How to create an IAM Role for eMAM Platform?

Creating an IAM role is required only if you plan to use the simple one-click configuration interface.
The one-click configuration interface uses the IAM role associated with the EC2 instance to create an IAM user with programmatic access for configuration and future use.
The configuration interface running on your EC2 instance automatically provisions the S3 buckets, Elemental MediaConvert presets, Elastic Transcoder pipeline, CloudWatch rules, IAM roles, SNS topics, Rekognition and Transcribe.


To create an IAM role using the IAM console
  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Roles, Create role.
  3. On the Select role type page, choose EC2 and the EC2 use case. Choose Next: Permissions.
  4. On the Attach permissions policy page, select IAMFullAccess.
  5. Add tags.
  6. On the Review page, type a name for the role and choose Create role.
Alternatively, you can use the AWS CLI to create an IAM role.

To create an IAM role and instance profile (AWS CLI)
  • Create an IAM role with a policy that grants the role IAM permissions.
    1. Create the following trust policy and save it in a text file named ec2-role-trust-policy.json.
      {  
          "Version": "2012-10-17",
          "Statement": [
              {      
                  "Effect": "Allow",
                  "Principal": { "Service": "ec2.amazonaws.com"},
                  "Action": "sts:AssumeRole"
              }  
          ] 
      }

    2. Create the IAMUserAccess role and specify the trust policy that you created.
      aws iam create-role --role-name IAMUserAccess --assume-role-policy-document file://ec2-role-trust-policy.json
    3. Create an access policy and save it in a text file named ec2-role-access-policy.json. This policy grants administrative permissions for IAM (every iam: action on every resource) to applications running on the instance. The eMAM configuration application running on the EC2 instance uses this role to create an IAM user with programmatic access and obtain the AccessKey and SecretKey for certain S3 operations.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["iam:*"],
            "Resource": ["*"]
          }
        ]
      }
    4. Attach the access policy to the role.
      aws iam put-role-policy --role-name IAMUserAccess --policy-name IAM-Permissions --policy-document file://ec2-role-access-policy.json
    5. Create an instance profile named IAMUserAccess-profile.
      aws iam create-instance-profile --instance-profile-name IAMUserAccess-profile

    6. Add the IAMUserAccess role to the IAMUserAccess-profile instance profile.
      aws iam add-role-to-instance-profile --instance-profile-name IAMUserAccess-profile --role-name IAMUserAccess
    When you launch the EC2 instance, choose this IAM role on the Configure Instance Details page.
  • Note
    The IAM role list displays the name of the instance profile that you created when you created your IAM role (IAMUserAccess-profile). If you created your IAM role using the console, the instance profile was created for you and given the same name as the role. If you created your IAM role using the AWS CLI, API, or an AWS SDK, you may have named your instance profile differently.
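
The role created above grants iam:* on every resource, and this page requires it only for the one-click configuration interface. The script below is an added example, not part of the eMAM documentation: it detaches and deletes the CLI-created role, policy and instance profile once configuration is finished. It assumes the configuration interface no longer needs the role after it has created its IAM user; the instance ID is an argument you supply.

```sh
#!/bin/sh
# Added example, not eMAM code. Assumption: once one-click configuration has
# created its IAM user, the instance no longer needs the iam:* role.
set -eu

ROLE=IAMUserAccess              # names taken from the CLI steps above
PROFILE=IAMUserAccess-profile
POLICY=IAM-Permissions

# Print the ID of the association between the instance and $PROFILE,
# or "None" when the instance is not using that profile.
association_id() {
  aws ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=$1" \
    --query "IamInstanceProfileAssociations[?ends_with(IamInstanceProfile.Arn, '/$PROFILE')].AssociationId | [0]" \
    --output text
}

# Detach the profile from the instance, then delete the profile, the inline
# policy and the role, in the order IAM requires.
revoke_config_role() {
  assoc=$(association_id "$1")
  if [ -n "$assoc" ] && [ "$assoc" != "None" ]; then
    aws ec2 disassociate-iam-instance-profile --association-id "$assoc"
  fi
  aws iam remove-role-from-instance-profile \
    --instance-profile-name "$PROFILE" --role-name "$ROLE"
  aws iam delete-instance-profile --instance-profile-name "$PROFILE"
  aws iam delete-role-policy --role-name "$ROLE" --policy-name "$POLICY"
  aws iam delete-role --role-name "$ROLE"
}

# Usage: sh revoke-config-role.sh <instance-id>
if [ "$#" -eq 1 ]; then
  revoke_config_role "$1"
fi
```

If the role was created in the console instead, the IAMFullAccess managed policy has to be detached with aws iam detach-role-policy rather than deleted as an inline policy.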