Using Zencoder with S3

Zencoder can upload and download files from your Amazon S3 bucket. For Zencoder to download files, they either need to be accessible by Everyone, or a bucket policy needs to be added to your bucket that will grant Zencoder access, or you must save credentials to your account for accessing the bucket.

Introduction

Zencoder can upload and download files from your Amazon S3 bucket. For Zencoder to download files, they either need to be accessible by Everyone, or a bucket policy needs to be added to your bucket that will grant Zencoder access, or you must save credentials to your account for accessing the bucket.

Use credentials

You can save credentials to your account, which will allow us to use your account to upload files instead of ours. This means your account is the owner of the file, with full rights and privileges over it. You can set credentials to be the default for all uploads and downloads or reference them with each request, but keep in mind that if you set them as the default for S3, they will be used for ALL S3 uploads and downloads. Generally this isn't a problem, but if later you'd like to upload to a third party's bucket, this can cause issues.

Use a bucket policy

Another option is to use a bucket policy, which lets you set permissions on all of the files in your bucket. To get started, visit AWS Console. Select your bucket on the left side of the screen, then click "properties". On the last row click "Add bucket policy". We'll put a Bucket Policy together below, which you'll copy in to the Bucket Policy text box.

Our recommended bucket policy:

 {
"Version": "2012-10-17",
"Id": "ZencoderBucketPolicy",
"Statement": [
  {
      "Sid": "Stmt1295042087538",
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws:iam::395540211253:root"
      },
      "Action": [
      "s3:GetObjectAcl",
      "s3:GetObject",
      "s3:PutObjectAcl",
      "s3:PutObject",
      "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::MY-BUCKET/*"
  },
  {
      "Sid": "Stmt1295042087538",
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws:iam::395540211253:root"
      },
      "Action": [
      "s3:ListBucketMultipartUploads",
      "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MY-BUCKET"
  }
]
}

There is only one change you will have to make to this bucket policy before it's ready to go.

  1. Replace MY-BUCKET with the name of your bucket. Leave the /* at the end of the line, as that will apply the policy to every file within the bucket.
  2. Optionally, replace the Action array with the actions you want to allow. Valid actions that Zencoder may need are:

    Object Permissions - first action array in the example above

    • s3:PutObject - allow Zencoder to upload files to the bucket
    • s3:GetObject - allow Zencoder to download files from the bucket
    • s3:GetObjectAcl - allow Zencoder to get ACL permissions for files
    • s3:PutObjectAcl - allow Zencoder to set ACL permissions for other users on files
    • s3:ListMultipartUploadParts - allow Zencoder to list which parts of a multipart file have been uploaded to the bucket

    Bucket Permissions - second action array in the example above

    • s3:GetBucketLocation - allow Zencoder to get the location of the bucket (US, EU, Asia, etc.)
    • s3:ListBucketMultipartUploads - allow Zencoder to view any multipart uploads currently happening on the bucket

      ex: If you want Zencoder to be able to download and upload files, replace the first Action array with:

      ["s3:PutObject", "s3:GetObject"]

Note that there are two statements in the policy. The first statement affects keys within the bucket, while the second part affects the bucket itself.

The rest of the policy can be left alone and it will work fine. Amazon's documentation contains more information about the elements of a Bucket Policy.

Zencoder can also set ACL permissions on the videos and thumbnails that we create for you. This is documented in our S3 API docs.

Note: When using a bucket policy you should always use URLs in the s3://BUCKET/KEY format so that Zencoder is sure to identify them as S3 URLs and sign the request appropriately.

If you'd like to build your own Bucket Policy, you can use Amazon's Policy Generator. Use arn:aws:iam::395540211253:root as the AWS Principal to allow Zencoder access.

Specific files

Can I Just Grant Permission To Specific Files?

You definitely can. While the Bucket Policy approach is generally easier and faster, it doesn't work well for everyone. If that's you, you can grant permissions to our Amazon AWS account, aws@zencoder.com.

If you need to use our canonical ID instead, you can use 6c8583d84664a381db0c6af0e79b285ede571885fbe768e7ea50e5d3760597dd.

Troubleshooting

I'm getting permission denied still!

S3 responds with "Access Denied" if access is denied or if the file isn't found. If you believe you've set up your S3 credentials or bucket policy correctly but are still getting "Access Denied" errors, double check the URL you're submitting. If the input looks like "s3://my-bucket/this+file+is+great.mp4", there's a good chance what you actually want is "s3://my-bucket/this file is great.mp4"

I get an error when using the EU Frankfurt region!

In order to use the EU Frankfurt region with Zencoder, you must generate S3 URLs that contain the region name. To do this, simply create URLs like this "s3+eu-central-1://my-bucket/file.mp4".