
Elemental Live HLS to MediaPackage v2 Error 403

0

I'm trying to send an HLS from an Elemental Live to MediaPackage v2 and I get an ERROR 403 on the Elemental. I've set up an IAM user with full access to MediaPackage v2 and created a secret key, which is what I use as username and password on the Elemental. The policy in MediaPackage gives "PutObject" access to the IAM user created for the particular channel. What could be causing the issue? When I check in IAM, it says that the secret key has never been used.

  • In the policy for the channel:

        {
          "Version": "2012-10-17",
          "Id": "AllowIamUser",
          "Statement": [
            {
              "Sid": "AllowIamUserToEmpChannel",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::AccountID:user/ElementalLiveMediaPackageUser"
              },
              "Action": "mediapackagev2:PutObject",
              "Resource": "arn:aws:mediapackagev2:Region:AccountID:channelGroup/ChannelGroupName/channel/ChannelName"
            }
          ]
        }

    I've gotten it to work when I replace {"AWS": "arn:aws:iam::AccountID:user/ElementalLiveMediaPackageUser"} with {"AWS": "*"}. It's a quick fix but not a safe one.

    The user "ElementalLiveMediaPackageUser" has full access to MediaPackage v2, so not sure what I'm missing.

asked 8 months ago · 273 views
3 Answers
1

Hi rjdxb,

MediaLive uses role-based authentication to send to MediaPackage v2. Make sure your MediaLiveCustomPolicy attached to your MediaLiveAccessRole includes the following permissions:

    {
      "Effect": "Allow",
      "Action": [
        "mediapackagev2:PutObject",
        "mediapackagev2:GetChannel"
      ],
      "Resource": "*"
    }

No username/password pair is required when this is properly configured.

Regards, Steve

AWS
answered 8 months ago
1

You have two options here:

  1. Use programmatic access.
  2. Use specific IP-restricted access.

This is not best practice, but you can try to limit access by IP:

https://docs.aws.amazon.com/mediapackage/latest/userguide/endpoint-auth.html

Apply this policy to Ingest authorization

Restrict access by IP range

AWS
answered 8 months ago
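
Added example, not part of any post in this thread and not AWS code: a small Python check that flags the `{"AWS": "*"}` workaround from the question, and accepts a wildcard principal only when the statement carries the `aws:SourceIp` restriction that the IP-based option above relies on. The helper names, the sample policies and the 203.0.113.0/24 range are constructed for illustration; the ARNs reuse the question's placeholders.

```python
import json

# Constructed sample values; AccountID, Region and names are the question's placeholders.
USER_ARN = "arn:aws:iam::AccountID:user/ElementalLiveMediaPackageUser"
CHANNEL_ARN = ("arn:aws:mediapackagev2:Region:AccountID:"
               "channelGroup/ChannelGroupName/channel/ChannelName")

def make_policy(principal, condition=None):
    """Build a channel policy like the one in the question (hypothetical helper)."""
    stmt = {"Sid": "AllowIamUserToEmpChannel", "Effect": "Allow",
            "Principal": principal, "Action": "mediapackagev2:PutObject",
            "Resource": CHANNEL_ARN}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False

def audit_channel_policy(policy_json):
    """Return findings for Allow statements that open ingest to any caller."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # Flatten condition keys across operators, e.g. IpAddress -> aws:SourceIp
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not cond_keys:
            findings.append(f"{sid}: wildcard principal with no Condition")
        elif "aws:sourceip" not in cond_keys:
            findings.append(f"{sid}: wildcard principal, Condition lacks aws:SourceIp")
    return findings

if __name__ == "__main__":
    ip_cond = {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}
    for name, pol in [("named user", make_policy({"AWS": USER_ARN})),
                      ("wildcard", make_policy({"AWS": "*"})),
                      ("wildcard + IP", make_policy({"AWS": "*"}, ip_cond))]:
        print(name, "->", audit_channel_policy(pol) or "ok")
```
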
0

Based on the information provided, there are a few potential reasons for the ERROR 403 you're experiencing when trying to send HLS from Elemental Live to MediaPackage v2:

  1. IAM User Permissions: While you've created an IAM user with full access to MediaPackage v2, ensure that the user also has the necessary permissions to assume any required roles and access other related services.

  2. Channel Policy Configuration: Double-check that the channel policy in MediaPackage v2 is correctly configured. Make sure the ARN of the IAM user is accurately specified in the Principal section of the policy, and that the "PutObject" action is allowed for the correct channel resource.

  3. Credentials Usage: If the IAM console shows that the secret key has never been used, it's possible that the credentials are not being properly applied in the Elemental Live configuration. Verify that you're using the access key ID as the username and the secret access key as the password in the Elemental Live setup.

  4. Elemental Live Configuration: Ensure that you've correctly set up the output in Elemental Live. For MediaPackage v2 (HLS output), you need to use the specific input endpoints provided by MediaPackage. These URLs should start with "https://" and be slightly different from each other.

  5. Network Configuration: Although not explicitly mentioned in your setup, ensure there are no network-related issues preventing communication between Elemental Live and MediaPackage v2. Check that any necessary security groups or firewall rules are properly configured.

  6. Encryption Settings: If you're using encryption, make sure the encryption settings are correctly configured on both the Elemental Live and MediaPackage v2 sides.

To troubleshoot further:

  • Double-check all the configuration steps, especially the channel policy and the credentials used in Elemental Live.
  • Verify that the MediaPackage v2 channel and input endpoints are correctly set up and accessible.
  • Check CloudWatch logs or any available Elemental Live logs for more detailed error messages.
  • Consider temporarily granting broader permissions to the IAM user to rule out specific permission issues, then narrow down the permissions once the connection is established.

If the issue persists after verifying these points, you may need to contact AWS support for more in-depth troubleshooting, as there could be an underlying service issue or a more complex configuration problem.
Sources
MediaLive unable to open output or stream to MediaPackage | AWS re:Post
Ingest authorization - AWS Elemental MediaPackage

answered 8 months ago
