How AWS Elemental MediaTailor works with IAM - AWS Elemental MediaTailor

How AWS Elemental MediaTailor works with IAM

To get a high-level view of how AWS Elemental MediaTailor and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

AWS Elemental MediaTailor Identity-based policies

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. AWS Elemental MediaTailor supports specific actions, resources, and condition keys. To learn about all of the elements, see IAM JSON Policy Elements Reference in the IAM User Guide.


The Action element of an IAM identity-based policy describes the specific action or actions that will be allowed or denied by the policy. Policy actions usually have the same name as the associated AWS API operation. The action is used in a policy to grant permissions to perform the associated operation.

Policy actions in AWS Elemental MediaTailor prefix the action with mediatailor:. For example, to grant someone permission to run the MediaTailor ListTagsForResource API operation, you include the mediatailor:ListTagsForResource action in their policy. Policy statements must include either an Action or NotAction element. MediaTailor defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows.

"Action": [ "mediatailor:action1", "mediatailor:action2" ]

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word List, include the following action:


For a list of AWS Elemental MediaTailor actions, see Actions Defined by AWS Elemental MediaTailor in the IAM User Guide.


AWS Elemental MediaTailor doesn't support specifying resource ARNs in a policy.

Condition keys

AWS Elemental MediaTailor doesn't provide service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.


To view examples of AWS Elemental MediaTailor identity-based policies, see Identity-based policy examples.

AWS Elemental MediaTailor resource-based policies

AWS Elemental MediaTailor doesn't support resource-based policies.

Authorization based on AWS Elemental MediaTailor tags

You can attach tags to AWS Elemental MediaTailor resources and pass tags in a request to MediaTailor. To control access using tags, you provide tag information in the condition element of a policy using the mediatailor:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. For more information about tagging MediaTailor resources, see Tagging AWS Elemental MediaTailor resources.

To view an example identity-based policy for limiting access to a resource based on the tags on that resource, see Viewing AWS Elemental MediaTailor configurations based on tags.

AWS Elemental MediaTailor IAM roles

An IAM role is an entity within your AWS account that has specific permissions.

Using temporary credentials with AWS Elemental MediaTailor

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

AWS Elemental MediaTailor supports using temporary credentials.

Service-linked roles

Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles. For information about using service-linked roles with MediaTailor, see Using service-linked roles for MediaTailor.

Service roles

This feature allows a service to assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.

AWS Elemental MediaTailor doesn't support service roles.