

# Setting up MediaPackage


This section provides procedures to set up your organization to use AWS Elemental MediaPackage. It also provides information about determining the IAM permissions that users and other AWS identities require. These permissions let you impose restricted controls on users and other AWS identities, in conformance with the security policies and procedures of your organization.

**Topics**
+ [Signing up for AWS](setting-up-aws-sign-up.md)
+ [Set up additional IAM permissions](setting-up-iam-permissions.md)
+ [Allowing MediaPackage to access other AWS services](setting-up-create-trust-rel.md)
+ [Download tools](setting-up-tools.md)

# Signing up for AWS


**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)

## Sign up for an AWS account


If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access


After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

# Set up additional IAM permissions


By default, users and roles don't have permission to create or modify MediaPackage resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see [Create IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

For details about actions and resource types defined by MediaPackage, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for AWS Elemental MediaPackage](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html) in the *Service Authorization Reference*.

This section describes the permissions that you must assign to users and other AWS identities so that they can work with MediaPackage and other AWS services that your workflows use. After you have identified the required permissions, you will be able to design and create the relevant policies, and attach those policies to groups of users or to roles. 

This section assumes that you have already performed these tasks:
+ You have signed up for MediaPackage and created an administrator. 
+ You have read the recommendations in [Identity and Access Management for AWS Elemental MediaPackage](security-iam.md) about how to create administrators, users, and other AWS identities.

**Topics**
+ [Create a role in the IAM console](#setting-up-create-role)
+ [Assume the role from the IAM console or AWS CLI](#setting-up-create-nonadmin-roles-assume-role)
+ [Add permissions for tagging](#requirements-for-tagging)

## Create a role in the IAM console


Create a role in the IAM console for each policy that you create. This allows users to assume a role rather than attaching individual policies to each user.

**To create a role in the IAM console**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.

1. Under **Select trusted entity**, choose **AWS account**.

1. Under **An AWS account**, select the account with the users that will be assuming this role.
   + If a third-party will be accessing this role, it's best practice to select **Require external ID**. For more information about external IDs, see [Using an external ID for third-party access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) in the *IAM User Guide*.
   + It's best practice to require multi-factor authentication (MFA). You can select the check box next to **Require MFA**. For more information about MFA, see [Multi-factor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *IAM User Guide*.

1. Choose **Next**.

1. Under **Permissions policies**, search for and add the policy with the appropriate MediaPackage permissions level.
   + For access to live functionality, choose one of the following options:
     + Use **AWSElementalMediaPackageFullAccess** to allow the user to perform all actions on all live resources in MediaPackage.
     + Use **AWSElementalMediaPackageReadOnly** to provide the user read-only rights for all live resources in MediaPackage.

1. Add policies to allow the MediaPackage console to make calls to Amazon CloudWatch on the user's behalf. Without these policies, the user is able to use the service's API only (not the console). Choose one of the following options:
   + Use **ReadOnlyAccess** to allow MediaPackage to communicate with CloudWatch, and also provide the user read-only access to all AWS services on your account.
   + Use **CloudWatchReadOnlyAccess**, **CloudWatchEventsReadOnlyAccess**, and **CloudWatchLogsReadOnlyAccess** to allow MediaPackage to communicate with CloudWatch, and limit the user's read-only access to CloudWatch.

1. (Optional) Set a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). This is an advanced feature that is available for service roles, but not service-linked roles. 

   1. Expand the **Permissions boundary** section and choose **Use a permissions boundary to control the maximum role permissions**. IAM includes a list of the AWS managed and customer managed policies in your account.

   1. Select the policy to use for the permissions boundary or choose **Create policy** to open a new browser tab and create a new policy from scratch. For more information, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start) in the *IAM User Guide*.

   1. After you create the policy, close that tab and return to your original tab to select the policy to use for the permissions boundary.

1. Verify that the correct policies are added to this role, and then choose **Next**.

1. If possible, enter a role name or role name suffix to help you identify the purpose of this role. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both **PRODROLE** and **prodrole**. Because various entities might reference the role, you cannot edit the name of the role after it has been created.

1. (Optional) For **Description**, enter a description for the new role.

1. Choose **Edit** in the **Step 1: Select trusted entities** or **Step 2: Select permissions** sections to edit the use cases and permissions for the role. 

1. (Optional) Add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

1. Review the role and then choose **Create role**.

## Assume the role from the IAM console or AWS CLI


View the following resources for learning about granting permissions for users to assume the role and how users can switch to the role from the IAM console or AWS CLI.
+ For more information about granting a user permissions to switch roles, see [Granting a user permissions to switch roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html) in the *IAM User Guide*. 
+ For more information about switching roles (console), see [Switching to a role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) in the *IAM User Guide*. 
+ For more information about switching roles (AWS CLI), see [Switching to an IAM role (AWS CLI)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html) in the *IAM User Guide*. 

## Add permissions for tagging

When users create channel groups, channels, or origin endpoints, they can optionally attach tags to the resource during creation. Typically, your organization has a policy to tag or to omit tags. There are two services that control permissions for tagging, for two different scenarios:
+ The ability to tag during channel creation is controlled by actions within MediaPackage. 
+ The ability to modify tags in existing resources is controlled by actions within Resource Group Tagging. See [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html) in [Getting Started with the AWS Management Console](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html).

# Allowing MediaPackage to access other AWS services


Some features require you to allow MediaPackage to access other AWS services, such as Amazon S3 and AWS Secrets Manager (Secrets Manager). To allow this access, create an IAM role and policy with the appropriate permissions. The following steps describe how to create roles and policies for MediaPackage features.

**Topics**
+ [Step 1: Create a policy](#setting-up-create-trust-rel-policy)
+ [Step 2: Create a role](#setting-up-create-trust-rel-role)
+ [Step 3: Modify the trust relationship](#setting-up-create-trust-rel-trust)

## Step 1: Create a policy


The IAM policy defines the permissions that AWS Elemental MediaPackage (MediaPackage) requires to access other services. 
+ For live-to-VOD workflows, create a policy that allows MediaPackage to read from the Amazon S3 bucket and store the live-to-VOD asset in it.
+ For content delivery network (CDN) authorization with static headers, create a policy that allows MediaPackage to read from a secret in Secrets Manager and a key in AWS Key Management Service (AWS KMS). This policy is *not* needed if you're using AWS Signature Version 4 (SigV4) authentication.

Use the following instructions to set up the policies that you need.

### Amazon S3 access for live-to-VOD workflows


If you use MediaPackage to harvest a live-to-VOD asset from a live stream, you need a policy that allows you to do these things in Amazon S3:
+ `PutObject`: MediaPackage can save the VOD asset in the bucket.
+ `GetBucketLocation`: MediaPackage can retrieve the Region for the bucket. The bucket must be in the same AWS Region as the MediaPackage VOD resources.

**To use the JSON policy editor to create a policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**. 

   If this is your first time choosing **Policies**, the **Welcome to Managed Policies** page appears. Choose **Get Started**.

1. At the top of the page, choose **Create policy**.

1. In the **Policy editor** section, choose the **JSON** option.

1. Enter the following JSON policy document:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "s3:PutObject",
                   "s3:ListBucket",
                   "s3:GetBucketLocation"
               ],
               "Resource": [
                   "arn:aws:s3:::bucket_name/*",
                   "arn:aws:s3:::bucket_name"
               ],
               "Effect": "Allow"
           }
       ]
   }
   ```

1. Choose **Next**.
**Note**  
You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_viseditor-restructure) in the *IAM User Guide*.

1. On the **Review and create** page, enter a **Policy name** and a **Description** (optional) for the policy that you are creating. Review **Permissions defined in this policy** to see the permissions that are granted by your policy.

1. Choose **Create policy** to save your new policy.

### Secrets Manager and AWS KMS access for CDN authorization


If you use content delivery network (CDN) authorization headers to restrict access to your endpoints in MediaPackage, you need a policy that allows you to do these things in Secrets Manager:
+ `GetSecretValue`: MediaPackage can retrieve the encrypted authorization code from a version of the secret that's in Secrets Manager.
+ `DescribeSecret`: MediaPackage can retrieve the details of the secret from Secrets Manager, excluding encrypted fields.
+ `BatchGetSecretValue`: MediaPackage can retrieve a list of secrets from Secrets Manager.

The following permissions are required only if you use a customer-managed AWS KMS key. If you use the default key that AWS KMS creates, you don't need to manually add permissions. AWS KMS automatically adds the appropriate permissions for default keys.
+ `Decrypt`: MediaPackage can decrypt the key from AWS KMS.
+ `DescribeKey`: MediaPackage can retrieve the details of the key from AWS KMS.

**To use the JSON policy editor to create a policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation column on the left, choose **Policies**. 

   If this is your first time choosing **Policies**, the **Welcome to Managed Policies** page appears. Choose **Get Started**.

1. At the top of the page, choose **Create policy**.

1. Choose the **JSON** tab.

1. Enter the following JSON policy document, replacing the Region (*us-east-1*), the account ID (*111122223333*), *secret-name-AbCDeF*, and *key-name* in the example with your own values:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:GetSecretValue",
                   "secretsmanager:DescribeSecret"
               ],
               "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name-AbCDeF"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:BatchGetSecretValue"
               ],
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "kms:Decrypt",
                   "kms:DescribeKey"
               ],
               "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-name"
           }
       ]
   }
   ```


1. Choose **Review policy**.
**Note**  
You can switch between the **Visual editor** and **JSON** tabs any time. However, if you make changes or choose **Review policy** in the **Visual editor** tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_viseditor-restructure) in the *IAM User Guide*.

1. On the **Review policy** page, enter a **Name** and an optional **Description** for the policy that you are creating. Review the policy **Summary** to see the permissions that are granted by your policy. Then choose **Create policy** to save your work.
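The two policies in Step 1 are small enough to generate and check rather than hand-edit. The following is an added example (not AWS code) that builds the live-to-VOD S3 policy and the CDN authorization policy from your bucket, account, secret and key values, and then lints each one so that no statement is broader than the page's examples. The function names, the simplified bucket-name check and the lint rules are this example's own assumptions; the sample values are the page's placeholders.

```python
import re

POLICY_VERSION = "2012-10-17"

# Only the BatchGetSecretValue statement on the page legitimately uses Resource "*";
# every other statement should name a concrete ARN.
WILDCARD_OK = {"secretsmanager:BatchGetSecretValue"}


def s3_live_to_vod_policy(bucket: str) -> dict:
    """Policy from 'Amazon S3 access for live-to-VOD workflows' for one bucket."""
    # Simplified bucket-name check (assumption: lowercase DNS-style names only).
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:ListBucket", "s3:GetBucketLocation"],
            # Object-level ARN for PutObject, bucket-level ARN for ListBucket/GetBucketLocation.
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
        }],
    }


def cdn_auth_policy(region: str, account_id: str, secret_name: str, key_id: str = "") -> dict:
    """Policy from 'Secrets Manager and AWS KMS access for CDN authorization'.
    The KMS statement is added only when a customer-managed key id is given."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("account id must be 12 digits")
    statements = [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            # secret_name includes the suffix Secrets Manager appends (e.g. secret-name-AbCDeF).
            "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_name}",
        },
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:BatchGetSecretValue"],
            "Resource": "*",
        },
    ]
    if key_id:
        statements.append({
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": f"arn:aws:kms:{region}:{account_id}:key/{key_id}",
        })
    return {"Version": POLICY_VERSION, "Statement": statements}


def lint_policy(policy: dict) -> list:
    """Return findings for statements broader than the page's examples."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") != "Allow":
            findings.append(f"statement {i}: unexpected Effect {st.get('Effect')!r}")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action in {actions}")
        if "*" in resources and not set(actions) <= WILDCARD_OK:
            findings.append(f"statement {i}: Resource '*' for {actions}")
    return findings
```

Paste the output of `json.dumps(policy, indent=2)` into the JSON editor in step 5; an empty findings list means the policy is no wider than the page's own example.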

## Step 2: Create a role


An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

Create a role that AWS Elemental MediaPackage assumes when ingesting source content or reading secrets and keys for CDN authorization. When you create the role, MediaPackage isn't available to pick as the trusted entity to assume the role. Choose Amazon Elastic Compute Cloud (Amazon EC2) temporarily instead. In the [next step](#setting-up-create-trust-rel-trust), you change the trusted entity to MediaPackage.

For information about creating a service role, see [Creating a Role to Delegate Permissions to an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

## Step 3: Modify the trust relationship


The trust relationship defines what entities can assume the role that you created in [Step 2: Create a role](#setting-up-create-trust-rel-role). When you created the role and established the trusted relationship, you chose Amazon EC2 as the trusted entity. Modify the role so that the trusted relationship is between your AWS account and AWS Elemental MediaPackage.

**To change the trust relationship to MediaPackage**

1. Access the role that you created in [the previous step](#setting-up-create-trust-rel-role). 

   If you're not already displaying the role, in the navigation pane of the IAM console, choose **Roles**. Search for and choose the role that you created.

1. On the **Summary** page for the role, choose **Trust relationships**.

1. Choose **Edit trust relationship**.

1. On the **Edit Trust Relationship** page, in the **Policy Document**, change `ec2.amazonaws.com` to `mediapackagev2.amazonaws.com`. 

   The policy document should now look like this: 

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "",
         "Effect": "Allow",
         "Principal": {
           "Service": "mediapackagev2.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```


   If you're using MediaPackage and related services in an opt-in Region, the Region must be listed in the `Service` section of the policy document. For example, if you're using services in the Asia Pacific (Melbourne) Region, the policy document looks like this:

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "",
         "Effect": "Allow",
         "Principal": {
           "Service": ["mediapackagev2.amazonaws.com","mediapackagev2.ap-southeast-4.amazonaws.com"]
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```


   For a list of opt-in Regions, see [AWS opt-in Regions](regions-and-endpoints.md#opt-in-region-considerations).

1. Choose **Update Trust Policy**.

1. On the **Summary** page, make a note of the value in **Role ARN**. You use this ARN when you ingest source content for video on demand (VOD) workflows or set up CDN authorization. The ARN looks like this:

   `arn:aws:iam::111122223333:role/role-name`

   In the example, *111122223333* is your AWS account number. 
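Both roles on this page are defined by their trust policy: the user-facing role from "Create a role in the IAM console" (trusted AWS account, optionally gated by external ID and MFA) and the service role from Step 3 (trusted `mediapackagev2.amazonaws.com`, plus a regional principal for each opt-in Region). The following is an added example, not AWS code, that generates both documents and audits a trust policy for the mistakes that matter here: the EC2 principal left over from Step 2, a wildcard principal, a cross-account trust with no condition, or an action other than `sts:AssumeRole`. The function names and audit rules are this example's own; the condition keys `sts:ExternalId` and `aws:MultiFactorAuthPresent` are the standard IAM keys behind the "Require external ID" and "Require MFA" options.

```python
SERVICE = "mediapackagev2.amazonaws.com"
POLICY_VERSION = "2012-10-17"


def account_trust_policy(account_id: str, external_id: str = "",
                         require_mfa: bool = True) -> dict:
    """Trust policy for 'Create a role in the IAM console': identities in the given
    AWS account may assume the role, gated by external ID and/or MFA conditions."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("account id must be 12 digits")
    condition = {}
    if external_id:  # the 'Require external ID' option
        condition.setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    if require_mfa:  # the 'Require MFA' option
        condition.setdefault("Bool", {})["aws:MultiFactorAuthPresent"] = "true"
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                 "Action": "sts:AssumeRole"}
    if condition:
        statement["Condition"] = condition
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def service_trust_policy(opt_in_regions=()) -> dict:
    """Trust policy from Step 3: MediaPackage assumes the role; each opt-in Region
    in use adds its regional service principal (e.g. ap-southeast-4)."""
    principals = [SERVICE] + [f"mediapackagev2.{r}.amazonaws.com" for r in opt_in_regions]
    service = principals[0] if len(principals) == 1 else principals
    return {"Version": POLICY_VERSION, "Statement": [{
        "Sid": "", "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sts:AssumeRole"}]}


def audit_trust_policy(doc: dict) -> list:
    """Findings to clear before the role goes live: EC2 principal left over from
    Step 2, wildcard principals, unexpected services, cross-account trust with no
    condition, or actions beyond sts:AssumeRole."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: any principal may assume this role")
            continue
        services = principal.get("Service", [])
        for s in [services] if isinstance(services, str) else services:
            if s == "ec2.amazonaws.com":
                findings.append(f"statement {i}: still trusts EC2 (Step 3 not applied)")
            elif not (s == SERVICE or
                      (s.startswith("mediapackagev2.") and s.endswith(".amazonaws.com"))):
                findings.append(f"statement {i}: unexpected service principal {s}")
        if "AWS" in principal and "Condition" not in st:
            findings.append(f"statement {i}: cross-account trust without MFA/external ID")
        actions = st.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            if a != "sts:AssumeRole":
                findings.append(f"statement {i}: action beyond AssumeRole: {a}")
    return findings
```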

# Download tools


The AWS Management Console includes a console for MediaPackage, but if you want to access the services programmatically, see the following:
+ The API guides document the operations that the services support and provide links to the related SDK and CLI documentation:
  + [AWS Elemental MediaPackage API Reference](https://docs.aws.amazon.com/mediapackage/latest/apireference/)
+ To call an API without having to handle low-level details like assembling raw HTTP requests, you can use an AWS SDK. The AWS SDKs provide functions and data types that encapsulate the functionality of AWS services. To download an AWS SDK and access installation instructions, see the applicable page: 
  + [Go](https://aws.amazon.com/sdk-for-go/)
  + [JavaScript](http://aws.amazon.com/sdkforbrowser/)
  + [.NET](https://aws.amazon.com/sdk-for-net/)
  + [Node.js](https://aws.amazon.com/sdk-for-node-js/)
  + [Python](https://github.com/boto/boto)
  + [Ruby](https://aws.amazon.com/sdk-for-ruby/)

  For a complete list of AWS SDKs, see [Tools for Amazon Web Services](http://aws.amazon.com/tools/).
+ You can use the AWS Command Line Interface (AWS CLI) to control multiple AWS services from the command line. You can also automate your commands using scripts. For more information, see [AWS Command Line Interface](https://aws.amazon.com/cli/).
+ AWS Tools for Windows PowerShell supports these AWS services. For more information, see [AWS Tools for PowerShell Cmdlet Reference](http://aws.amazon.com/documentation/powershell/).