This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

AccessDeniedException when invoking lambda function to convert video from input to output bucket #347

Open
luciano-schirmer opened this issue Jun 22, 2022 · 1 comment

Comments

@luciano-schirmer

Describe the bug

When I upload a video to the input bucket, it triggers video conversion, but fails to complete the InputTriggerLambdaFunction.

To Reproduce

Steps to reproduce the behavior:

  1. Add amplify-video to an existing application, configuring it to Video-On-Demand. Example as follows.
$ npm i amplify-category-video -g
$ amplify plugin add
$ amplify video add
? Select from one of the below mentioned services: Video-On-Demand
? Provide a friendly name for your resource to be used as a label for this category in the project: xamavod
? Select a system-provided encoding template, specify an already-created template name:  Default HLS Adaptive Bitrate
? Do you want to get notifications on the video processing job? Yes
? Do you want a custom function executed for notifications? Yes
? Is this a production enviroment? Yes
? Do you want to protect your content with signed urls? Yes
? Do you want Amplify to create a new GraphQL API to manage your videos? (Beta) No
✔ All resources built.
$ amplify push
  2. Upload a video file (extension .mp4) to the generated S3 input bucket.

  3. Open the AWS Elemental MediaConvert console, select Jobs. Result: No job is submitted for processing.

  4. Open the CloudWatch console, filter inputwatcher to find the log group of the corresponding rInputLambdaTriggerFunction Lambda Function.

  5. Open the log. Result is an error like the following.

{
    "errorType": "AccessDeniedException",
    "errorMessage": "User: arn:aws:sts::[xxxxx]:assumed-role/[xxxxx]-videox-LambdaExecutionRole-[xxxxx]/[xxxxx]-inputWatcher is not authorized to perform: mediaconvert:TagResource on resource: arn:aws:mediaconvert:us-east-1:[xxxxx]:jobs/*",
    "code": "AccessDeniedException",
    "stack": [
        "AccessDeniedException: User: arn:aws:sts::[xxxxx]:assumed-role/amplify-[xxxxx]-videox-LambdaExecutionRole-[xxxxx]/[xxxxx]-inputWatcher is not authorized to perform: mediaconvert:TagResource on resource: arn:aws:mediaconvert:us-east-1:[xxxxx]:jobs/*",
        "    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27)",
        "    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:49:8)",
        "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
        "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
        "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)",
        "    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
        "    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
        "    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
        "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
        "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)"
    ]
}

Expected behavior
The job is submitted to MediaConvert and, after processing, the output files are generated in the S3 output bucket.

Desktop (please complete the following information):

  • OS: macOS Version 11.6.1
  • Browser: Safari
  • Version: amplify-video v3.9.1

Proposed solution

I solved the issue with the following steps to make it work after deployment:

  1. Opened IAM console and selected Roles.
  2. Opened amplify-xama-dev-194301-videox-LambdaExecutionRole-7Q383P958FXF role (exact name is different for each deployed application).
  3. Added the following Action to the MediaConvert resource in S3PolicyTesting policy:
"mediaconvert:TagResource"

Full S3PolicyTesting JSON file as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:[xxxxx]:log-group:/aws/lambda/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "mediaconvert:CreateJob",
                "mediaconvert:CreateJobTemplate",
                "mediaconvert:CreatePreset",
                "mediaconvert:DeleteJobTemplate",
                "mediaconvert:DeletePreset",
                "mediaconvert:DescribeEndpoints",
                "mediaconvert:GetJob",
                "mediaconvert:GetJobTemplate",
                "mediaconvert:GetQueue",
                "mediaconvert:GetPreset",
                "mediaconvert:ListJobTemplates",
                "mediaconvert:ListJobs",
                "mediaconvert:ListQueues",
                "mediaconvert:ListPresets",
                "mediaconvert:UpdateJobTemplate",
                "mediaconvert:TagResource"
            ],
            "Resource": [
                "arn:aws:mediaconvert:us-east-1:[xxxxx]:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::[xxxxx]:role/amplify-[xxxxx]-videoxama-MediaConvertRole-[xxxxx]"
            ],
            "Effect": "Allow"
        }
    ]
}

Note: some specific parts of the policy were replaced by [xxxxx].

My suggestion is that this action should be added to the InputTriggerLambda.template file.

I can submit a PR if this is confirmed as a bug and the solution applies.
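
Added example, not part of the original issue or the amplify-video project: an offline check that evaluates an identity policy shaped like the one above against the action and resource named in the AccessDeniedException, before and after the fix. The account ID is a constructed placeholder, the policy is cut down to a subset of the listed actions, and treating CreateJob plus TagResource as the required set is an assumption drawn from the error message; Condition, NotAction and NotResource are not evaluated.

```python
import re

ACCOUNT = "111122223333"  # constructed placeholder account ID
JOBS_ARN = f"arn:aws:mediaconvert:us-east-1:{ACCOUNT}:jobs/*"  # resource from the error

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny.
    Action names compare case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        hit = (any(wildcard_match(a, action, True) for a in as_list(stmt.get("Action", [])))
               and any(wildcard_match(r, resource) for r in as_list(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def missing_actions(policy, required, resource):
    """Return the required actions the policy does not grant on the resource."""
    return [a for a in required if not is_allowed(policy, a, resource)]

def mediaconvert_policy(actions):
    """Build a one-statement policy with the same Resource pattern as the issue."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": actions,
        "Resource": [f"arn:aws:mediaconvert:us-east-1:{ACCOUNT}:*"]}]}

# Subset of the MediaConvert actions listed in the issue's policy
BASE = ["mediaconvert:CreateJob", "mediaconvert:DescribeEndpoints", "mediaconvert:GetJob"]
# Assumption: submitting a tagged job needs both of these
REQUIRED = ["mediaconvert:CreateJob", "mediaconvert:TagResource"]
BEFORE = mediaconvert_policy(BASE)
AFTER = mediaconvert_policy(BASE + ["mediaconvert:TagResource"])

if __name__ == "__main__":
    print("before fix, missing:", missing_actions(BEFORE, REQUIRED, JOBS_ARN))
    print("after fix, missing: ", missing_actions(AFTER, REQUIRED, JOBS_ARN))
```

Run against the policy JSON produced by a template before deployment, a check like this surfaces the missing grant without waiting for the Lambda to fail in CloudWatch.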

@cm-datrics

Just noticing the same from a fresh amplify video add (amplify cli 9.1.0)
