets. You can also choose whether to grant invoke access to your API Gateway endpoints.
+ In the IAM console. For instructions, see [Creating a role in IAM](creating-the-iam-role-in-iam.md).

  You can exercise fine control over exactly what access you grant to MediaConvert when you set up your IAM role in the IAM console. You can also use IAM through the AWS Command Line Interface (AWS CLI), or an API or SDK.

**Note**  
If you enable Amazon S3 default encryption on your Amazon S3 buckets and you specify your own key managed by AWS Key Management Service, you must grant additional permissions. For more information, see [Granting permissions for MediaConvert to access encrypted Amazon S3 buckets](granting-permissions-for-mediaconvert-to-access-encrypted-s3-buckets.md).

## Using the default MediaConvert role

If you use the name `MediaConvert_Default_Role`, then the MediaConvert console uses it by default when you create jobs in the future. This happens regardless of how you create the IAM service role for MediaConvert to use.

# Creating the IAM role within MediaConvert

When you create the AWS Identity and Access Management (IAM) role in MediaConvert with configured permissions, you can restrict MediaConvert access to only specific Amazon S3 buckets. You can also specify whether to grant invoke access to your Amazon API Gateway endpoints.

**To set up the IAM role in MediaConvert with configured permissions**

1. Open the [Jobs](https://console.aws.amazon.com/mediaconvert/home#/jobs/list) page in the MediaConvert console.

1. Choose **Create job**.

1. Under **Job settings**, choose **AWS integration**.

1. In the **Service access** section, for **Service role control**, choose **Create a new service role, configure permissions**.

1. For **New role name**, we suggest that you keep the default value **MediaConvert_Default_Role**. When you do, MediaConvert uses this role by default for your future jobs.

1. For **Input S3 locations** and **Output S3 locations**, choose **Add location**. Select the Amazon S3 buckets that you will use for input or output locations.

1. (Optional) For **API Gateway endpoint invocation**, if you use features that require it, choose allow.

   MediaConvert requires this access for the following features:
   + Digital rights management with SPEKE
   + Nielsen non-linear watermarking

   To allow MediaConvert invoke access to a specific endpoint only, modify these permissions in the role policy after you create it by using the AWS Identity and Access Management (IAM) service. For more information, see [Editing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html) in the *AWS Identity and Access Management User Guide*.

# Creating a role with the IAM console

Working directly with AWS Identity and Access Management (IAM), you can do actions that aren't available in the MediaConvert console. You can either do this when you create your role in IAM, or you can create your role in MediaConvert and then use IAM to refine it later.

The following procedure explains how to create a role with the IAM console. For information about accessing IAM programmatically, see the appropriate document in the [IAM documentation set](https://docs.aws.amazon.com/iam/).

**To create the service role for MediaConvert (IAM console)**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.

1. For **Trusted entity type**, choose **AWS service**.

1. For **Service or use case**, choose **MediaConvert**, and then choose the **MediaConvert** use case.

1. Choose **Next**.

1. Select the box next to the MediaConvert policy that you created in the previous procedure.

1. (Optional) Set a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). This is an advanced feature that is available for service roles, but not service-linked roles.

   1. Open the **Set permissions boundary** section, and then choose **Use a permissions boundary to control the maximum role permissions**.

      IAM includes a list of the AWS managed and customer-managed policies in your account.

   1. Select the policy to use for the permissions boundary.

1. Choose **Next**.

1. Enter a role name or a role name suffix to help you identify the purpose of the role.
**Important**  
When you name a role, note the following:  
Role names must be unique within your AWS account, and can't be made unique by case.  
For example, don't create roles named both **PRODROLE** and **prodrole**. When a role name is used in a policy or as part of an ARN, the role name is case sensitive, however when a role name appears to customers in the console, such as during the sign-in process, the role name is case insensitive.
You can't edit the name of the role after it's created because other entities might reference the role.

1. (Optional) For **Description**, enter a description for the role.

1. (Optional) To edit the use cases and permissions for the role, in the **Step 1: Select trusted entities** or **Step 2: Add permissions** sections, choose **Edit**.

1. (Optional) To help identify, organize, or search for the role, add tags as key-value pairs. For more information about using tags in IAM, see [Tags for AWS Identity and Access Management resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

1. Review the role, and then choose **Create role**.

**Note**  
For **New role name**, we suggest that you enter **MediaConvert_Default_Role**. When you do, MediaConvert uses this role by default for your future jobs.

# Granting permissions for MediaConvert to access encrypted Amazon S3 buckets

When you [enable Amazon S3 default encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html#bucket-encryption-how-to-set-up), Amazon S3 automatically encrypts your objects as you upload them. You can optionally choose to use AWS Key Management Service (AWS KMS) to manage the key. This is called SSE-KMS encryption.

If you enable SSE-KMS default encryption on the buckets that hold your AWS Elemental MediaConvert input or output files, you must [add inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console) to your IAM service role. If you don't add inline policies, MediaConvert can't read your input files or write your output files. 

Grant these permissions in the following use cases:
+ If your input bucket has SSE-KMS default encryption, grant `kms:Decrypt`.
+ If your output bucket has SSE-KMS default encryption, grant `kms:GenerateDataKey`.

The following example inline policy grants both permissions.

## Example inline policy with kms:Decrypt and kms:GenerateDataKey

This policy grants permissions for both `kms:Decrypt` and `kms:GenerateDataKey`.

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.*.amazonaws.com"
        }
      }
    }
  ]
}
```

------
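The following added example (not from the AWS documentation) builds the inline policy above from the two use cases the page lists, optionally narrows `Resource` from `"*"` to specific KMS key ARNs (an assumption beyond the page's example), and flags any statement in an existing policy that grants KMS actions on `"*"` without the `kms:ViaService` condition that keeps the grant usable only through Amazon S3.

```python
import json

# Added example, not AWS's own code. The condition value is the one the
# page's policy uses; key_arns is an assumed optional refinement.
KMS_VIA_S3 = {"kms:ViaService": "s3.*.amazonaws.com"}


def required_kms_actions(input_sse_kms: bool, output_sse_kms: bool) -> list:
    """KMS actions the MediaConvert role needs: Decrypt for SSE-KMS inputs,
    GenerateDataKey for SSE-KMS outputs (the page's two use cases)."""
    actions = []
    if input_sse_kms:
        actions.append("kms:Decrypt")
    if output_sse_kms:
        actions.append("kms:GenerateDataKey")
    return actions


def build_kms_inline_policy(input_sse_kms: bool, output_sse_kms: bool,
                            key_arns=None) -> dict:
    """Build the inline policy. With key_arns (assumed, optional) the grant is
    limited to those keys; either way kms:ViaService limits it to S3 calls."""
    actions = required_kms_actions(input_sse_kms, output_sse_kms)
    if not actions:
        return {"Version": "2012-10-17", "Statement": []}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            "Resource": list(key_arns) if key_arns else "*",
            "Condition": {"StringLike": dict(KMS_VIA_S3)},
        }],
    }


def unscoped_kms_statements(policy: dict) -> list:
    """Indexes of Allow statements that grant kms:* actions on Resource "*"
    without a kms:ViaService condition, i.e. broader than the page's example."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        touches_kms = any(a == "*" or a.lower().startswith("kms:") for a in actions)
        has_via = any("kms:ViaService" in v for v in stmt.get("Condition", {}).values())
        if touches_kms and "*" in resources and not has_via:
            findings.append(idx)
    return findings


if __name__ == "__main__":
    print(json.dumps(build_kms_inline_policy(True, True), indent=2))
```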

 