User access for the complex option - MediaLive

User access for the complex option

Read this section if you decided that the complex option for the trusted entity is appropriate to your deployment. With this option, users work with the trusted entity using the custom roles that you created.

Before you read this section, you should read the IAM permissions for MediaLive as a trusted entity and follow the procedure to create trusted entity roles for the complex option.

Permissions that users need

For users to work in the IAM Role section on the Channel and input details pane, they must be able to select options on this pane. The following screenshot shows the IAM Role section as it appears when you start to create a channel.

You must give users the access described in the following table. All the actions are in the IAM service.

Field on the console: Select Use existing role
Description: Users must not be able to view the list in the selection field that accompanies the Use existing role field. That list shows all the roles that are created in the AWS account. Users must not be able to select from this list.
Actions: None

Field on the console: Select Create role from template option
Description: Users must not be able to select the Create role from template field. Users don't create roles. Only administrators create roles.
Actions: None

Field on the console: Select Specify custom role ARN
Description: Users must be able to enter a role into the entry field that accompanies the Specify custom role ARN field. They must then be able to pass that role to MediaLive.
Actions: iam:PassRole

Field on the console: Select Update
Description: Users do not need to be able to choose the Update button because this button only ever appears in implementations that use MediaLiveAccessRole. The complex option does not use this role; therefore, this button never appears.
Actions: None
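The access described in the table, expressed as an IAM identity-based policy attached to the user or group. This is an added example, not part of the MediaLive documentation: the account ID and role names are constructed placeholders, and the iam:PassedToService condition is an extra restriction (not mentioned in the table) that limits the pass to MediaLive itself.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOnlyAssignedMediaLiveRoles",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::111122223333:role/MediaLiveWorkflowA-Role",
        "arn:aws:iam::111122223333:role/MediaLiveWorkflowB-Role"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "medialive.amazonaws.com"
        }
      }
    }
  ]
}
```

The Resource list is exactly the per-user list of role ARNs that the next section asks you to hand out, and because the policy grants no iam:ListRoles or iam:CreateRole, the Use existing role list and the Create role from template option stay unavailable, as the table requires.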

Information that users need

When a user creates a channel, they pass a role to MediaLive so that MediaLive runs with the correct trust policies. You created these policies when you set up the trusted entity. Specifically, when you created the trusted entity roles, you made a note of the ARNs of all the roles that you created.

You must give each user a list of the roles (identified by an ARN) that they must use with each workflow (channel) that they work with.

  • Make sure that you give each user the correct roles for the workflows that they are responsible for. Each role gives MediaLive access to the resources that apply to a specific workflow.

  • Each user probably has a different list of roles.

When the user selects Specify custom role ARN, the user consults their list to find the workflow that the channel belongs to and the role ARN that applies to it.