Step 3: Set Up IAM Permissions - Amazon Interactive Video Service

Step 3: Set Up IAM Permissions

Next, you must create an AWS Identity and Access Management (IAM) policy that gives users a basic set of permissions (e.g., to create an Amazon IVS channel, get streaming information, and auto-record to S3) and assign that policy to users. You can either assign the permissions when creating a new user or add permissions to an existing user. Both procedures are given below.

For more information (for example, to learn about IAM users and policies, how to attach a policy to a user, and how to constrain what users can do with Amazon IVS), see:

Create a New Policy for Amazon IVS Permissions

Follow these steps:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, then choose Create policy. A Create policy window opens.

  3. Choose the JSON tab, and copy and paste the following IVS policy to the JSON tab. (The policy does not include all Amazon IVS actions. You can choose which permissions are relevant to your scope; see Amazon IVS API Reference.)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ivs:CreateChannel",
            "ivs:CreateRecordingConfiguration",
            "ivs:GetChannel",
            "ivs:GetRecordingConfiguration",
            "ivs:GetStream",
            "ivs:GetStreamKey",
            "ivs:GetStreamSession",
            "ivs:ListChannels",
            "ivs:ListRecordingConfigurations",
            "ivs:ListStreamKeys",
            "ivs:ListStreams",
            "ivs:ListStreamSessions"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:DescribeAlarms",
            "cloudwatch:GetMetricData",
            "s3:CreateBucket",
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets",
            "servicequotas:ListAWSDefaultServiceQuotas",
            "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
            "servicequotas:ListServiceQuotas",
            "servicequotas:ListServices",
            "servicequotas:ListTagsForResource"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateServiceLinkedRole",
            "iam:PutRolePolicy"
          ],
          "Resource": "arn:aws:iam::*:role/aws-service-role/ivs.amazonaws.com/AWSServiceRoleForIVSRecordToS3*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:GetMetricData"
          ],
          "Resource": "*"
        }
      ]
    }

  4. Still in the Create policy window, choose Next: Tags (scroll to the bottom of the window to see this).

  5. On the Tags page, select Next: Review (at the bottom of the window).

  6. On the Review policy window, give the policy a Name and optionally add a Description. Make a note of the policy name, as you will need it when creating users (below). Choose Create policy (at the bottom of the window).

  7. You are returned to the IAM console window, where you should see a banner confirming that your new policy was created.
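The policy in step 3 grants most of its actions on Resource "*". As an added example (not part of the AWS documentation), the Python check below lists the non-read actions granted on every resource, and any action granted more than once, as a starting point for constraining what users can do with Amazon IVS. The read/non-read split by verb prefix and the SENSITIVE_READS set are assumptions of this example.

```python
import json
from collections import Counter

# Policy from step 3 of the procedure above, embedded so this runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["ivs:CreateChannel", "ivs:CreateRecordingConfiguration",
   "ivs:GetChannel", "ivs:GetRecordingConfiguration", "ivs:GetStream", "ivs:GetStreamKey",
   "ivs:GetStreamSession", "ivs:ListChannels", "ivs:ListRecordingConfigurations",
   "ivs:ListStreamKeys", "ivs:ListStreams", "ivs:ListStreamSessions"], "Resource": "*"},
 {"Effect": "Allow", "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData",
   "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListAllMyBuckets",
   "servicequotas:ListAWSDefaultServiceQuotas",
   "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
   "servicequotas:ListServiceQuotas", "servicequotas:ListServices",
   "servicequotas:ListTagsForResource"], "Resource": "*"},
 {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:CreateServiceLinkedRole",
   "iam:PutRolePolicy"], "Resource":
   "arn:aws:iam::*:role/aws-service-role/ivs.amazonaws.com/AWSServiceRoleForIVSRecordToS3*"},
 {"Effect": "Allow", "Action": ["cloudwatch:GetMetricData"], "Resource": "*"}]}
""")

# Assumption of this example: Get*/List*/Describe* are reads; everything else,
# plus ivs:GetStreamKey (it returns the stream key value), is worth reviewing.
READ_PREFIXES = ("Get", "List", "Describe")
SENSITIVE_READS = {"ivs:GetStreamKey"}

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy):
    """Return ({0-based statement index: actions to review}, duplicated actions)."""
    stmts = policy["Statement"]
    wildcard, seen = {}, Counter()
    for idx, stmt in enumerate(stmts if isinstance(stmts, list) else [stmts]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        seen.update(actions)
        if "*" not in as_list(stmt.get("Resource", [])):
            continue  # statement is already scoped to specific ARNs
        review = [a for a in actions if a in SENSITIVE_READS
                  or not a.split(":", 1)[-1].startswith(READ_PREFIXES)]
        if review:
            wildcard[idx] = review
    return wildcard, sorted(a for a, n in seen.items() if n > 1)

if __name__ == "__main__":
    print(audit(POLICY))
```

On the policy above, the check reports ivs:CreateChannel, ivs:CreateRecordingConfiguration and ivs:GetStreamKey in statement 0, s3:CreateBucket in statement 1, and cloudwatch:GetMetricData as granted twice.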

Create a New User and Add Permissions

IAM User Access Keys

IAM access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. As a best practice, do not create root-user access keys.

The only time that you can view or download a secret access key is when you create access keys. You cannot recover them later. However, you can create new access keys at any time; you must have permissions to perform the required IAM actions.

Always store access keys securely. Never share them with third parties (even if an inquiry seems to come from Amazon). For more information, see Managing access keys for IAM users in the IAM User Guide.

Procedure

Follow these steps:

  1. In the navigation pane, choose Users, then choose Add user.

  2. In the Add user window:

    1. Type the new user name to be created.

    2. Check Access key - Programmatic access and Password - AWS Management Console access.

    3. For Console password, select Autogenerated password (recommended).

    4. Select Require password reset (recommended).

    5. Choose Next: Permissions.

  3. Under Set Permissions, select Attach existing policies directly. A Grant Permissions window opens.

  4. In the search box, enter your previously created IVS policy name. When it is found, check the box to select the policy.

  5. Choose Next: Tags (at the bottom of the window).

  6. On the Add Tags page, select Next: Review (at the bottom of the window).

  7. On the Review window, confirm that all user details are correct, then choose Create user (at the bottom of the window).

  8. The Success screen appears, containing your Access key ID, Secret access key, and Password. Save all of these securely for future reference. When you are done, choose Close.

Add Permissions to an Existing User

Follow these steps:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users, then choose an existing user name to be updated. (Choose the name by clicking on it; do not check the selection box.)

  3. On the Summary page, on the Permissions tab, choose Add Permissions.

  4. Select Attach existing policies directly. A Grant Permissions window opens.

  5. In the search box, enter your previously created IVS policy name. When the policy is found, check the box to select the policy.

  6. Choose Next: Review (at the bottom of the window).

  7. On the Permissions summary page, select Add permissions (at the bottom of the window).

  8. On the Summary page, confirm that the IVS policy was added.