
AWS Chime Meeting S3 Bucket Permission Issues


I'm trying to implement an AWS Chime meeting with a Media Capture Pipeline in my application, but I keep getting this error when setting up the pipeline by calling the `startCapture` function (code below): `Insufficient permission to access S3 bucket: s3-bucket-name`

Here is what I have tried:

  1. Added the S3 bucket policy to allow Chime service principal access (code below)
  2. Added IAM user policy with necessary Chime and S3 permissions (code below)
  3. Verified bucket exists and is in the correct region
  4. Verified IAM user has the correct permissions

What am I missing in my setup? Are there additional permissions or configurations needed for AWS Chime meeting to work properly?

Code implementation

import {
  CreateMediaCapturePipelineCommand,
  ChimeSDKMediaPipelinesClient,
} from '@aws-sdk/client-chime-sdk-media-pipelines';
import {
  ChimeSDKMeetingsClient,
  CreateAttendeeCommand,
  CreateAttendeeCommandInput,
  CreateMeetingCommand,
  CreateMeetingCommandInput,
} from '@aws-sdk/client-chime-sdk-meetings';

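/**
 * Chime SDK Meetings client for the `eu-central-1` region.
 *
 * Static keys are taken from `AWS_KEY_ID` / `AWS_SECRET` only when both are
 * set. When either is missing, `credentials` is omitted entirely so the SDK
 * falls back to its default provider chain (environment, shared config,
 * instance or task role) instead of being handed a pair of empty strings,
 * which would only fail at request-signing time with an opaque auth error.
 */
export const chimeSdkMeetings = new ChimeSDKMeetingsClient({
  region: 'eu-central-1',
  // Spread so the `credentials` key is absent (not `undefined`) when unset.
  ...(process.env.AWS_KEY_ID && process.env.AWS_SECRET
    ? {
        credentials: {
          accessKeyId: process.env.AWS_KEY_ID,
          secretAccessKey: process.env.AWS_SECRET,
        },
      }
    : {}),
});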

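/**
 * Chime SDK Media Pipelines client for the `eu-central-1` region.
 *
 * Static keys are taken from `AWS_KEY_ID` / `AWS_SECRET` only when both are
 * set. When either is missing, `credentials` is omitted entirely so the SDK
 * falls back to its default provider chain (environment, shared config,
 * instance or task role) instead of being handed a pair of empty strings,
 * which would only fail at request-signing time with an opaque auth error.
 */
export const chimeSDKMediaPipelinesClient = new ChimeSDKMediaPipelinesClient({
  region: 'eu-central-1',
  // Spread so the `credentials` key is absent (not `undefined`) when unset.
  ...(process.env.AWS_KEY_ID && process.env.AWS_SECRET
    ? {
        credentials: {
          accessKeyId: process.env.AWS_KEY_ID,
          secretAccessKey: process.env.AWS_SECRET,
        },
      }
    : {}),
});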

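/**
 * Starts an audio-only media capture pipeline for a Chime SDK meeting and
 * writes its artifacts to the given S3 bucket.
 *
 * @param meetingId - Chime SDK meeting id (the `MeetingId` returned by
 *   CreateMeeting).
 * @param bucketName - Sink bucket name without the `arn:aws:s3:::` prefix.
 *   Defaults to the bucket previously hard-coded here, so existing callers
 *   are unaffected.
 * @returns The CreateMediaCapturePipeline response from the SDK.
 * @throws Error if `meetingId` or `bucketName` is empty; this is raised before
 *   any API call so a malformed ARN never leaves the process.
 *
 * NOTE(review): `AWS_ACCOUNT_ID` is not declared or imported in this listing;
 * it must be in scope (e.g. a module-level constant) for the source ARN to be
 * built.
 */
export const startCapture = async (
  meetingId: string,
  bucketName = 's3-bucket-name',
) => {
  // Fail fast with a readable message instead of sending a bogus ARN.
  if (!meetingId) throw new Error('startCapture: meetingId is required');
  if (!bucketName) throw new Error('startCapture: bucketName is required');

  return chimeSDKMediaPipelinesClient.send(
    new CreateMediaCapturePipelineCommand({
      ChimeSdkMeetingConfiguration: {
        ArtifactsConfiguration: {
          Audio: { MuxType: 'AudioOnly' },
          Content: { State: 'Disabled' },
          Video: { State: 'Disabled' },
        },
      },
      SinkArn: `arn:aws:s3:::${bucketName}`,
      SinkType: 'S3Bucket',
      // The region segment is intentionally empty: Chime SDK meeting ARNs
      // take the form arn:aws:chime::<account-id>:meeting:<meeting-id>.
      SourceArn: `arn:aws:chime::${AWS_ACCOUNT_ID}:meeting:${meetingId}`,
      SourceType: 'ChimeSdkMeeting',
    }),
  );
};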

S3 Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSChimeMediaCaptureBucketPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "mediapipelines.chime.amazonaws.com"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-name/*",
                "arn:aws:s3:::s3-bucket-name"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "${AWS_ACCOUNT_ID}"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:chime:*:${AWS_ACCOUNT_ID}:*"
                }
            }
        },
        {
            "Sid": "AWSChimeMediaConcatBucketPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "mediapipelines.chime.amazonaws.com"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-name/*",
                "arn:aws:s3:::s3-bucket-name"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "${AWS_ACCOUNT_ID}"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:chime:*:${AWS_ACCOUNT_ID}:*"
                }
            }
        }
    ]
}

IAM User Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-name",
                "arn:aws:s3:::s3-bucket-name/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "chime:CreateMediaCapturePipeline",
                "chime:CreateMeeting",
                "chime:CreateAttendee"
            ],
            "Resource": "*"
        }
    ]
}

Solution

  • OK I was able to get this to work finally!! I just had to follow this guide.

    I just updated the bucket policy to the one mentioned in the guide and updated my IAM role to the following. Compared with the IAM user policy above, this adds `s3:GetBucketPolicy` and `s3:GetBucketLocation` and widens the three `chime:Create*` actions to `chime:*` on every resource, which is broader than those three calls need:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "chime:*",
                    "s3:GetBucketPolicy",
                    "s3:GetBucketLocation"
                ],
                "Resource": "*"
            }
        ]
    }