Storage Bucket Permission Configuration Guide

This document describes the minimum permission configuration required for customer object storage when integrating with the cloud transcoding service.

Permission Overview

The transcoding service needs to access customer buckets for read and write operations during the transcoding process. The following permissions are required:

Operation Type               Description
Read Permission              Download files to be transcoded
Write Permission             Upload transcoded output files
Multipart Upload Permission  Large-file multipart upload and resumable upload operations

AWS S3

Reference Documentation: Multipart Upload API and Permissions

Required Permissions List

Permission                       Description
s3:GetObject                     Get object (download file)
s3:PutObject                     Put object (upload file)
s3:ListBucketMultipartUploads    List in-progress multipart uploads (bucket-level action)
s3:ListMultipartUploadParts      List uploaded parts
s3:AbortMultipartUpload          Abort multipart upload

Policy Configuration Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Note: Replace your-bucket-name with your actual bucket name. Both resource ARNs are needed: s3:ListBucketMultipartUploads is evaluated against the bucket itself (the ARN without /*), while the other four actions are evaluated against objects (the /* ARN). With only the object ARN the listing call is denied even though the action is listed. Attach this policy to a dedicated IAM user or role that is used only by the transcoding service, and give the service that identity's access key.


Google Cloud Storage (GCS)

Reference Documentation: IAM Permissions and Roles

GCS does not accept an S3-style policy document. Access is granted by IAM: you first create a custom role containing the required permissions, then create a service account, and finally bind that role to the service account at the bucket level. The transcoding service authenticates with an HMAC key issued for that service account, so the key can do exactly what the role allows on that bucket and nothing more.

Configuration Steps

  1. Create Custom Role

    • Go to Google Cloud Console → IAM & Admin → Roles
    • Click "Create Role", fill in the role name and description
  2. Assign Permissions

    • Add all permissions listed in the table below to the custom role
  3. Create Service Account

    • Go to IAM & Admin → Service Accounts
    • Click "Create Service Account", fill in the name and description
  4. Bucket Authorization

    • Go to the target bucket → Click "Grant Access"
    • Add the service account email, select the created role, and click "Save"
  5. Generate HMAC Key

    • Go to Cloud Console → Cloud Storage → Settings → Interoperability
    • Click "Create a key for a service account" to generate access keys

Required Permissions List

Permission                          Description
storage.objects.get                 Get object (download file)
storage.objects.create              Create object (upload file)
storage.objects.createContext       Create object context
storage.objects.delete              Delete object
storage.objects.deleteContext       Delete object context
storage.objects.list                List objects
storage.objects.update              Update object
storage.objects.updateContext       Update object context
storage.multipartUploads.create     Create multipart upload task
storage.multipartUploads.list       List multipart upload tasks
storage.multipartUploads.listParts  List uploaded parts
storage.multipartUploads.abort      Abort multipart upload

Role Permission Configuration Example

{
  "title": "Transcode Service Role",
  "description": "Role for media transcoding service to access GCS",
  "stage": "GA",
  "includedPermissions": [
    "storage.objects.get",
    "storage.objects.create",
    "storage.objects.createContext",
    "storage.objects.delete",
    "storage.objects.deleteContext",
    "storage.objects.list",
    "storage.objects.update",
    "storage.objects.updateContext",
    "storage.multipartUploads.create",
    "storage.multipartUploads.list",
    "storage.multipartUploads.listParts",
    "storage.multipartUploads.abort"
  ]
}

Note:

  • Replace the parameters in the example with your actual project information
  • The HMAC key's Access Key and Secret are the credentials you configure for the transcoding service's GCS access. The Secret is displayed only once, when the key is created, so store it in a secrets manager at that point. Because the key inherits the service account's bindings, keep the role bound to that account limited to the permission set above and bind it on the target bucket only, not at project level.

Linode Object Storage

Reference Documentation: Define access and permissions using bucket policies

Linode Object Storage is compatible with the AWS S3 API, so the action names and ARN format are the same as for AWS S3. The linked reference applies the policy as a bucket policy; a bucket policy must also carry a Principal element naming the Object Storage user whose access key you give the transcoding service (an identity policy, as in the AWS example, has no Principal because it is attached to the identity itself).

Required Permissions List

Permission                       Description
s3:GetObject                     Get object (download file)
s3:PutObject                     Put object (upload file)
s3:ListBucketMultipartUploads    List in-progress multipart uploads (bucket-level action)
s3:ListMultipartUploadParts      List uploaded parts
s3:AbortMultipartUpload          Abort multipart upload

Policy Configuration Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Note: Replace your-bucket-name with your actual bucket name. As on AWS, s3:ListBucketMultipartUploads is evaluated against the bucket ARN (without /*) and the other actions against the object ARN (with /*), so both are listed. When you apply this as a bucket policy, add the Principal element for the Object Storage user as described in the linked reference.


Alibaba Cloud OSS

Reference Documentation: Setting Authorization Policies via RAM Policy

Required Permissions List

Permission                 Description
oss:GetObject              Get object (download file)
oss:PutObject              Put object (upload file)
oss:AbortMultipartUpload   Abort multipart upload
oss:ListMultipartUploads   List in-progress multipart uploads (bucket-level action)
oss:ListParts              List uploaded parts

Policy Configuration Example

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": [
        "acs:oss:*:*:your-bucket-name",
        "acs:oss:*:*:your-bucket-name/*"
      ]
    }
  ]
}

Note: Replace your-bucket-name with your actual bucket name. oss:ListMultipartUploads is a bucket-level operation and is evaluated against the bucket resource (acs:oss:*:*:your-bucket-name); the remaining actions are evaluated against the object resource (the /* form), so both are listed. Attach the policy to a RAM user created only for the transcoding service and give the service that user's AccessKey.


Tencent Cloud COS

Reference Documentation: Tencent Cloud CAM Policy

Required Permissions List

Permission                      Description
cos:HeadObject                  Get object metadata
cos:GetObject                   Get object (download file)
cos:PutObject                   Put object (upload file)
cos:InitiateMultipartUpload     Initiate multipart upload
cos:UploadPart                  Upload part
cos:CompleteMultipartUpload     Complete multipart upload
cos:ListParts                   List uploaded parts
cos:AbortMultipartUpload        Abort multipart upload

Policy Configuration Example

{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "cos:HeadObject",
        "cos:GetObject",
        "cos:PutObject",
        "cos:InitiateMultipartUpload",
        "cos:UploadPart",
        "cos:CompleteMultipartUpload",
        "cos:ListParts",
        "cos:AbortMultipartUpload"
      ],
      "resource": [
        "qcs::cos:::your-bucket-name/*"
      ]
    }
  ]
}

Note: Replace your-bucket-name with your actual bucket name. In a real CAM policy the resource descriptor also carries the bucket's region and your APPID (COS bucket names end in the APPID); use the full qcs resource format from the CAM reference rather than the shortened form shown here. Attach the policy to a CAM sub-user created only for the transcoding service.


Volcano Engine TOS

Reference Documentation: Access Policy (Policy)

Required Permissions List

Permission                        Description
tos:GetObject                     Get object (download file)
tos:PutObject                     Put object (upload file)
tos:ListBucketMultipartUploads    List in-progress multipart uploads (bucket-level action)
tos:ListMultipartUploadParts      List uploaded parts
tos:AbortMultipartUpload          Abort multipart upload

Policy Configuration Example

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tos:GetObject",
        "tos:PutObject",
        "tos:ListBucketMultipartUploads",
        "tos:ListMultipartUploadParts",
        "tos:AbortMultipartUpload"
      ],
      "Resource": [
        "trn:tos:*:*:your-bucket-name",
        "trn:tos:*:*:your-bucket-name/*"
      ]
    }
  ]
}

Note: Replace your-bucket-name with your actual bucket name. Listing in-progress multipart uploads is a bucket-level operation, so the bucket resource (without /*) is listed alongside the object resource (with /*); the remaining actions are evaluated against objects.


Kingsoft Cloud KS3

Reference Documentation: User Policy

Required Permissions List

Permission                        Description
ks3:GetObject                     Get object (download file)
ks3:PutObject                     Put object (upload file)
ks3:ListBucketMultipartUploads    List in-progress multipart uploads (bucket-level action)
ks3:ListMultipartUploadParts      List uploaded parts
ks3:AbortMultipartUpload          Abort multipart upload

Policy Configuration Example

{
  "Version": "2015-11-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ks3:GetObject",
        "ks3:PutObject",
        "ks3:ListBucketMultipartUploads",
        "ks3:ListMultipartUploadParts",
        "ks3:AbortMultipartUpload"
      ],
      "Resource": [
        "krn:ksc:ks3:::your-bucket-name",
        "krn:ksc:ks3:::your-bucket-name/*"
      ]
    }
  ]
}

Note: Replace your-bucket-name with your actual bucket name. ks3:ListBucketMultipartUploads is evaluated against the bucket resource (without /*) and the other actions against the object resource (with /*), so both are listed. Attach the policy to a sub-user created only for the transcoding service.


Configuration Notes

  1. Bucket Name: Replace your-bucket-name in the examples with your actual bucket name.

  2. Permission Scope: The permissions listed above are the minimum required by the cloud transcoding service, covering only object read/write and multipart upload operations. Do not widen them to wildcards (an action such as s3:* or a Resource of *), and grant them to an identity (user, role or service account) that is used only by the transcoding service, so that the access key you hand over cannot reach other buckets or workloads. If that key is ever exposed, rotate it rather than relying on the narrow policy alone.

  3. Resource Format: The resource identifier (ARN) format varies across platforms; follow the format in the corresponding platform example. Where a platform distinguishes the bucket resource from its objects, the operation that lists in-progress multipart uploads is a bucket-level operation and must be granted on the bucket resource itself, while the remaining operations are granted on the object wildcard (your-bucket-name/*). A policy that names only the object wildcard silently denies the listing call.

  4. Multipart Upload: Multipart upload permissions are used for large-file uploads and resumable uploads. Grant all of them: without the list and abort permissions a failed upload cannot be resumed or cleaned up, and its uploaded parts remain in the bucket (stored, and billed, until aborted).
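The resource-level rule above is easy to get wrong by hand, so here is a small static checker for the S3-dialect policy documents on this page. It is an added example, not Visionular's or any provider's tooling: it parses a policy, flags wildcard actions or resources, flags actions outside the documented minimum, and reports any required action that is not paired with a resource of the right level. The bucket-level versus object-level split of the AWS action names is taken from the S3 documentation; for dialects with other action names (OSS, COS) pass the sets in as arguments, as the COS sample does. The sample policies and the bucket name media-in are constructed for the example.

```python
import json

# Minimum action set documented for the S3-dialect providers on this page,
# split by the resource each action is evaluated against. On AWS S3,
# ListBucketMultipartUploads is a bucket-level action; the other four are
# object-level. Pass different sets for dialects that use other names.
REQUIRED_OBJECT_ACTIONS = frozenset(
    {"GetObject", "PutObject", "ListMultipartUploadParts", "AbortMultipartUpload"})
REQUIRED_BUCKET_ACTIONS = frozenset({"ListBucketMultipartUploads"})


def _get(mapping, key):
    """Case-insensitive lookup: AWS/OSS/KS3 use 'Statement', COS uses 'statement'."""
    return next((v for k, v in mapping.items() if k.lower() == key), None)


def _as_list(value):
    """Policy grammars allow a single string where a list is expected."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _bucket_and_path(resource):
    """Split the trailing 'bucket' or 'bucket/path' off any ARN dialect on this
    page (arn:aws:s3:::b/*, acs:oss:*:*:b/*, qcs::cos:::b/*, krn:ksc:ks3:::b)."""
    tail = resource.rsplit(":", 1)[-1]
    bucket, sep, path = tail.partition("/")
    return bucket, (path if sep else None)


def check_policy(policy_json, bucket,
                 object_actions=REQUIRED_OBJECT_ACTIONS,
                 bucket_actions=REQUIRED_BUCKET_ACTIONS):
    """Return a list of findings. An empty list means every Allow statement is
    scoped to `bucket`, grants only the documented actions, and each required
    action is paired with a resource of the right level (bucket vs. object)."""
    policy = json.loads(policy_json)
    findings, granted_obj, granted_bkt = [], set(), set()
    for stmt in _as_list(_get(policy, "statement")):
        if str(_get(stmt, "effect")).lower() != "allow":
            continue  # Deny statements only narrow access; nothing to flag
        has_bucket_res = has_object_res = False
        for res in _as_list(_get(stmt, "resource")):
            name, path = _bucket_and_path(res)
            if "*" in name:
                findings.append(f"resource {res!r} is not limited to one bucket")
            elif name != bucket:
                findings.append(f"resource {res!r} is not scoped to bucket {bucket!r}")
            elif path is None:
                has_bucket_res = True
            else:
                has_object_res = True
        for action in _as_list(_get(stmt, "action")):
            short = action.rpartition(":")[2]  # strip the s3:/oss:/cos: prefix
            if "*" in action:
                findings.append(f"wildcard action {action!r}; list actions explicitly")
            elif short in object_actions:
                if has_object_res:
                    granted_obj.add(short)
            elif short in bucket_actions:
                if has_bucket_res:
                    granted_bkt.add(short)
            else:
                findings.append(f"action {action!r} is outside the documented minimum")
    for short in sorted(object_actions - granted_obj):
        findings.append(f"{short} needs the object resource ({bucket}/*)")
    for short in sorted(bucket_actions - granted_bkt):
        findings.append(f"{short} is bucket-level and needs the bucket resource itself ({bucket})")
    return findings


# Constructed samples: the object-wildcard-only mistake, the correctly scoped
# form, an over-broad policy, and a COS-style lowercase document.
ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucketMultipartUploads",
           "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"]
OBJECT_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ACTIONS, "Resource": ["arn:aws:s3:::media-in/*"]}]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ACTIONS,
    "Resource": ["arn:aws:s3:::media-in", "arn:aws:s3:::media-in/*"]}]})
OVERBROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})
COS_STYLE = json.dumps({"version": "2.0", "statement": [{
    "effect": "allow", "action": ["cos:GetObject", "cos:PutObject"],
    "resource": ["qcs::cos:::media-in/*"]}]})
```

Run check_policy(open("policy.json").read(), "your-bucket-name") on the document you are about to attach; it should return an empty list. The object-wildcard-only form returns exactly one finding, naming the bucket-level action that would be denied.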


Troubleshooting

If you encounter permission-related errors, check:

  • Whether the Access Key and Secret Key are correct (a wrong key ID or secret fails at signature verification, typically InvalidAccessKeyId or SignatureDoesNotMatch on S3-compatible services, rather than with an access-denied error)
  • Whether the bucket name is entered correctly (NoSuchBucket)
  • Whether the permission policy includes all required permissions, and whether the bucket-level permission for listing multipart uploads is granted on the bucket resource itself rather than only on your-bucket-name/* (the symptom is AccessDenied on exactly that call while uploads and downloads work)
  • Whether the bucket region or endpoint is configured correctly (AWS S3 answers a request sent to the wrong region with a redirect or a region-mismatch error rather than an access-denied error)
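The quickest way to pin down which of the checks above is failing is to exercise exactly the operations the service performs, in order, with the credential you configured, and read the error code per call. The probe below is an added example, not Visionular's tooling: it takes any boto3-style S3 client, so it works against AWS, Linode and the other S3-compatible endpoints on this page, and against GCS through an HMAC key with endpoint_url set to https://storage.googleapis.com. The FakeS3 class is a constructed offline stand-in used only to demonstrate the output; with a real client, install boto3 and run the block as a script. The probe leaves a small marker object under permission-probe/ because DeleteObject is deliberately not part of the granted permission set; the prefix name is an assumption.

```python
import io
import uuid


def _error_code(exc):
    """botocore's ClientError exposes the service error code under .response;
    anything else is reported by its class name."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code") or type(exc).__name__


def probe_bucket(s3, bucket, prefix="permission-probe/"):
    """Run the documented minimum operation set in the order the service uses it
    and return {operation: "ok" | error code}. `s3` is a boto3-style S3 client."""
    key = f"{prefix}{uuid.uuid4().hex}"
    results = {}

    def step(name, call):
        try:
            value = call()
        except Exception as exc:  # report every failure mode, not only AccessDenied
            results[name] = _error_code(exc)
            return None
        results[name] = "ok"
        return value

    step("PutObject", lambda: s3.put_object(Bucket=bucket, Key=key, Body=b"probe"))
    step("GetObject", lambda: s3.get_object(Bucket=bucket, Key=key)["Body"].read())
    # On AWS, CreateMultipartUpload and UploadPart are authorised by s3:PutObject;
    # ListParts, ListMultipartUploads (bucket-level) and Abort have their own actions.
    mpu_key = key + ".mpu"
    created = step("CreateMultipartUpload",
                   lambda: s3.create_multipart_upload(Bucket=bucket, Key=mpu_key))
    upload_id = created["UploadId"] if created else None
    if upload_id:
        # One small part is fine: the upload is aborted, never completed.
        step("UploadPart", lambda: s3.upload_part(
            Bucket=bucket, Key=mpu_key, UploadId=upload_id, PartNumber=1, Body=b"x" * 1024))
        step("ListParts", lambda: s3.list_parts(Bucket=bucket, Key=mpu_key, UploadId=upload_id))
    step("ListMultipartUploads", lambda: s3.list_multipart_uploads(Bucket=bucket))
    if upload_id:
        step("AbortMultipartUpload", lambda: s3.abort_multipart_upload(
            Bucket=bucket, Key=mpu_key, UploadId=upload_id))
    return results


def denied(results):
    """Operations that did not succeed, for a pass/fail summary."""
    return sorted(op for op, status in results.items() if status != "ok")


class _AccessDenied(Exception):
    """Constructed stand-in with the .response shape of botocore's ClientError."""
    def __init__(self, op):
        super().__init__(f"AccessDenied on {op}")
        self.response = {"Error": {"Code": "AccessDenied"}}


class FakeS3:
    """Offline stand-in for a boto3 S3 client (constructed for this example):
    every call succeeds unless its operation name is in `deny`."""
    def __init__(self, deny=()):
        self.deny, self.objects = set(deny), {}

    def _gate(self, op):
        if op in self.deny:
            raise _AccessDenied(op)

    def put_object(self, Bucket, Key, Body):
        self._gate("PutObject")
        self.objects[Key] = Body
        return {}

    def get_object(self, Bucket, Key):
        self._gate("GetObject")
        return {"Body": io.BytesIO(self.objects[Key])}

    def create_multipart_upload(self, Bucket, Key):
        self._gate("CreateMultipartUpload")
        return {"UploadId": "probe-upload"}

    def upload_part(self, Bucket, Key, UploadId, PartNumber, Body):
        self._gate("UploadPart")
        return {"ETag": '"probe-etag"'}

    def list_parts(self, Bucket, Key, UploadId):
        self._gate("ListParts")
        return {"Parts": [{"PartNumber": 1}]}

    def list_multipart_uploads(self, Bucket):
        self._gate("ListMultipartUploads")
        return {"Uploads": []}

    def abort_multipart_upload(self, Bucket, Key, UploadId):
        self._gate("AbortMultipartUpload")
        return {}


if __name__ == "__main__":
    # Real run: python probe.py <bucket> [endpoint-url]; credentials come from the
    # usual boto3 sources (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or ~/.aws).
    import sys
    import boto3
    endpoint = sys.argv[2] if len(sys.argv) > 2 else None
    outcome = probe_bucket(boto3.client("s3", endpoint_url=endpoint), sys.argv[1])
    for op, status in outcome.items():
        print(f"{op:24s} {status}")
    sys.exit(1 if denied(outcome) else 0)
```

A policy that names only the object wildcard produces the characteristic pattern: every step reports ok except ListMultipartUploads, which reports AccessDenied. A wrong secret fails at the first step with SignatureDoesNotMatch, and a wrong bucket name with NoSuchBucket, which separates the three causes in the checklist above in one run.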

For other issues, please contact the Visionular technical support team.