How AWS Elemental MediaPackage works with IAM - AWS Elemental MediaPackage


Before you use IAM to manage access to MediaPackage, you should understand what IAM features are available to use with MediaPackage. To get a high-level view of how MediaPackage and other AWS services work with IAM, see AWS services that work with IAM in the IAM User Guide.

MediaPackage identity-based policies

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. MediaPackage supports specific actions, resources, and condition keys. To learn about all the elements that you use in a JSON policy, see IAM JSON policy elements reference in the IAM User Guide.

Actions
The Action element of an IAM identity-based policy describes the specific action or actions that will be allowed or denied by the policy. Policy actions usually have the same name as the associated AWS API operation. The action is used in a policy to grant permissions to perform the associated operation.

Policy actions in MediaPackage use the following prefix before the action: mediapackage:. For example, to grant someone permission to delete a MediaPackage endpoint with the MediaPackage DeleteOriginEndpoint API operation, you include the mediapackage:DeleteOriginEndpoint action in their policy. Policy statements must include either an Action or NotAction element. MediaPackage defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

"Action": ["mediapackage:action1", "mediapackage:action2"]

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word Describe, include the following action:

"Action": "mediapackage:Describe*"

For a list of MediaPackage actions, see Actions Defined by AWS Elemental MediaPackage in the IAM User Guide.

Resources
The Resource element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN or using the wildcard (*) to indicate that the statement applies to all resources.

MediaPackage has the following resource ARNs:

arn:${Partition}:mediapackage:${Region}:${Account}:channels/${channelID}
arn:${Partition}:mediapackage:${Region}:${Account}:origin_endpoints/${endpointID}

For more information about the format of ARNs, see Amazon Resource Names (ARNs) and AWS service namespaces.

For example, to specify the 9a6b3953e242400eb805f324d95788e3 channel in your statement, use the following ARN:

"Resource": "arn:aws:mediapackage:us-east-1:111122223333:channels/9a6b3953e242400eb805f324d95788e3"

To specify all instances that belong to a specific account, use the wildcard (*):

"Resource": "arn:aws:mediapackage:us-east-1:111122223333:channels/*"

Some MediaPackage actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard (*).

"Resource": "*"

To see a list of MediaPackage resource types and their ARNs, see Resources Defined by AWS Elemental MediaPackage in the IAM User Guide. To learn which actions accept the ARN of each resource type, see Actions Defined by AWS Elemental MediaPackage.

Condition keys

MediaPackage doesn't provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS global condition context keys in the IAM User Guide.

Examples
For examples of MediaPackage identity-based policies, see AWS Elemental MediaPackage identity-based policy examples.

MediaPackage resource-based policies

MediaPackage doesn't support resource-based policies.

Authorization based on MediaPackage tags

You can attach tags to MediaPackage resources or pass tags in a request to MediaPackage. To control access based on tags, you provide tag information in the condition element of a policy using the mediapackage:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. For more information about tagging MediaPackage resources, see Tagging AWS Elemental MediaPackage resources.

To view an example identity-based policy for limiting access to a resource based on the tags on that resource, see Viewing MediaPackage channels based on tags.
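The following is an added Python model, not AWS or MediaPackage code, of how the Action and Resource wildcards described earlier on this page and the tag condition keys in this section are matched against a request. The policy, ARNs and tag values are constructed, and the evaluator deliberately covers only Allow/Deny, `*`/`?` wildcards and StringEquals on the two tag keys; real IAM evaluation is authoritative.

```python
"""Constructed, simplified model of IAM matching for MediaPackage requests.
Ignores NotAction/NotResource, policy variables, aws:TagKeys and all other
condition operators; action matching here is case-sensitive unlike real IAM."""
import fnmatch

# Constructed sample policy: read any channel in the account, but only
# delete endpoints that carry the resource tag Environment=dev.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "mediapackage:Describe*",
         "Resource": "arn:aws:mediapackage:us-east-1:111122223333:channels/*"},
        {"Effect": "Allow",
         "Action": ["mediapackage:DeleteOriginEndpoint"],
         "Resource": "arn:aws:mediapackage:us-east-1:111122223333:origin_endpoints/*",
         "Condition": {"StringEquals": {"mediapackage:ResourceTag/Environment": "dev"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM treats * and ? as wildcards in Action and Resource values.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, resource_tags, request_tags):
    # Only StringEquals on the two tag keys named on this page is modelled.
    for key, expected in condition.get("StringEquals", {}).items():
        if key.startswith("mediapackage:ResourceTag/"):
            actual = resource_tags.get(key.split("/", 1)[1])
        elif key.startswith("aws:RequestTag/"):
            actual = request_tags.get(key.split("/", 1)[1])
        else:
            return False  # unknown condition key: fail closed
        if actual != expected:
            return False
    return True

def is_allowed(policy, action, resource, resource_tags=None, request_tags=None):
    """True if some Allow statement matches the request and no Deny does."""
    resource_tags, request_tags = resource_tags or {}, request_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), resource_tags, request_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed
```

A request for a resource with no Environment tag, or one tagged prod, fails the StringEquals condition and is denied by default, which is the behaviour to verify when relying on ResourceTag conditions.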

MediaPackage IAM roles

An IAM role is an entity within your AWS account that has specific permissions.

Using temporary credentials with MediaPackage

You can use temporary credentials to sign in with federation, assume an IAM role, or assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

MediaPackage supports using temporary credentials.

Service-linked roles

Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.

MediaPackage does not support service-linked roles.

Service roles

This feature allows a service to assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.

MediaPackage supports service roles.

Choosing an IAM role in MediaPackage

When you create an asset resource in MediaPackage, you must choose a role to allow MediaPackage to access Amazon S3 on your behalf. If you previously created a service role or service-linked role, MediaPackage provides you with a list of roles to choose from. It's important to choose a role that allows access to read from the S3 bucket and retrieve content. For more information, see Allowing AWS Elemental MediaPackage to access other AWS services.