AWS MediaConvert Python AccessDeniedException: when calling the CreateJob operation
I am trying to create a simple MediaConnect job with Python. My pipeline is simple. S3Put triggers a Python lambda, and I am trying to create a simple job. I created a simple job using the AWS Console and the json job is this -
{
    "Queue": "arn:aws:mediaconvert:ap-south-1:----:queues/Default",
    "UserMetadata": {},
    "Role": "arn:aws:iam::----:role/mediaConverterRole",
    "Settings": {
        "TimecodeConfig": {
            "Source": "ZEROBASED"
        },
        "OutputGroups": [
            {
                "Name": "File Group",
                "Outputs": [
                    {
                        "Preset": "System-Generic_Hd_Mp4_Av1_Aac_16x9_640x360p_24Hz_250Kbps_Qvbr_Vq6",
                        "Extension": ".mp4",
                        "NameModifier": "converted"
                    }
                ],
                "OutputGroupSettings": {
                    "Type": "FILE_GROUP_SETTINGS",
                    "FileGroupSettings": {
                        "Destination": "s3://----/"
                    }
                }
            }
        ],
        "Inputs": [
            {
                "AudioSelectors": {
                    "Audio Selector 1": {
                        "DefaultSelection": "DEFAULT"
                    }
                },
                "VideoSelector": {},
                "TimecodeSource": "ZEROBASED",
                "FileInput": "s3://----/videos/sample786.mp4"
            }
        ]
    },
    "AccelerationSettings": {
        "Mode": "DISABLED"
    },
    "StatusUpdateInterval": "SECONDS_60",
    "Priority": 0
}
Please note that the Role worked fine when used on the AWS console. So far this is ok.
Now coming to my pipeline with s3Put -> Python Lambda -> MediaConnect, the infrastructure is written using Terraform. My iam.tf file -
# create a role
# resource_type - resource_name
resource "aws_iam_role" "lambda_role" {
  name = "${local.resource_component}-lambda-role"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      },
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "mediaconvert.amazonaws.com"
        },
        "Sid": "",
        "Effect": "Allow"
      }
    ]
  })
}

# create policy
resource "aws_iam_policy" "policy" {
  name = "${local.resource_component}-lambda-policy"
  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:*"
        ],
        "Resource": "arn:aws:logs:*:*:*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:*"
        ],
        "Resource": "arn:aws:s3:::*"
      }
    ]
  })
}

# attach policy to the role
resource "aws_iam_role_policy_attachment" "policy_attachment" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = aws_iam_policy.policy.arn
}
The lambda code gets triggered by S3Put successfully. But the lambda throws an error -
(AccessDeniedException) when calling the CreateJob operation: User: arn:aws:sts::---:assumed-role/vidstream-inputVideoProcessor-lambda-role/vidstream-inputVideoProcessor is not authorized to perform: iam:PassRole on resource: arn:aws:iam::---:role/mediaConverterRole
I have tried to find simple boto3 examples but nothing simpler is found online. The lambda Python code is here -
import json
import logging
import boto3

# initialize logger
logger = logging.getLogger()
logger.setLevel(logging.INFO)

def handler(event, context):
    # get input bucket
    input_bucket_name = event['Records'][0]['s3']['bucket']['name']
    # get file/object name
    media_object = event['Records'][0]['s3']['object']['key']
    # open json mediaconvert template
    with open("job.json", "r") as jsonfile:
        job_object = json.load(jsonfile)
    # prepare data for mediaconvert job
    input_file = f's3://{input_bucket_name}/{media_object}'
    # edit job object
    job_object['Settings']['Inputs'][0]['FileInput'] = input_file
    # updated job object
    logger.info("updated job object")
    # Create MediaConvert client
    mediaconvert_client = boto3.client('mediaconvert')
    try:
        # try to create a job
        mediaconvert_client.create_job(**job_object)
    except Exception as e:
        logger.error(e)
    return {
        'statusCode': 200,
        'body': json.dumps(event)
    }
The boto3 MediaConvert documentation is provided by AWS.
I am at a loss, no idea what to do. Is there any simpler example anyone can help me with? I just need to create a simple job with Lambda that works, no complexity.
Any kind of help will be highly appreciated.
Okay, I solved this issue by adding iam:PassRole to the lambda policy.
{
    "Effect": "Allow",
    "Action": [
        "iam:PassRole"
    ],
    "Resource": "*"
}
So the updated iam.tf file is -
# create a role
# resource_type - resource_name
resource "aws_iam_role" "lambda_role" {
  name = "${local.resource_component}-lambda-role"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      },
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "mediaconvert.amazonaws.com"
        },
        "Sid": "",
        "Effect": "Allow"
      }
    ]
  })
}

# create policy
resource "aws_iam_policy" "policy" {
  name = "${local.resource_component}-lambda-policy"
  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:*"
        ],
        "Resource": "arn:aws:logs:*:*:*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:*"
        ],
        "Resource": "arn:aws:s3:::*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "iam:PassRole"
        ],
        "Resource": "*"
      }
    ]
  })
}

# attach policy to the role
resource "aws_iam_role_policy_attachment" "policy_attachment" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = aws_iam_policy.policy.arn
}
I first added this to the lambda policy from the AWS console. After that worked I added it to my tf file. Be careful when editing something in the console while the main infrastructure is written in IaC such as Terraform; this might cause drift if you forget what you have done.
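Granting iam:PassRole on "*" as in the fix above lets the function pass any role in the account to any service, not only mediaConverterRole to MediaConvert. Added example, not code from the original post: a small checker that flags wildcard or unpinned PassRole statements in a policy document and swaps in a scoped statement that uses the iam:PassedToService condition key; the account id in the role ARN is a constructed placeholder.

```python
# Constructed placeholder: the post redacts the real account id.
MEDIACONVERT_ROLE_ARN = "arn:aws:iam::123456789012:role/mediaConverterRole"

# Least-privilege replacement for the "Resource": "*" statement in the answer:
# the Lambda may pass only this role, and only to the MediaConvert service.
SCOPED_PASSROLE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": MEDIACONVERT_ROLE_ARN,
    "Condition": {"StringEquals": {"iam:PassedToService": "mediaconvert.amazonaws.com"}},
}

# The policy from the answer, reproduced as the sample input for the checker.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def passrole_findings(policy):
    """Flag each Allow statement that grants iam:PassRole on every role, or that
    does not pin the consuming service with the iam:PassedToService condition."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any(r == "*" or r.endswith(":role/*") for r in resources)
        pinned = "iam:PassedToService" in stmt.get("Condition", {}).get("StringEquals", {})
        if wildcard or not pinned:
            findings.append({"statement": idx, "wildcard_resource": wildcard, "service_pinned": pinned})
    return findings

def scoped_policy(policy):
    """Copy of the policy with every flagged statement replaced by the scoped one."""
    flagged = {f["statement"] for f in passrole_findings(policy)}
    statements = [SCOPED_PASSROLE_STATEMENT if i in flagged else s
                  for i, s in enumerate(policy.get("Statement", []))]
    return {**policy, "Statement": statements}
```

The same scoped statement drops straight into the Statement list of the jsonencode block in iam.tf, which removes the wildcard without changing what the Lambda needs to do.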