Enable MediaLive to create/store thumbnails

0

The MediaLive Trusted Entity Requirements for S3 list PutObject twice, once (along with ListBucket, GetObject, and DeleteObject) for:

Sending and retrieving assets from an Amazon S3 bucket when a channel is running…

…and once (by itself for):

Sending thumbnails to an Amazon S3 bucket when a channel is running, if a channel has input thumbnails enabled

…but I think something must be missing—or else I'm just missing something—in the docs. To what bucket does the PutObject for thumbnails apply?

Right now, with PutObject only enabled for the bucket from/to which I'm reading-MP4/writing-HLS video, the channel is working as expected, other than the thumbnails. I'm not seeing any thumbnails, and in CloudWatch, I'm seeing errors like:

[OutputDataS3: PUT failed. Response=[403] Message[Access Denied] Headers[]]

Is this because there is some other S3 bucket to which I need to provide MediaLive access? If so, how can I find out what bucket that is?

1 Answer
1
Accepted Answer

Good question.

As you wrote, preview thumbnail errors should not impact production outputs going to other targets. The thumbnails for output preview get written to a bucket owned by the MediaLive service, not a customer bucket. Every PUT attempt to S3 gets 3 retries, so one write error is not necessarily a failure on that file.

There are some possible conditions which might cause an S3 write error:

  • If the channel is running in a VPC, then the VPC needs an S3 access endpoint or some other means of reaching the output bucket.
  • Some issue with the IAM Role MediaLive assumes to run the channel in your account
  • Other transient error reaching S3, possible dependency outage, or service outage etc.

If you want a deeper investigation, the S3 support team can trace the individual S3 request IDs for each PUT operation. I suggest opening a case with AWS Premium Support to start that process.

AWS
answered 24 days ago
  • The thumbnails for output preview get written to a bucket owned by the MediaLive service, not a customer bucket.

    This answers the question. Thank you.

    Because I was following the guide's "complex option", I did not give broad access to S3.

    I'll use the "Feedback" link on the Trusted Entity Requirements page to request that the ARN of the MediaLive bucket be included on that page so it can get included in custom policies.
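
The scoping issue discussed in this thread, as an added example that is not part of the original posts or of AWS documentation: a simplified evaluator for an identity-based policy, showing that a `PutObject` grant scoped to one bucket yields an implicit deny for a write to any other bucket. Both bucket names are placeholders (the thread does not give the MediaLive-owned bucket's ARN), and the evaluator models only `Effect`, `Action` and `Resource`.

```python
import re

# Constructed role policy in the style of a bucket-scoped custom policy.
# Bucket names are placeholders; the page does not give the MediaLive bucket ARN.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-customer-video-bucket"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-customer-video-bucket/*"},
    ],
}
CUSTOMER_KEY = "arn:aws:s3:::example-customer-video-bucket/hls/index.m3u8"
SERVICE_KEY = "arn:aws:s3:::PLACEHOLDER-medialive-owned-bucket/thumbnail.jpg"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None


def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        if any(k in st for k in ("NotAction", "NotResource", "Condition")):
            raise ValueError("element not modelled by this simplified evaluator")
        hit = (any(_wild(a, action, True) for a in _as_list(st["Action"]))
               and any(_wild(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny always wins
        if hit:
            decision = "Allow"
    return decision


def put_object_coverage(policy):
    """Evaluate s3:PutObject against both write targets a channel may use."""
    return {"customer_output": evaluate(policy, "s3:PutObject", CUSTOMER_KEY),
            "service_thumbnail": evaluate(policy, "s3:PutObject", SERVICE_KEY)}


if __name__ == "__main__":
    print(put_object_coverage(SCOPED_POLICY))
```

The result covers only the role's own policy; bucket policies, VPC endpoint policies and the other causes listed in the answer are outside what this evaluator checks.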
