User access for the complex option
Read this section if you decided that the complex option for the trusted entity is appropriate to your deployment. With this option, users work with the trusted entity using the custom roles that you created.
Before you read this section, you should read the IAM permissions for MediaLive as a trusted entity and follow the procedure to create trusted entity roles for the complex option.
Permissions that users need
For users to work in the IAM Role section on the Channel and input details pane, they must be able to select options on this pane. The following screenshot shows the IAM Role section as it appears when you start to create a channel.
You must give users the access described in the following table. All the actions are in the IAM service.
Field on the console | Description | Actions |
---|---|---|
Select Use existing role | Users must not be able to view the list in the selection field that accompanies the Use existing role field. That list shows all the roles that are created in the AWS account. Users must not be able to select from this list. | None |
Select Create role from template | Users must not be able to select the Create role from template field. Users don't create roles. Only administrators create roles. | None |
Select Specify custom role ARN | Users must be able to enter a role into the entry field that accompanies the Specify custom role ARN field. They must then be able to pass that role to MediaLive. | iam:PassRole |
Select Update | Users do not need to be able to choose the Update button because this button only ever appears in implementations that use MediaLiveAccessRole. The complex option does not use this role; therefore, this button never appears. | None |
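As an added example (not from the MediaLive documentation), the following identity-based policy grants one user only the iam:PassRole permission listed in the table, limited to the roles for the workflows that user is responsible for. The account ID 111122223333 and the role names are placeholders; the iam:PassedToService condition restricts the pass to MediaLive, and no iam:ListRoles or iam:CreateRole permission is granted, so the Use existing role list and the Create role from template option stay unavailable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOnlyAssignedWorkflowRolesToMediaLive",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::111122223333:role/MediaLiveWorkflowA",
        "arn:aws:iam::111122223333:role/MediaLiveWorkflowB"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "medialive.amazonaws.com"
        }
      }
    }
  ]
}
```

Each role ARN in the Resource list should match an ARN from the list you give that user in the next section; a role that is not listed cannot be passed, even if the user types its ARN into the Specify custom role ARN field.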
Information that users need
When a user creates a channel, they will pass a role to MediaLive to set up MediaLive with the correct trusted policies. You created these policies when you set up the trusted entity. Specifically, when you created the trusted entity role, you made a note of the ARNs of all the roles that you created.
You must give each user a list of the roles (identified by an ARN) that they must use with each workflow (channel) that they work with.
- Make sure that you give each user the correct roles for the workflows that they are responsible for. Each role gives MediaLive access to the resources that apply to a specific workflow.
- Each user probably has a different list of roles.
When the user selects Specify custom role ARN, the user will consult their list to find the workflow the channel applies to and the role ARN that therefore applies.