Provisioning a dedicated IAM profile allows the owner of the S3 instance to grant Beamr Cloud access to AWS resources without sharing AWS security credentials. This approach helps maintain permission boundaries by controlling access to specific AWS folders and actions permitted by Beamr Cloud.
We recommend granting only the necessary permissions and avoiding the use of AmazonS3AllAccess whenever possible.
The instructions below walk you through the initial configuration required to integrate your AWS S3 storage with the Beamr platform.
1. Update your AWS account and region on Beamr
2. Create Beamr IAM role & SNS topic
This step involves configuring AWS IAM roles and an SNS topic to handle notifications and permissions.
Beamr provides a CloudFormation template to automate this process, but you also have the option to configure everything manually. This section covers both methods.
Manually Create IAM role & SNS topic using AWS console
Step 1: Create the IAM Role
- Log in to AWS Console.
- Go to IAM Service:
  - In the AWS Management Console, navigate to IAM by typing "IAM" in the search bar.
- Create a New Role:
  - Go to Roles and click Create Role.
  - Select Another AWS account as the trusted entity, and enter Beamr's AWS account ID: 897367468997.
- Set Permissions:
  - Add the following permissions to the role:
    - Source Bucket Permissions: List and get objects (s3:ListBucket, s3:GetObject) for your source buckets.
    - Destination Bucket Permissions: Upload and set ACL for objects (s3:PutObject, s3:PutObjectAcl) for your destination buckets.
    - List All Buckets: List all S3 buckets (s3:ListAllMyBuckets).
- Create the Role:
  - Name the role BeamrCloudAccessRole.
Step 2: Create the SNS Topic
- Go to SNS Service:
  - In the AWS Management Console, navigate to SNS by typing "SNS" in the search bar.
- Create a New Topic:
  - Click Create topic, choose Standard, and name it BeamrS3EventTopic.
- Set Topic Policy:
  - Edit the topic's access policy to allow Beamr's AWS account to subscribe and manage the topic. Here is an example policy:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:your-region:your-account-id:BeamrS3EventTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "your-account-id"
        }
      }
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::897367468997:root"
      },
      "Action": "SNS:Subscribe",
      "Resource": "arn:aws:sns:your-region:your-account-id:BeamrS3EventTopic"
    }
  ]
}
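The first statement in the policy above names every AWS principal and relies on its AWS:SourceAccount condition to keep the topic private. As an added example (not Beamr's code), this check flags a topic policy where that condition is missing or where the Beamr account holds more than SNS:Subscribe; the function names, the owner account 111122223333 and the region are constructed for illustration.

```python
import re

BEAMR_ACCOUNT = "897367468997"  # Beamr's AWS account ID, as given on this page


def as_list(value):
    """IAM accepts a bare string or object wherever it accepts a list."""
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Account ID from an IAM ARN or a bare 12-digit principal, else None."""
    m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None


def audit_topic_policy(policy, owner_account):
    """Return findings for an SNS topic access policy given as a dict."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        # Condition keys are case-insensitive; only the page's key is accepted here.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        equals = {k.lower(): v for k, v in equals.items()}
        for p in as_list(aws):
            if p == "*":
                if equals.get("aws:sourceaccount") != owner_account:
                    findings.append(f"{sid}: open to any AWS principal")
            elif account_of(p) not in (owner_account, BEAMR_ACCOUNT):
                findings.append(f"{sid}: unknown principal {p}")
            elif account_of(p) == BEAMR_ACCOUNT and actions != {"sns:subscribe"}:
                findings.append(f"{sid}: Beamr granted more than SNS:Subscribe")
    return findings


# Constructed sample: the page's policy (action list abbreviated), placeholders filled in.
OWNER = "111122223333"
TOPIC = f"arn:aws:sns:us-east-1:{OWNER}:BeamrS3EventTopic"
PAGE_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:SetTopicAttributes"],
     "Resource": TOPIC, "Condition": {"StringEquals": {"AWS:SourceAccount": OWNER}}},
    {"Sid": "__console_sub_0", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{BEAMR_ACCOUNT}:root"},
     "Action": "SNS:Subscribe", "Resource": TOPIC}]}
```

Run it on the JSON shown in the topic's Access policy editor after saving; an empty list means both statements match what this page describes.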
Create IAM role & SNS topic using CloudFormation
- IAM Role: BeamrCloudAccessRole – This role allows Beamr to access your S3 buckets with the necessary permissions.
- SNS Topic: BeamrS3EventTopic – This is used to handle S3 event notifications, such as when new files are added or updated in the bucket.
Please review and copy the CloudFormation template from here:
AWSTemplateFormatVersion: '2010-09-09'
Description: One-time setup for Beamr integration with pre-defined SNS topic policy.
Resources:
  BeamrCloudAccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: BeamrCloudAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::897367468997:role/prod_bvcloud_storage_process_cluster-role
                - arn:aws:iam::897367468997:role/prod-beamr-cloud-backend-role
                - arn:aws:iam::897367468997:role/BVCloudWorkers
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: BeamrS3AccessPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Input bucket permissions (placeholders)
              - Effect: Allow
                Action:
                  - 's3:ListBucket'
                  - 's3:GetObject'
                Resource:
                  - "arn:aws:s3:::PLACEHOLDER_INPUT_BUCKET"
                  - "arn:aws:s3:::PLACEHOLDER_INPUT_BUCKET/*"
              # Output bucket permissions (placeholders)
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                  - 's3:PutObjectAcl'
                Resource:
                  - "arn:aws:s3:::PLACEHOLDER_OUTPUT_BUCKET"
                  - "arn:aws:s3:::PLACEHOLDER_OUTPUT_BUCKET/*"
              # Permission to list all buckets
              - Effect: Allow
                Action:
                  - 's3:ListAllMyBuckets'
                Resource: "*"
  BeamrS3EventTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      TopicName: BeamrS3EventTopic
  BeamrS3EventTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      Topics:
        - !Ref BeamrS3EventTopic
      PolicyDocument:
        Version: '2008-10-17'
        Id: "__default_policy_ID"
        Statement:
          - Sid: "__default_statement_ID"
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - "SNS:Publish"
              - "SNS:RemovePermission"
              - "SNS:SetTopicAttributes"
              - "SNS:DeleteTopic"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:GetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:Subscribe"
            Resource: !Ref BeamrS3EventTopic
            Condition:
              StringEquals:
                AWS:SourceAccount: !Ref AWS::AccountId
          - Sid: "__console_sub_0"
            Effect: Allow
            Principal:
              AWS: "arn:aws:iam::897367468997:root"
            Action: "SNS:Subscribe"
            Resource: !Ref BeamrS3EventTopic
Outputs:
  BeamrRoleArn:
    Description: ARN of the role that Beamr will assume
    Value: !GetAtt BeamrCloudAccessRole.Arn
  SNSTopicArn:
    Description: ARN of the SNS topic for S3 event notifications
    Value: !Ref BeamrS3EventTopic
Explanation of CloudFormation Template
- IAM Role (BeamrCloudAccessRole):
  - Purpose: This role grants Beamr the necessary permissions to access your S3 buckets for video optimization.
  - Permissions:
    - It allows Beamr to assume the role using predefined roles (prod_bvcloud_storage_process_cluster-role, prod-beamr-cloud-backend-role, and BVCloudWorkers).
    - It has placeholder permissions for both input and output buckets:
      - Source Buckets: Permission to list and get objects (s3:ListBucket, s3:GetObject).
      - Destination Buckets: Permission to upload objects and set object ACLs (s3:PutObject, s3:PutObjectAcl).
    - It also grants permission to list all the S3 buckets in your account (s3:ListAllMyBuckets) to allow easier selection on Beamr cloud UI.
- SNS Topic (BeamrS3EventTopic):
  - Purpose: This topic is used to handle S3 event notifications, such as new file uploads.
  - The topic allows Beamr's AWS account (897367468997) to subscribe to the notifications, and it provides general permissions for SNS actions, including publishing and subscribing.
- SNS Topic Policy (BeamrS3EventTopicPolicy):
  - Purpose: Defines access control for the SNS topic, ensuring that Beamr and your account can use it correctly.
3. Setup of source & destination buckets
Set the Bucket Policy to Allow the Beamr IAM Role to Access the Buckets
To allow the Beamr IAM role (BeamrCloudAccessRole) to access your S3 buckets, you will need to update the policy for both the source bucket and destination bucket.
Steps:
- Log in to AWS Console.
- Go to the S3 Service:
  - In the AWS Management Console, navigate to S3 by typing "S3" in the search bar.
- Open the Source or Destination Bucket:
  - Navigate to the bucket where you want to grant Beamr access.
- Go to Permissions Tab:
  - Click on the Permissions tab.
- Edit Bucket Policy:
  - Scroll down to Bucket policy and click Edit.
  - Add the following JSON policy to allow the Beamr IAM role to access the bucket:
For source bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your-account-id>:role/BeamrCloudAccessRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-source-bucket",
        "arn:aws:s3:::your-source-bucket/*"
      ]
    }
  ]
}
For destination bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your-account-id>:role/BeamrCloudAccessRole"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::your-destination-bucket",
        "arn:aws:s3:::your-destination-bucket/*"
      ]
    }
  ]
}
- Replace your-source-bucket and your-destination-bucket with the actual bucket names.
- Replace your-account-id with your AWS account ID.
Update the Resource Section of the Beamr IAM Role
Replace the placeholders (PLACEHOLDER_INPUT_BUCKET, PLACEHOLDER_OUTPUT_BUCKET) with the actual bucket names.
Steps:
- Log in to AWS Console. Try this quick link or navigate manually following the next steps.
- Go to the IAM Service:
  - In the AWS Management Console, navigate to IAM by typing "IAM" in the search bar.
- Locate the BeamrCloudAccessRole:
  - Under Roles, search for BeamrCloudAccessRole.
- Edit the Policy:
  - In the policy attached to the role, look for BeamrS3AccessPolicy.
  - Click Edit policy and navigate to the JSON editor.
  - Replace the placeholders in the policy with the actual bucket names for the source and destination buckets. Example:
Replace your-source-bucket and your-destination-bucket with the actual bucket names.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-source-bucket",
        "arn:aws:s3:::your-source-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::your-destination-bucket",
        "arn:aws:s3:::your-destination-bucket/*"
      ]
    }
  ]
}
- Save the policy
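To confirm the saved policy stays within the permissions this page lists, the following added example (not Beamr's code) audits a role policy document for leftover PLACEHOLDER_ resources, actions outside the five named above, and bucket-level actions granted on Resource "*". The function names and the embedded sample are constructed for illustration.

```python
import json

# Actions the page grants to BeamrCloudAccessRole (IAM action names are case-insensitive).
BUCKET_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:putobject", "s3:putobjectacl"}
ACCOUNT_ACTIONS = {"s3:listallmybuckets"}  # the only action that belongs on Resource "*"


def as_list(value):
    """IAM accepts a bare string or object wherever it accepts a list."""
    return value if isinstance(value, list) else [value]


def audit_role_policy(policy):
    """Return findings for an identity policy document given as a dict."""
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        for action in sorted(actions - BUCKET_ACTIONS - ACCOUNT_ACTIONS):
            kind = "wildcard" if "*" in action else "unexpected"
            findings.append(f"statement {n}: {kind} action {action}")
        for res in as_list(stmt.get("Resource", [])):
            if "PLACEHOLDER" in res:
                findings.append(f"statement {n}: placeholder left in {res}")
            elif res == "*" and not actions <= ACCOUNT_ACTIONS:
                findings.append(f"statement {n}: bucket actions on Resource *")
            elif res.startswith("arn:aws:s3:::*"):
                findings.append(f"statement {n}: wildcard bucket {res}")
    return findings


# Constructed sample: the template's inline policy before the placeholders are replaced.
TEMPLATE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
   "Resource": ["arn:aws:s3:::PLACEHOLDER_INPUT_BUCKET",
                "arn:aws:s3:::PLACEHOLDER_INPUT_BUCKET/*"]},
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
   "Resource": ["arn:aws:s3:::PLACEHOLDER_OUTPUT_BUCKET",
                "arn:aws:s3:::PLACEHOLDER_OUTPUT_BUCKET/*"]},
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"}]}
""")

if __name__ == "__main__":
    for finding in audit_role_policy(TEMPLATE_POLICY):
        print(finding)
```

Paste the JSON from the role's policy editor in place of the sample; an empty result means every statement is scoped to named buckets and to the actions described on this page.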
Configure Event Notifications for "Live Monitoring" Workflows
Steps:
- Go to the S3 Service:
  - In the AWS Management Console, navigate to S3 and open your source bucket.
- Go to Properties Tab:
  - Click on the Properties tab.
- Scroll to Event Notifications:
  - Under Event notifications, click Create event notification.
- Configure Event Notification:
  - Name the event (e.g., BeamrLiveMonitoring).
  - Events: Choose the event types you want to monitor. Typically, you want to choose All object create events to trigger notifications when new objects are uploaded to the bucket.
  - Destination: Select SNS Topic and choose BeamrS3EventTopic.
- Save the Event Notification.