Policies and Permissions in MediaPackage
This page provides an overview of resource policies in MediaPackage and describes the basic elements of a policy. Each listed element links to more details about that element and examples of how to use it.
For a complete list of MediaPackage actions, resources, and conditions, see Actions, resources, and condition keys for AWS Elemental MediaPackage in the AWS General Reference.
In its most basic sense, a policy contains the following elements:
-
Resources - Channels and origin endpoints are the MediaPackage resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource. For more information, see MediaPackage resources.
-
Actions - For each resource, MediaPackage supports a set of operations. You identify resource operations that you will allow (or deny) by using action keywords. For more information, see IAM JSON Policy Elements: Action.
-
Effect - This determines what the effect will be when the user requests the specific action. This can be either allow or deny.
If you do not explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to make sure that a user can't access the resource, even if a different policy grants access. For more information, see IAM JSON Policy Elements: Effect.
-
Principal - The account or user who is allowed access to the actions and resources in the statement. In a resource policy, the principal is the user, account, service, or other entity that is the recipient of this permission. For more information, see Principals and AWS JSON Policy Elements: Principal.
-
Condition - These are the conditions for when a policy is in effect. You can use AWS‐wide keys and MediaPackage‐specific keys to specify conditions in an MediaPackage access policy. For more information, see IAM JSON Policy Elements: Condition.
To illustrate, consider the following Allow
policy. With this policy in effect, Jane Doe has
mediapackagev2:GetObject
and mediapackagev2:GetHeadObject
permissions on all objects from the specified origin endpoint under the condition that the request are made over HTTPS.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowJaneDoe", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
accountID
:user/JaneDoe" }, "Action": ["mediapackagev2:GetObject","mediapackagev2:GetHeadObject"], "Resource": "arn:aws:mediapackagev2:Region
:AccountID
:channelGroup/ChannelGroupName
/channel/ChannelName
/originEndpoint/OriginEndpointName
", "Condition": { "Bool": { "aws:SecureTransport": "true" } } } ] }
Resource policies are specific to the resources to which they are applied. Applying a policy to a particular origin endpoint
that allows anonymous GetObject
doesn't automatically apply GetObject
to other endpoints even if the
ARN matches. For instance, if you apply a policy to origin endpoint abcdef01234567890
, it only applies to that endpoint
and not to another endpoint with a similar ARN, like 021345abcdef6789
. This means that the policy is not automatically applied to any other resource
with a matching ARN, and you must apply the policy explicitly to each resource that requires it.
For more, see the topics below. For complete policy language information, see Policies and Permissions and IAM JSON Policy Reference in the IAM User Guide.