Storage Bucket Permission Configuration Guide

This document describes the minimum permission configuration required for customer object storage when integrating with the cloud transcoding service.

Permission Overview

The transcoding service needs to access customer buckets for read and write operations during the transcoding process. The following permissions are required:

Operation Type	Description
Read Permission	Download files to be transcoded
Write Permission	Upload transcoded output files
Multipart Upload Permission	Large file multipart upload and resumable upload operations

AWS S3

Reference Documentation: Multipart Upload API and Permissions

Required Permissions List

Permission	Description
`s3:GetObject`	Get object (download file)
`s3:PutObject`	Put object (upload file)
`s3:ListBucketMultipartUploads`	List multipart upload tasks
`s3:ListMultipartUploadParts`	List uploaded parts
`s3:AbortMultipartUpload`	Abort multipart upload

Policy Configuration Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Note: Please replace your-bucket-name with your actual bucket name.

Google Cloud Storage (GCS)

Reference Documentation: IAM Permissions and Roles

Unlike other cloud storage services, GCS uses an IAM role-based authorization mechanism. You need to first create a custom role and assign the required permissions, then create a service account, and finally grant that role to the service account at the bucket level.

Configuration Steps

Create Custom Role
- Go to Google Cloud Console → IAM & Admin → Roles
- Click "Create Role", fill in the role name and description
Assign Permissions
- Add all permissions listed in the table below to the custom role
Create Service Account
- Go to IAM & Admin → Service Accounts
- Click "Create Service Account", fill in the name and description
Bucket Authorization
- Go to the target bucket → Click "Grant Access"
- Add the service account email, select the created role, and click "Save"
Generate HMAC Key
- Go to Cloud Console → Cloud Storage → Settings → Interoperability
- Click "Create a key for a service account" to generate access keys

Required Permissions List

Permission	Description
`storage.objects.get`	Get object (download file)
`storage.objects.create`	Create object (upload file)
`storage.objects.createContext`	Create object context
`storage.objects.delete`	Delete object
`storage.objects.deleteContext`	Delete object context
`storage.objects.list`	List objects
`storage.objects.update`	Update object
`storage.objects.updateContext`	Update object context
`storage.multipartUploads.create`	Create multipart upload task
`storage.multipartUploads.list`	List multipart upload tasks
`storage.multipartUploads.listParts`	List uploaded parts
`storage.multipartUploads.abort`	Abort multipart upload

Role Permission Configuration Example

{
  "title": "Transcode Service Role",
  "description": "Role for media transcoding service to access GCS",
  "stage": "GA",
  "includedPermissions": [
    "storage.objects.get",
    "storage.objects.create",
    "storage.objects.createContext",
    "storage.objects.delete",
    "storage.objects.deleteContext",
    "storage.objects.list",
    "storage.objects.update",
    "storage.objects.updateContext",
    "storage.multipartUploads.create",
    "storage.multipartUploads.list",
    "storage.multipartUploads.listParts",
    "storage.multipartUploads.abort"
  ]
}

Note:
Please replace the parameters in the example with your actual project information
The HMAC Key's Access Key and Secret will be used to configure the transcoding service's GCS access credentials

Linode Object Storage

Reference Documentation: Define access and permissions using bucket policies

Linode Object Storage is compatible with the AWS S3 API, so permission configuration is identical to AWS S3.

Required Permissions List

Permission	Description
`s3:GetObject`	Get object (download file)
`s3:PutObject`	Put object (upload file)
`s3:ListBucketMultipartUploads`	List multipart upload tasks
`s3:ListMultipartUploadParts`	List uploaded parts
`s3:AbortMultipartUpload`	Abort multipart upload

Policy Configuration Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Note: Please replace your-bucket-name with your actual bucket name.

Alibaba Cloud OSS

Reference Documentation: Setting Authorization Policies via RAM Policy

Required Permissions List

Permission	Description
`oss:GetObject`	Get object (download file)
`oss:PutObject`	Put object (upload file)
`oss:AbortMultipartUpload`	Abort multipart upload
`oss:ListMultipartUploads`	List multipart upload tasks
`oss:ListParts`	List uploaded parts

Policy Configuration Example

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": [
        "acs:oss:*:*:your-bucket-name/*"
      ]
    }
  ]
}

Note: Please replace your-bucket-name with your actual bucket name.

Tencent Cloud COS

Reference Documentation: Tencent Cloud CAM Policy

Required Permissions List

Permission	Description
`cos:HeadObject`	Get object metadata
`cos:GetObject`	Get object (download file)
`cos:PutObject`	Put object (upload file)
`cos:InitiateMultipartUpload`	Initiate multipart upload
`cos:UploadPart`	Upload part
`cos:CompleteMultipartUpload`	Complete multipart upload
`cos:ListParts`	List uploaded parts
`cos:AbortMultipartUpload`	Abort multipart upload

Policy Configuration Example

{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "cos:HeadObject",
        "cos:GetObject",
        "cos:PutObject",
        "cos:InitiateMultipartUpload",
        "cos:UploadPart",
        "cos:CompleteMultipartUpload",
        "cos:ListParts",
        "cos:AbortMultipartUpload"
      ],
      "resource": [
        "qcs::cos:::your-bucket-name/*"
      ]
    }
  ]
}

Note: Please replace your-bucket-name with your actual bucket name.

Volcano Engine TOS

Reference Documentation: Access Policy (Policy)

Required Permissions List

Permission	Description
`tos:GetObject`	Get object (download file)
`tos:PutObject`	Put object (upload file)
`tos:ListBucketMultipartUploads`	List multipart upload tasks
`tos:ListMultipartUploadParts`	List uploaded parts
`tos:AbortMultipartUpload`	Abort multipart upload

Policy Configuration Example

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tos:GetObject",
        "tos:PutObject",
        "tos:ListBucketMultipartUploads",
        "tos:ListMultipartUploadParts",
        "tos:AbortMultipartUpload"
      ],
      "Resource": [
        "trn:tos:*:*:your-bucket-name/*"
      ]
    }
  ]
}

Note: Please replace your-bucket-name with your actual bucket name.

Kingsoft Cloud KS3

Reference Documentation: User Policy

Required Permissions List

Permission	Description
`ks3:GetObject`	Get object (download file)
`ks3:PutObject`	Put object (upload file)
`ks3:ListBucketMultipartUploads`	List multipart upload tasks
`ks3:ListMultipartUploadParts`	List uploaded parts
`ks3:AbortMultipartUpload`	Abort multipart upload

Policy Configuration Example

{
  "Version": "2015-11-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ks3:GetObject",
        "ks3:PutObject",
        "ks3:ListBucketMultipartUploads",
        "ks3:ListMultipartUploadParts",
        "ks3:AbortMultipartUpload"
      ],
      "Resource": [
        "krn:ksc:ks3:::your-bucket-name/*"
      ]
    }
  ]
}

Note: Please replace your-bucket-name with your actual bucket name.

Configuration Notes

Bucket Name: Please replace your-bucket-name in the examples with your actual bucket name.
Permission Scope: The permissions listed above are the minimum required permissions for the cloud transcoding service, including only file read/write and multipart upload operations.
Resource Format: The ARN format for resources varies across platforms. Please follow the format in the corresponding platform example.
Multipart Upload: Multipart upload permissions are used for large file uploads and resumable uploads. It is recommended to grant all these permissions to ensure upload stability.

Troubleshooting

If you encounter permission-related errors, please check:

Whether the Access Key and Secret Key are correct
Whether the bucket name is entered correctly
Whether the permission policy includes all required permissions
Whether the bucket region is configured correctly

For other issues, please contact the Visionular technical support team.