Valid for Curator 3.3
Curator requires an “ipvservice” IAM account which has full access to the following AWS services:
S3 buckets
Transcribe
Rekognition
SQS
Translate
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:*",
        "translate:*",
        "s3:*",
        "transcribe:*",
        "rekognition:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Next, Curator requires an “ipvcc” IAM account for Curator Connect which has the following access on the hi-res bucket:
s3:PutObject
s3:GetObject
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::curator-hires-bucket/Curator Connect/*"
      ],
      "Effect": "Allow"
    }
  ]
}
Curator also requires an IAM account called “ipvadmin”, which is used for remote access and works together with the EC2 role listed next.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:StartSession",
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/myinstanceid",
        "arn:aws:ec2:*:*:instance/myinstanceid",
        "arn:aws:ssm:*:*:session/${aws:username}-*",
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"
      ],
      "Effect": "Allow"
    }
  ]
}
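To see what each of the three policies above actually permits, the following Python script is an added example (not part of the Curator documentation or of any IPV tool). It embeds the page's policies as constructed test input, evaluates single action/resource requests against them with IAM-style wildcard matching and `${aws:username}` expansion, and lists the service-wide grants on `Resource: "*"` that a least-privilege review would flag first. The ARNs, region, account id and usernames in the checks are constructed placeholders; the evaluator is deliberately simplified (Effect/Action/Resource only, no Condition, NotAction, NotResource, SCPs or resource policies), so it illustrates how the scoping in these documents works rather than replacing the IAM policy simulator.

```python
import json
import re

# The three IAM policies from this page, embedded as constructed test input
# (the ipvadmin policy's duplicated instance ARN is collapsed to one entry).
IPVSERVICE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["sqs:*", "translate:*", "s3:*", "transcribe:*", "rekognition:*"],
    "Effect": "Allow",
    "Resource": "*"
  }]
}""")

IPVCC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::curator-hires-bucket/Curator Connect/*"],
    "Effect": "Allow"
  }]
}""")

IPVADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ssm:StartSession", "ssm:TerminateSession", "ssm:ResumeSession"],
    "Resource": [
      "arn:aws:ec2:*:*:instance/myinstanceid",
      "arn:aws:ssm:*:*:session/${aws:username}-*",
      "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"
    ],
    "Effect": "Allow"
  }]
}""")


def _as_list(value):
    # IAM accepts a single string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def _substitute(arn, context):
    # Expand policy variables such as ${aws:username} from the request context.
    # Unknown variables stay literal, so they never match a real ARN.
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), arn)


def _match(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource, context=None):
    """Simplified identity-policy evaluation for one action/resource pair.
    Handles Effect/Action/Resource only (no Condition, NotAction, NotResource,
    SCPs or resource policies). An explicit Deny wins; the default is deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        action_hit = any(_match(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_match(_substitute(r, context), resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def broad_grants(policy):
    """Return the service-wide actions ('svc:*' or '*') that an Allow statement
    grants on Resource '*': the first thing a least-privilege review looks for."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.extend(a for a in _as_list(stmt.get("Action", []))
                     if a == "*" or a.endswith(":*"))
    return found


if __name__ == "__main__":
    # Constructed object key under the hi-res bucket's Curator Connect prefix.
    clip = "arn:aws:s3:::curator-hires-bucket/Curator Connect/clip.mxf"
    print("ipvcc PutObject in Curator Connect prefix:", is_allowed(IPVCC_POLICY, "s3:PutObject", clip))
    print("ipvcc DeleteObject in same prefix:", is_allowed(IPVCC_POLICY, "s3:DeleteObject", clip))
    print("ipvservice service-wide grants on '*':", broad_grants(IPVSERVICE_POLICY))
```

The checks show the shape of each grant: ipvcc can read and write only under `Curator Connect/` in the hi-res bucket and cannot delete there; ipvadmin can only start sessions whose name begins with the caller's own IAM username, and only against the instance id written into the policy; ipvservice, by contrast, can perform every S3, SQS, Transcribe, Translate and Rekognition action on every resource in the account, which is what `broad_grants` reports.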
With regard to EC2 roles, we attach the following AWS managed policy to the instance role to allow SSM access to the servers:
AmazonSSMManagedInstanceCore
For the streaming and bucket permissions, these details are laid out in the documentation included with the release notes for each Curator release.
There is also a guide available here: https://help.ipv.com/en_US/aws/1149795-setup-guide-for-secure-proxy-streaming-from-aws-s3