Using the call analytics resource access role
The calling account must create the resource access role used by a media insights pipeline configuration. You can't use cross-account roles.
Depending on the features that you enable when you create a call analytics configuration, you must use additional resource policies. Expand the following sections to learn more.
The role requires the following policy, at a minimum:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "transcribe:StartCallAnalyticsStreamTranscription", "transcribe:StartStreamTranscription" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kinesisvideo:GetDataEndpoint", "kinesisvideo:GetMedia" ], "Resource": "arn:aws:kinesisvideo:us-east-1:111122223333:stream/Chime*" }, { "Effect": "Allow", "Action": [ "kinesisvideo:GetDataEndpoint", "kinesisvideo:GetMedia" ], "Resource": "arn:aws:kinesisvideo:us-east-1:111122223333:stream/*", "Condition": { "StringLike": { "aws:ResourceTag/AWSServiceName": "ChimeSDK" } } }, { "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "arn:aws:kms:us-east-1:111122223333:key/*", "Condition": { "StringLike": { "aws:ResourceTag/AWSServiceName": "ChimeSDK" } } } ] }
You must also use the following trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mediapipelines.chime.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceARN": "arn:aws:chime:*:111122223333:*" } } } ] }
If you use the KinesisDataStreamSink, add the following policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "kinesis:PutRecord" ], "Resource": [ "arn:aws:kinesis:us-east-1:111122223333:stream/output_stream_name" ] }, { "Effect": "Allow", "Action": [ "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:us-east-1:111122223333:key/*" ], "Condition": { "StringLike": { "aws:ResourceTag/AWSServiceName": "ChimeSDK" } } } ] }
If you use the S3RecordingSink, add the following policy:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging", ], "Resource": [ "arn:aws:s3:::input_bucket_path/*" ] }, { "Effect": "Allow", "Action": [ "kinesisvideo:GetDataEndpoint", "kinesisvideo:ListFragments", "kinesisvideo:GetMediaForFragmentList" ], "Resource": [ "arn:aws:kinesisvideo:us-east-1:111122223333:stream/*" ], "Condition": { "StringLike": { "aws:ResourceTag/AWSServiceName": "ChimeSDK" } } }, { "Effect": "Allow", "Action": [ "kinesisvideo:ListFragments", "kinesisvideo:GetMediaForFragmentList" ], "Resource": [ "arn:aws:kinesisvideo:us-east-1:111122223333:stream/Chime*" ] }, { "Effect": "Allow", "Action": [ "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:us-east-1:111122223333:key/*" ], "Condition": { "StringLike": { "aws:ResourceTag/AWSServiceName": "ChimeSDK" } } } ] }
If you use the Post Call Analytics feature of the
AmazonTranscribeCallAnalyticsProcessor, add the following
policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::111122223333:role/transcribe_role_name" ], "Condition": { "StringEquals": { "iam:PassedToService": "transcribe.streaming.amazonaws.com" } } } ] }
If you use the VoiceEnhancementSinkConfiguration element, add the following policy:
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging" ], "Resource":[ "arn:aws:s3:::input_bucket_path/*" ] }, { "Effect":"Allow", "Action":[ "kinesisvideo:GetDataEndpoint", "kinesisvideo:ListFragments", "kinesisvideo:GetMediaForFragmentList" ], "Resource":[ "arn:aws:kinesisvideo:us-east-1:111122223333:stream/*" ], "Condition":{ "StringLike":{ "aws:ResourceTag/AWSServiceName":"ChimeSDK" } } }, { "Effect":"Allow", "Action":[ "kinesisvideo:ListFragments", "kinesisvideo:GetMediaForFragmentList" ], "Resource":[ "arn:aws:kinesisvideo:us-east-1:111122223333:stream/Chime*" ] }, { "Effect":"Allow", "Action":[ "kms:GenerateDataKey" ], "Resource":[ "arn:aws:kms:us-east-1:111122223333:key/*" ], "Condition":{ "StringLike":{ "aws:ResourceTag/AWSServiceName":"ChimeSDK" } } } ] }
If you use the VoiceAnalyticsProcessor, add the policies for
LambdaFunctionSink, SqsQueueSink, and
SnsTopicSink depending on which sinks you have defined.
LambdaFunctionSinkpolicy:{ "Version": "2012-10-17", "Statement": [ { "Action": [ "lambda:InvokeFunction", "lambda:GetPolicy" ], "Resource": [ "arn:aws:lambda:us-east-1:111122223333:function:function_name" ], "Effect": "Allow" } ] }SqsQueueSinkpolicy{ "Version": "2012-10-17", "Statement": [ { "Action": [ "sqs:SendMessage", "sqs:GetQueueAttributes" ], "Resource": [ "arn:aws:sqs:us-east-1:111122223333:queue_name" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "arn:aws:kms:us-east-1:111122223333:key/*", "Condition": { "StringLike": { "aws:ResourceTag/AWSServiceName": "ChimeSDK" } } } ] }SnsTopicSinkpolicy:{ "Version": "2012-10-17", "Statement": [ { "Action": [ "sns:Publish", "sns:GetTopicAttributes" ], "Resource": [ "arn:aws:sns:us-east-1:111122223333:topic_name" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "arn:aws:kms:us-east-1:111122223333:key/*", "Condition": { "StringLike": { "aws:ResourceTag/AWSServiceName": "ChimeSDK" } } } ] }
