

# Setting up access for other Amazon accounts to your AWS Elemental MediaConvert outputs
<a name="setting-up-access-for-other-aws-accounts"></a>

When you follow the usual setup for permissions as described in [Setting up IAM permissions](iam-role.md), only users that belong to your Amazon account can access your output files.

In some cases, you might want to allow users of other Amazon accounts access to the outputs of your jobs. For example, you might run transcoding jobs on behalf of one of your customers, and you might want that customer to have access to the outputs of the jobs. You can do this in one of the following ways:
+ **Grant access to your Amazon S3 bucket.**

  When you do this, MediaConvert writes your output files to your bucket, and you grant another account access to your bucket.
+ **Have MediaConvert write your output files to a bucket owned by another account.**

  You can have MediaConvert apply an Amazon S3 canned access control list (ACL) to your outputs. A canned ACL is a predefined ACL that includes the necessary permissions.

  When you do this, you still own the output file, but MediaConvert grants access to the outputs to the owner of the bucket.

**Topics**
+ [Granting access to your output Amazon S3 bucket](granting-access-to-your-output-amazon-s3-bucket.md)
+ [Writing your outputs to an Amazon S3 bucket in another account](write-your-outputs-to-another-accounts-amazon-s3-bucket.md)

# Granting access to your output Amazon S3 bucket
<a name="granting-access-to-your-output-amazon-s3-bucket"></a>

Suppose that you want the outputs of your MediaConvert jobs to reside in an Amazon S3 bucket that you own, but you want users that belong to another Amazon account to have access to them. To grant access, you can add an Amazon S3 bucket policy to your output bucket.

For a tutorial about how to grant this access, see [Example 2: Bucket owner granting cross-account bucket permissions](https://docs.amazonaws.cn/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html) in the *Amazon Simple Storage Service User Guide*.

The following example bucket policy grants access to your output bucket:

```
{
    "Id": "Policy1572454561447",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1572454547712",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
            "Principal": {
                "AWS": [
                    "111122223333"
                ]
            }
        }
    ]
}
```
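
The principal in this policy is a bare account ID, so the grant covers the whole other account rather than one role or user in it. The following review helper is an added example, not part of the original documentation: it lists each cross-account grant in a bucket policy together with its scope. The function names and the owner account ID `444455556666` are assumptions made for illustration.

```python
import re

# Matches a bare 12-digit account ID or an IAM ARN in any partition.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:iam::)?(\d{12})(?::(.+))?$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def cross_account_grants(policy, owner_account):
    """List Allow grants to principals outside owner_account as
    (principal, scope, actions, resources) tuples."""
    grants = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):      # "Principal": "*"
            names = [principal]
        else:
            names = as_list(principal.get("AWS", []))
        for name in names:
            match = ACCOUNT_RE.match(name)
            if name == "*":
                scope = "anyone"
            elif match is None:
                scope = "unrecognized"
            elif match.group(1) == owner_account:
                continue                    # same-account grant
            elif match.group(2) in (None, "root"):
                scope = "whole-account"     # delegated to that account's admins
            else:
                scope = "single-identity"   # one role or user
            grants.append((name, scope, sorted(as_list(stmt.get("Action", []))),
                           as_list(stmt.get("Resource", []))))
    return grants

# The read-access policy from this page; the owner account ID is constructed.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1572454547712",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "Principal": {"AWS": ["111122223333"]},
    }],
}

if __name__ == "__main__":
    for grant in cross_account_grants(PAGE_POLICY, "444455556666"):
        print(grant)
```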

# Writing your outputs to an Amazon S3 bucket in another account
<a name="write-your-outputs-to-another-accounts-amazon-s3-bucket"></a>

When you want the outputs of your MediaConvert jobs to reside in an Amazon S3 bucket that is owned by another Amazon account, you work together with the administrator of that account to add a bucket permissions policy that grants you access to write the files and to add an Amazon S3 canned access control list (ACL) to the outputs. Then you set up your MediaConvert job to write to that bucket and to automatically add the canned ACL `bucket-owner-full-control` as it does so.

The result of this setup is that you own the files, but they reside in another account's bucket. The owner of the bucket has full access to the files.

**To write your outputs to a bucket owned by another account**

1. Work with an administrator of the other account to add a bucket policy to the Amazon S3 bucket that you want to write your output files to. For more information, see [How do I add an S3 Bucket policy?](https://docs.amazonaws.cn/AmazonS3/latest/userguide/add-bucket-policy.html) in the *Amazon Simple Storage Service User Guide*.

   The following example bucket policy grants the necessary permissions:

   ```
   {
       "Version": "2012-10-17",
       "Id": "Policy1570060985561",
       "Statement": [
           {
               "Sid": "Stmt1570060984261",
               "Effect": "Allow",
               "Principal": {
                   "AWS": [
                       "arn:aws:iam::111122223333:role/MediaConvertRole"
                   ]
               },
               "Action": [
                   "s3:GetObject",
                   "s3:GetObjectAcl",
                   "s3:ListBucket",
                   "s3:PutObject",
                   "s3:PutObjectAcl"
               ],
               "Resource": [
                   "arn:aws:s3:::bucket",
                   "arn:aws:s3:::bucket/*"
               ]
           }
       ]
   }
   ```

1. For any job that writes outputs to that bucket, apply the **Bucket owner full control** ACL as follows:

   1. Set up your job as usual. For more information, see [Tutorial: Configuring job settings](setting-up-a-job.md).

   1. Specify the other account's Amazon S3 bucket for your output **Destination**. On the **Create job** page, in the **Job** pane on the left, choose an output group. In the group settings section on the right, find **Destination**.

   1. Enable **Access control**, and then choose **Bucket owner full control** for **Canned access control list**.
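
The console setting in the last step appears in the job JSON as `AccessControl.CannedAcl` under the output group's `DestinationSettings.S3Settings`. The following pre-submission check is an added example, not part of the original documentation: it flags every output group that writes to the other account's bucket without `BUCKET_OWNER_FULL_CONTROL`. The function name, the sample job, and its destination prefixes are constructed for illustration.

```python
import re

# Output group setting keys in MediaConvert job JSON that carry a Destination.
GROUP_KEYS = ("FileGroupSettings", "HlsGroupSettings", "DashIsoGroupSettings",
              "CmafGroupSettings", "MsSmoothGroupSettings")
REQUIRED_ACL = "BUCKET_OWNER_FULL_CONTROL"

def groups_missing_owner_acl(job, other_account_buckets):
    """Return (group name, destination, acl) for every output group that
    writes to one of other_account_buckets without the required canned ACL."""
    findings = []
    for group in job.get("Settings", {}).get("OutputGroups", []):
        for key in GROUP_KEYS:
            settings = group.get("OutputGroupSettings", {}).get(key)
            if not settings:
                continue
            dest = settings.get("Destination", "")
            match = re.match(r"s3://([^/]+)", dest)
            if not match or match.group(1) not in other_account_buckets:
                continue                      # output stays in our own account
            acl = (settings.get("DestinationSettings", {})
                           .get("S3Settings", {})
                           .get("AccessControl", {})
                           .get("CannedAcl"))
            if acl != REQUIRED_ACL:
                findings.append((group.get("Name"), dest, acl))
    return findings

# Constructed job: "bucket" is the other account's bucket from the policy above.
SAMPLE_JOB = {"Settings": {"OutputGroups": [
    {"Name": "File Group", "OutputGroupSettings": {
        "Type": "FILE_GROUP_SETTINGS",
        "FileGroupSettings": {
            "Destination": "s3://bucket/customer/mp4/",
            "DestinationSettings": {"S3Settings": {
                "AccessControl": {"CannedAcl": "BUCKET_OWNER_FULL_CONTROL"}}}}}},
    {"Name": "Apple HLS", "OutputGroupSettings": {
        "Type": "HLS_GROUP_SETTINGS",
        "HlsGroupSettings": {"Destination": "s3://bucket/customer/hls/"}}},
    {"Name": "Archive", "OutputGroupSettings": {
        "Type": "FILE_GROUP_SETTINGS",
        "FileGroupSettings": {"Destination": "s3://amzn-s3-demo-bucket/archive/"}}},
]}}

if __name__ == "__main__":
    for finding in groups_missing_owner_acl(SAMPLE_JOB, {"bucket"}):
        print(finding)
```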