Step 2: Set Up IAM Permissions - Amazon Interactive Video Service

Step 2: Set Up IAM Permissions

Next, you must create an AWS Identity and Access Management (IAM) user and add a policy that gives the user access to create an Amazon IVS channel. If you want to auto-record to Amazon S3, you also must add appropriate permissions for that.

You can either add permissions in conjunction with creating a new user or add permissions to an existing user. Both procedures are given below.

For more information (for example, to learn about IAM users and policies, how to attach a policy to a user, and how to constrain what users can do with Amazon IVS), see:

Create a New User and Add Permissions

Follow these steps:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users, then choose Add user.

  3. In the Add user window:

    1. Type the new user name to be created.

    2. Check Programmatic access and AWS Management Console access.

    3. Choose Next: Permissions.

  4. Under Set Permissions, turn on Attach existing policies directly, then choose Create Policy. A Create Policy window opens.

  5. In the Create Policy window, choose the JSON tab, and copy and paste the following IVS policy to the JSON tab. This policy covers both standard video and auto-record-to-S3 functionality.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ivs:CreateChannel",
            "ivs:CreateRecordingConfiguration",
            "ivs:GetChannel",
            "ivs:GetRecordingConfiguration",
            "ivs:GetStream",
            "ivs:GetStreamKey",
            "ivs:GetStreamSession",
            "ivs:ListChannels",
            "ivs:ListRecordingConfigurations",
            "ivs:ListStreamKeys",
            "ivs:ListStreams",
            "ivs:ListStreamSessions"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:DescribeAlarms",
            "cloudwatch:GetMetricData",
            "s3:CreateBucket",
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets",
            "servicequotas:ListAWSDefaultServiceQuotas",
            "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
            "servicequotas:ListServiceQuotas",
            "servicequotas:ListServices",
            "servicequotas:ListTagsForResource"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateServiceLinkedRole",
            "iam:PutRolePolicy"
          ],
          "Resource": "arn:aws:iam::*:role/aws-service-role/ivs.amazonaws.com/AWSServiceRoleForIVSRecordToS3*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:GetMetricData"
          ],
          "Resource": "*"
        }
      ]
    }

  6. Still in the Create Policy window, choose Next: Tags.

  7. On the Tags page, choose Review Policy. Give the policy a Name, then choose Create Policy. Then close this window and go back to the Add User window.

  8. Back in the Add user window, attach the new policy. First refresh the policy table by pressing the reload button above the table on the right. Filter the policy by typing the name. When your policy appears in the list, select it and choose Next: Tags. On the Tags page, choose Next: Review.

  9. On the Review page, choose Create User.

  10. The final Success screen contains your Access key ID, Secret access key, and Password. Store all of these for future reference. When you are done, choose Close.

Add Permissions to an Existing User

Follow these steps:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users, then choose an existing user name to be updated.

  3. On the Summary page, on the Permissions tab, choose Add Permissions.

  4. Under Add Permissions, turn on Attach existing policies directly, then choose Create Policy. A Create Policy window opens.

  5. In the Create Policy window, choose the JSON tab, and copy and paste the following IVS policy to the JSON tab. This policy covers both standard video and auto-record-to-S3 functionality.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ivs:CreateChannel",
            "ivs:CreateRecordingConfiguration",
            "ivs:GetChannel",
            "ivs:GetRecordingConfiguration",
            "ivs:GetStream",
            "ivs:GetStreamKey",
            "ivs:GetStreamSession",
            "ivs:ListChannels",
            "ivs:ListRecordingConfigurations",
            "ivs:ListStreamKeys",
            "ivs:ListStreams",
            "ivs:ListStreamSessions"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:DescribeAlarms",
            "cloudwatch:GetMetricData",
            "s3:CreateBucket",
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets",
            "servicequotas:ListAWSDefaultServiceQuotas",
            "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
            "servicequotas:ListServiceQuotas",
            "servicequotas:ListServices",
            "servicequotas:ListTagsForResource"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateServiceLinkedRole",
            "iam:PutRolePolicy"
          ],
          "Resource": "arn:aws:iam::*:role/aws-service-role/ivs.amazonaws.com/AWSServiceRoleForIVSRecordToS3*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:GetMetricData"
          ],
          "Resource": "*"
        }
      ]
    }

  6. Still in the Create Policy window, choose Next: Tags.

  7. On the Tags page, choose Review Policy. Give the policy a Name, then choose Create Policy. Then close this window and go back to the Add Permissions window.

  8. Back in the Add Permissions window, attach the new policy. First refresh the policy table by pressing the reload button above the table on the right. Filter the policy by typing the name. When your policy appears in the list, select it and choose Next: Review.

  9. On the Review page, choose Add Permissions.

  10. The Summary page appears, showing the updated Permission Policies. At this point, the user permissions are updated and you can close this window.
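
A review pass for the policy pasted in step 5 of both procedures, as an added example that is not part of the AWS documentation: it confirms the document parses as JSON, lists the non-read actions granted on `"Resource": "*"`, and lists actions granted by more than one statement. The function name `review_policy` and the read-only naming heuristic (`Get`/`List`/`Describe` prefixes) are assumptions of this example, not IAM semantics.

```python
import json

# Policy from step 5 above, condensed onto fewer lines (same statements and actions).
IVS_POLICY = """{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Resource": "*", "Action": [
  "ivs:CreateChannel", "ivs:CreateRecordingConfiguration", "ivs:GetChannel",
  "ivs:GetRecordingConfiguration", "ivs:GetStream", "ivs:GetStreamKey",
  "ivs:GetStreamSession", "ivs:ListChannels", "ivs:ListRecordingConfigurations",
  "ivs:ListStreamKeys", "ivs:ListStreams", "ivs:ListStreamSessions"]},
 {"Effect": "Allow", "Resource": "*", "Action": [
  "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "s3:CreateBucket",
  "s3:GetBucketLocation", "s3:ListAllMyBuckets",
  "servicequotas:ListAWSDefaultServiceQuotas",
  "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
  "servicequotas:ListServiceQuotas", "servicequotas:ListServices",
  "servicequotas:ListTagsForResource"]},
 {"Effect": "Allow", "Action": [
  "iam:AttachRolePolicy", "iam:CreateServiceLinkedRole", "iam:PutRolePolicy"],
  "Resource": "arn:aws:iam::*:role/aws-service-role/ivs.amazonaws.com/AWSServiceRoleForIVSRecordToS3*"},
 {"Effect": "Allow", "Action": ["cloudwatch:GetMetricData"], "Resource": "*"}]}"""

READ_PREFIXES = ("Get", "List", "Describe")  # naming heuristic (assumption)


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_policy(text):
    """Return (syntax_error, unscoped_writes, duplicate_actions)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return f"line {exc.lineno} col {exc.colno}: {exc.msg}", [], []
    seen, unscoped, dupes = set(), [], []
    for stmt in as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if wildcard and not verb.startswith(READ_PREFIXES):
                unscoped.append(action)  # mutating action on every resource
            if action in seen and action not in dupes:
                dupes.append(action)     # already granted by an earlier statement
            seen.add(action)
    return None, unscoped, dupes


if __name__ == "__main__":
    print(review_policy(IVS_POLICY))
```

The unscoped list is the set of actions to consider narrowing to specific ARNs when constraining what the user can do with Amazon IVS; a syntax error is reported with its line and column so it can be fixed before pasting into the JSON tab.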