Provisioning a dedicated IAM profile allows the owner of the S3 instance to grant Beamr Cloud access to AWS resources without sharing AWS security credentials. This approach helps maintain permission boundaries by controlling access to specific AWS folders and actions permitted by Beamr Cloud.

 

Beamr Cloud facilitates the connection of your Amazon S3 buckets, allowing for a streamlined workflow with your AWS account. This feature enables you to designate specific buckets where your source video files are stored (source bucket) and for saving the transformed videos (output bucket).

 

Beamr Cloud will operate within your Amazon S3 environment using this IAM role. To fully utilize the available triggers and actions, the IAM role should have List/Write permissions for the relevant buckets and folders. We recommend granting only the necessary permissions and avoiding the use of AmazonS3AllAccess whenever possible.

 

1. Identify Your S3 Buckets

- Choose an S3 bucket(s) for your video files. It is advisable to start with one source bucket for your original videos and one output bucket for the transformed files.

- Select trusted entity - Trusted entity type “AWS account”

2. Create an IAM Role in Your AWS Account

    • Navigate to your AWS account and create a new IAM role for Beamr Cloud integration and call it: BeamrCloudAccessRole

3. Establish Trust Relationships for the BeamrCloudAccessRole

  • Set up the following trust policy.
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": [
             "arn:aws:iam::897367468997:role/prod_bvcloud_storage_process_cluster-role",
             "arn:aws:iam::897367468997:role/prod-beamr-cloud-backend-role",
             "arn:aws:iam::897367468997:role/BVCloudWorkers"
                    ]
                },
               "Action": "sts:AssumeRole"
           }
       ]
   }

4. Configure Permission Policies for the BeamrCloudAccessRole

  • For a source bucket (read-only access), use the following policy:
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "s3:ListBucket",
           "s3:GetObject"
         ],
         "Resource": [
           "arn:aws:s3:::source-bucket-name",
           "arn:aws:s3:::source-bucket-name/*"
         ]
       },
   ```
  • For an output bucket (read/write access), use this policy
   ```
       {
         "Effect": "Allow",
         "Action": [
           "s3:ListBucket",
           "s3:GetObject",
           "s3:PutObject",
           "s3:PutObjectAcl"
         ],
         "Resource": [
           "arn:aws:s3:::output-bucket-name",
           "arn:aws:s3:::output-bucket-name/*"
         ]
       },
   ```
  • To allow selecting buckets in Beamr Cloud, please allow listing of buckets in your AWS account
     ```
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    }
  ]
}
 * Remember to replace "source-bucket-name" and "output-bucket-name" with the name of your buckets.

Configure Beamr Cloud

1. In the Integrations page of the Beamr Cloud web app (Left Menu), click on the 'Connect AWS' button.

2. In the "AWS Account Details" window that appears, enter your AWS Account ID, Select your Region and click 'Update'.

 

You can also connect your account when creating a new workflow for the first time, from the ‘Source’ drop down: 

 
 
 
Note: In case you wish to change your existing AWS Account ID,  do it with caution as it can invalidate your existing workflows!

 

How to Enable ‘Live Monitor’ Workflow type?

After you configured the access to your buckets as specified in the above instructions you can set up the real-time processing of the new files which appear in your S3 bucket of choice
  1. Create a SNS topic of Standard type named BeamrS3EventTopic in the same AWS region as your monitored S3 bucket
  2. In the Access Policy of the newly created SNS topic, please add Beamr AWS Account ID 897367468997 as a Subscriber
    Note: after creating the Access Policy you may need to replace "AWS:SourceOwner" with "AWS:SourceAccount" in the "Condition" element of the policy
  3. Create the Event Notification in Properties of the S3 bucket which you wish to monitor:
    - set event type to "All objects create event"
    - set the destination type to "SNS topic"
    - set BeamrS3EventTopic as SNS topic
Now you can create a new workflow of Live Monitor type in Beamr Cloud and select the bucket you wish to monitor for the new files, presets to apply to the new files, and the output bucket to store the result files.
That’s it - you are all set, now you can return to your Beamr Cloud account