AWS S3 Cloud Storage

Processing media in Amazon Simple Storage Service (Amazon S3)

The AWS Simple Storage Service (S3) can be used in media workflows. If your media already resides on S3, you can process it there directly with APIs by providing temporary access credentials to your data.

AWS Simple Storage Service with Pre-Signed URLs

There are a few ways to achieve this in media workflows.

Public File


Using s3:// URLs

We support s3:// style URLs as an input / output parameter. This may be easier for any public media than specifying a regular HTTP URL.

A publicly available URL is accessible with a GET request that is used as an input parameter. You can set this up by following the AWS documentation instructions.

Pre-Signed URLs

A pre-signed URL can be a convenient way to provide a URL containing temporary credentials as a basic string. The Media APIs need to GET the input parameter when reading media and PUT on the output parameter to write media. Therefore, to make a request with pre-signed URLs, you'll need to generate a separate string for each parameter.

Here's some examples for how to do this:

# pip install boto3

import boto3
from botocore.exceptions import ClientError
def create_presigned_url(bucket_name, object_name,
                         operation='get_object', expiration=3600):
    client = boto3.client('s3')
        return client.generate_presigned_url(operation,
                Params={'Bucket': bucket_name, 'Key': object_name},
    except ClientError as e:

# Use the presigned URL as the input parameter to an Media API request
input_url = presign.create_presigned_url('your-bucket-name', 'object/name.mp3')

# Change the operation to put_object for a write-able location
output_url = presign.create_presigned_url('your-bucket-name', 'object/name.enhanced.mp3',
    operation='put_object', expiration=7200)

media_request = {
 'input': input_url,
 'output': output_url
// npm install aws-sdk

const aws = require('aws-sdk');
const s3 = new aws.S3({ signatureVersion: "v4", region: 'us-west-1' });

const bucket_name = 'your-bucket-name';

// Use getObject for a readable location
let input_url = await s3.getSignedUrlPromise('getObject', {
  Bucket: bucket_name,
  Key: 'your-input-object/name.mp4',
  Expires: 3600

// Use putObject for a writeable location
let output_url = await s3.getSignedUrlPromise('putObject', {
  Bucket: bucket_name,
  Key: 'your-output-object/name.enhanced.mp4',
  Expires: 7200  

let media_request = {
  'input': input_url,
  'output': output_url

For further examples, see the AWS S3 Documentation.


Output Expiration Limit

When setting an expiration on a pre-signed URL, you need to allow enough time for the file to complete processing. For longer media files, there may be a delay when a job is queued before processing and it can take up to real-time before a file completes. You should take this into consideration when setting the expiration value of the output URL.

AWS Simple Storage Service with Auth Keys

You can use AWS IAM user credentials to access your media either in-line, or by defining a storage object (examples below). These are the steps to get your IAM user credentials from your AWS account:

  1. Log into your AWS account or create a new account:
  2. Go to the AWS Management Console:
  3. In the upper-left page, click Services, click Security, Identity, & Compliance, and then click IAM.

  1. On the left navigation, click Users, and then click Add users.

  1. In the User name box, enter a user name, click the Access key - Programmatic access check box, and then click Next: Permissions.

  1. In the Set permissions section, click Attach existing policies directly. In the search box, enter s3, and then click the AmazonS3FullAccess check box.

  1. Click Next: Tags. If you prefer, add tags. Click Next: Review.
  2. Verify that you added AmazonS3FullAccess permissions, and then click Create user.

  1. VERY IMPORTANT—This is your only chance to download (or see) the secret access key associated with this user. If you skip this step, you must create a new set of keys.

To download the Access Key ID and Secret Access Key, click Download .csv.

Example usage for In-Line Credentials


In-Line Credentials are currently not supported by the Transcode API. The Transcode API supports AWS S3 Cloud Storage with Auth Keys.

For the input and output parameters, you can specify an in-line object dictionary instead of a single string. When you do, you'll include the URL as a string, but also an auth block where you can identify your access credentials.

  "input": {
    "url": "s3://your-bucket-name/input_file.mp3",
    "auth": {
      "key": "ABCDEIF...ASEOFJHIF",
      "secret": "djkgg39u34i....ogn9gh89w34gh984h",
  "output": {
    "url": "s3://your-bucket-name/output_file.mp3",
    "auth": {
      "key": "ABCDEIF...ASEOFJHIF",
      "secret": "djkgg39u34i....ogn9gh89w34gh984h",