Authorization
To allow the Veridas VSS service to access the Kinesis Video Streams, the client must create an IAM role that can be assumed by the VSS service. This role should grant permissions to read and manage the streams needed for the contact flow sessions.
Go to IAM > Roles, click on Create Role and fill in the following details (fields not detailed below can be left at their default values):
- Trusted entity type: Custom trust policy
- Custom trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "<vss_arn*>" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "<external_id**>" } }
    }
  ]
}
```

- Permission policies: AmazonKinesisVideoStreamsFullAccess
- Role name: veridas_vss_role
Finally, click on Create role.
* vss_arn is the AWS ARN of the IAM user/role that will assume the created role. It must be provided by Veridas.
** external_id is a unique identifier for AWS STS defined by the user. Veridas uses this identifier when assuming the role to prevent the "confused deputy problem" and ensure secure cross-account access. It must be provided when creating a stream in VSS via the API.
veridas_vss_role will be assumed by the Veridas VSS service so that it can access the customer's Kinesis Video Streams resources using AWS STS.
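As an added check (example code, not part of Veridas' documentation or tooling), the following validates that a trust policy document has the shape described above before the role is created: a single Allow statement for sts:AssumeRole, only the Veridas principal, and an sts:ExternalId condition bound to the agreed value. The ARN and external ID are constructed placeholders, not real values.

```python
import json

# Constructed sample values standing in for the ARN and external ID Veridas supplies.
VSS_ARN = "arn:aws:iam::111122223333:role/veridas-vss-example"
EXTERNAL_ID = "example-external-id-0001"


def check_trust_policy(policy_json: str, vss_arn: str, external_id: str) -> list:
    """Return findings for a role trust policy; an empty list means it has the
    expected shape: one Allow statement for sts:AssumeRole, the Veridas
    principal only, and an sts:ExternalId condition bound to the agreed value."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object too
        statements = [statements]
    if len(statements) != 1:
        findings.append(f"expected exactly 1 statement, found {len(statements)}")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            findings.append("statement Effect is not Allow")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRole"]:
            findings.append(f"unexpected Action(s): {actions}")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = [aws] if isinstance(aws, str) else (aws or [])
        if principals != [vss_arn]:
            findings.append(f"Principal must be exactly {vss_arn}, found {principals}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext_id != external_id:
            findings.append("sts:ExternalId does not match the agreed external_id")
    return findings


# Constructed trust policies: the first follows the page, the second drops the
# ExternalId condition and opens the principal to any AWS account.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VSS_ARN}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_trust_policy(policy, VSS_ARN, EXTERNAL_ID) or "OK")
```

The same function can be run against the document returned by `aws iam get-role` after creation to confirm the console saved what was intended.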