'AWS IAM Role Policy Issue on Media Convert Service [ Cannot open input file [Failed to read data: AssumeRole failed]]]

I am struggling with AWS IAM Role Policies, I am following a tutorial for Lambda function to read from s3 bucket event when a new file is uploaded and send it to AWS MediaConvert to convert the video file. Lambda function is being able to read from s3 in test but it fails the job at MediaConvert.

I have set the policies to the roles and also gave inline policies but still I am unable to get it working.

AWS Elemental MediaConvert Screenshot

Policies set for IAM ROLE

IAM Policies

Json for inline policy

lambda-s3-policy-inlinepolicy

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "ExampleStmt",
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::aws-mybucket-01/*"
        ]
    }
]
 }

Policy Summary PolicySummaryImg

VodLambdaRole

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "Logging"
    },
    {
        "Action": [
            "iam:PassRole"
        ],
        "Resource": [
            "arn:aws:iam::myAccountID:role/my-lambda-role"
        ],
        "Effect": "Allow",
        "Sid": "PassRole"
    },
    {
        "Action": [
            "mediaconvert:*"
        ],
        "Resource": [
            "*"
        ],
        "Effect": "Allow",
        "Sid": "MediaConvertService"
    },
    {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": "arn:aws:iam::myAccountID:role/my-lambda-role"
    }
]
}

PolicySummary

amazon-iamaws-media-convertaws-elemental


Solution 1:[1]

Make sure that the IAM Role assigned to the MediaConvert job has a Trust Policy that trusts MediaConvert:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "mediaconvert.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This is normally generated automatically when you create an IAM Role in the management console and select MediaConvert as the Service.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 John Rotenstein

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function