Job attachments enable you to transfer files back and forth between your workstation and AWS Deadline Cloud. With job attachments, you don't need to manually set up an Amazon S3 bucket for your files. Instead, when you create a queue with the Deadline Cloud console, you choose the bucket for your job attachments.
The first time that you submit a job to Deadline Cloud, all of the files for the job are transferred to Deadline Cloud. For subsequent submissions, only the files that have changed are transferred, saving both time and bandwidth.
After processing is complete, you can download the result from the job detail page, or by
using the Deadline Cloud CLI deadline job download-output
command.
You can use the same S3 bucket for multiple queues. Set a different root prefix for each queue to organize the attachments in the bucket.
When you create a queue with the console, you can either choose an existing AWS Identity and Access Management (IAM) role or you can have the console create a new role. If the console creates the role, it sets permissions to access the bucket that's specified for the queue. If you choose an existing role, you must grant the role permissions to access the S3 bucket.
Encryption for job attachment S3
buckets
Job attachment files are encrypted in your S3 bucket by default. This helps secure your information from unauthorized access. You don't need to do anything to have your files encrypted with keys provided by Deadline Cloud. For more information, see Amazon S3 now automatically encrypts all new objects in the Amazon S3 User Guide.
You can use your own customer managed AWS Key Management Service key to encrypt the S3 bucket that contains your job attachments. To do so, you must modify the IAM role for the queue associated with the bucket to allow access to the AWS KMS key.
To open the IAM policy editor for the queue role
-
Sign in to the AWS Management Console and open the Deadline Cloud console
. From the main page, in the Get started section, choose View farms. -
From the list of farms, choose the farm that contains the queue to modify.
-
From the list of queues, choose the queue to modify.
-
In the Queue details section, choose the Service role to open the IAM console for the service role.
Next, complete the following procedure.
To update the role policy with permission for AWS KMS
-
From the list of Permissions policies, choose the policy for the role.
-
In the Permissions defined in this policy section, choose Edit.
-
Choose Add new statement.
-
Copy and paste the following policy into the editor. Change the
Region
,
, andaccountID
keyID
to your own values.
{ "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:
Region
:accountID
:key/keyID
" ] } -
Choose Next.
-
Review the changes to the policy, and then when you're satisfied, choose Save changes.
Managing job attachments in S3
buckets
Deadline Cloud stores the job attachment files required for your job in an S3 bucket. These files accumulate over time, leading to increased Amazon S3 costs. To reduce costs, you can apply an S3 Lifecycle configuration to your S3 bucket. This configuration can automatically delete files in the bucket. Because the S3 bucket is in your account, you can choose to modify or remove the S3 Lifecycle configuration at any time. For more information, see Examples of S3 Lifecycle configuration in the Amazon S3 User Guide.
For a more granular S3 bucket management solution, you can set up your AWS account to
expire objects in an S3 bucket based on the last time that they were accessed. For more
information, see
Expiring Amazon S3 objects based on last accessed date to decrease costs