Setting up IAM permissions - MediaConvert

Setting up IAM permissions

To run transcoding jobs with AWS Elemental MediaConvert, you need an IAM service role to allow MediaConvert access to your resources. Resources include things like your input files and the locations where your output files are stored.

Regardless of how you initially create your IAM service role, you can refine this role at any time using IAM. For more information, see Adding and removing IAM identity permissions in the IAM User Guide.

You can create your IAM service role in one of the following ways:

  • In the MediaConvert console, with some restrictions on the permissions that you grant. For instructions, see Creating the IAM role in MediaConvert.

    From the MediaConvert console, you can configure your role to allow MediaConvert access to only some of your Amazon S3 buckets. You can also choose whether to grant invoke access to your API Gateway endpoints.

  • In the IAM console. For instructions, see Creating a role in IAM.

    You can exercise fine control over exactly what access you grant to MediaConvert when you set up your IAM role in the IAM console. You can also use IAM through the AWS Command Line Interface (AWS CLI), or an API or SDK.
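
The following is an added example, not part of the original AWS page: a Python sketch that builds a trust policy for the MediaConvert service principal and a permissions policy scoped to named buckets, then flags any statement that is not scoped. The bucket names, function names, and the choice of `s3:GetObject` and `s3:PutObject` as the only granted actions are assumptions for illustration; your jobs may need additional actions.

```python
import json

MEDIACONVERT_PRINCIPAL = "mediaconvert.amazonaws.com"  # service that assumes the role


def trust_policy():
    """Trust policy: only the MediaConvert service may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": MEDIACONVERT_PRINCIPAL},
        "Action": "sts:AssumeRole"}]}


def scoped_s3_policy(input_buckets, output_buckets):
    """Read objects from input buckets, write objects to output buckets only.
    Assumption: GetObject/PutObject are enough for the jobs being run."""
    def objects(buckets):
        return [f"arn:aws:s3:::{b}/*" for b in buckets]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadInputs", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": objects(input_buckets)},
        {"Sid": "WriteOutputs", "Effect": "Allow",
         "Action": ["s3:PutObject"], "Resource": objects(output_buckets)}]}


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def overbroad_statements(policy):
    """Return the Sid (or index) of each Allow statement that grants every
    S3 action or reaches every bucket, i.e. is not scoped to named buckets."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        wide_action = any(a in ("*", "s3:*") for a in as_list(st.get("Action", [])))
        wide_resource = any(r in ("*", "arn:aws:s3:::*", "arn:aws:s3:::*/*")
                            for r in as_list(st.get("Resource", [])))
        if wide_action or wide_resource:
            findings.append(st.get("Sid", str(i)))
    return findings


if __name__ == "__main__":
    # Constructed bucket names, for illustration only.
    policy = scoped_s3_policy(["example-input-bucket"], ["example-output-bucket"])
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(policy, indent=2))
    print("over-broad statements:", overbroad_statements(policy))
```

The printed JSON documents can be pasted into the IAM console or passed to the AWS CLI when you create the role; run `overbroad_statements` over an existing role's policy document to see which statements still reach all buckets.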


If you enable Amazon S3 default encryption on your Amazon S3 buckets, and you specify your own key managed by AWS Key Management Service, you must grant additional permissions. For more information, see Granting permissions for MediaConvert to access encrypted Amazon S3 buckets.

Set up a default role

If you use the name MediaConvert_Default_Role, then the MediaConvert console uses it by default when you create jobs in the future. This happens regardless of how you create the IAM service role for MediaConvert to use.