Creating the IAM role in MediaConvert with configured permissions - MediaConvert
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Creating the IAM role in MediaConvert with configured permissions

This approach allows you to restrict the access that you grant MediaConvert to only specific S3 buckets, and to specify whether to alllow invoke access to your Amazon API Gateway endpoints.

To set up your MediaConvert role in MediaConvert, configured permissions
  1. Open the MediaConvert console at

  2. Choose Get started.

  3. On the Create job page, in the Job pane on the left, under Job settings, choose Amazon integration.

  4. In the Service access section, for Service role control, choose Create a new service role, configure permissions.

  5. For New role name, we suggest that you keep the default value MediaConvert_Default_Role. When you do, MediaConvert uses this role by default for your future jobs.

  6. For Input S3 locations and Output S3 locations, choose Add location. Select the S3 buckets that you created in the previous step of this tutorial, Step 2: Create storage for files.

  7. Optional. If you use features that require it, for API Gateway enpoint invocation, choose allow.

    MediaConvert requires this access for the following features:

    • Digital rights management with SPEKE

    • Nielsen non-linear watermarking

    If you prefer to allow MediaConvert invoke access only to a specific endpoint, you can modify these permissions in the role policy after you create it, using the Amazon Identity and Access Management (IAM) service. For more information, see Editing IAM policies in the Amazon Identity and Access Management User Guide.