SightCall has two steps for Media Endpoint Creation via the SightCall Admin Portal, requiring two different permissions:
1. Media Endpoint Validation
SightCall uses ListAllMyBuckets to test whether the secret/key provided is valid before allowing the Media Endpoint to be added in the SightCall Admin Portal. If this permission is not provided, the validation fails and the Media Endpoint cannot be created via the Admin Portal.
Here, only the ListAllMyBuckets permission is needed:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
This permission is needed to successfully create the Media Endpoint within SightCall. The validation process only needs to happen once, when adding the Media Endpoint to SightCall.
2. Media Endpoint File Push
Here, only the PutObject permission is needed, and it can be restricted to a particular bucket/object, e.g. with the test bucket “sightcalltestbucket”:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::sightcalltestbucket/*"
        }
    ]
}
This permission is needed to successfully send files to the bucket. It is always required.
Summary
So, in order to add an S3 bucket as a Media Endpoint, you have two options:
- Allow both ListAllMyBuckets and PutObject, so that both Validation and File Push succeed.
- Allow ListAllMyBuckets and PutObject to pass validation, and then, once this endpoint has been added to SightCall, immediately remove the ListAllMyBuckets permission. Keeping the PutObject permission will still allow SightCall to send media to the S3 bucket.
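A way to confirm that the second option was carried out, as an added example that is not SightCall or AWS code: the script reads an IAM policy document and reports which of the two steps above it allows and whether it grants more than they need. The names `audit_policy` and `ready_for_steady_state` and the bucket `unrelated-bucket` are made up for this example, and only Allow statements are read.

```python
import fnmatch
import json

VALIDATION = "s3:listallmybuckets"  # needed once, when the endpoint is added
PUSH = "s3:putobject"               # needed for every file push

# The File Push policy from this page, compacted onto one line.
PAGE_PUSH_POLICY = ('{"Version":"2012-10-17","Statement":[{"Sid":"VisualEditor0",'
                    '"Effect":"Allow","Action":"s3:PutObject",'
                    '"Resource":"arn:aws:s3:::sightcalltestbucket/*"}]}')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _hit(patterns, value):
    # IAM "*" and "?" wildcards behave like fnmatch for the names used here.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def audit_policy(policy_json, bucket):
    """Report which steps a policy allows and where it is broader than needed.

    Simplification: Deny, NotAction and Condition are not evaluated.
    """
    probe = f"arn:aws:s3:::{bucket}/probe-object"           # object in our bucket
    foreign = "arn:aws:s3:::unrelated-bucket/probe-object"  # constructed name
    result = {"validation": False, "file_push": False, "findings": []}
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if _hit(actions, VALIDATION):
            result["validation"] = True
        if _hit(actions, PUSH):
            if _hit(resources, probe):
                result["file_push"] = True
            if _hit(resources, foreign):
                result["findings"].append("PutObject is not limited to " + bucket)
        for action in actions:
            if action not in (VALIDATION, PUSH):
                result["findings"].append("action beyond the two required: " + action)
    return result


def ready_for_steady_state(result):
    # After the endpoint exists, the second option keeps only PutObject.
    return result["file_push"] and not result["validation"] and not result["findings"]
```

Feed it the policy currently attached to the SightCall key (for example, the JSON shown in the IAM console) together with the bucket name.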