What is authentication? - MediaConvert
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

What is authentication?

Authentication is how you sign in to Amazon using your credentials.

As a principal, you must be authenticated (signed in to Amazon) using an entity (root user, IAM user, or IAM role) to send a request to Amazon. An IAM user can have long-term credentials such as a user name and password or a set of access keys. When you assume an IAM role, you are given temporary security credentials.

To authenticate from the Amazon Web Services Management Console as a user, you must sign in with your user name and password. To authenticate from the Amazon CLI or Amazon API, you must provide your access key and secret key or temporary credentials. Amazon provides SDK and CLI tools to cryptographically sign your request using your credentials. If you don’t use Amazon tools, you must sign the request yourself. Regardless of the authentication method that you use, you might also be required to provide additional security information. For example, Amazon recommends that you use multi-factor authentication (MFA) to increase the security of your account.

As a principal, you can sign in to Amazon using the following entities (users or roles):

  • IAM user – An IAM user is an entity within your Amazon account that has specific permissions. MediaConvert supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature version 4 signing process in the Amazon General Reference.

  • IAM role – An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an Amazon identity with permissions policies that determine what the identity can and cannot do in Amazon. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM roles with temporary credentials are useful in the following situations:

    • Federated user access – To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see Creating a role for a third-party Identity Provider in the IAM User Guide.

    • Temporary user permissions – An IAM user can assume a role to temporarily take on different permissions for a specific task.

    • Cross-account access – You can use an IAM role to allow a trusted principal in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some Amazon services, you can attach a policy directly to a resource (instead of using a role as a proxy). MediaConvert does not support these resource-based policies. For more information about choosing whether to use a role or a resource-based policy to allow cross-account access, see Controlling access to principals in a different account.

    • Amazon service access – A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an Amazon Web Service in the IAM User Guide.

    • Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making Amazon CLI or Amazon API requests. This is preferable to storing access keys within the EC2 instance. To assign an Amazon role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.