packages/docs/docs/lambda/without-iam/index.mdx
import {UserPolicy} from '../../../components/lambda/user-permissions.tsx';
As documented on the Permissions page, the default way of using Remotion Lambda involves creating a Remotion user and assigning it policies.
These policies give permission to Lambda to render a video with renderMediaOnLambda(). These credentials are considered long-term, which is less secure, and they are disallowed in some companies.
Additionally, there might be requirements to execute renderMediaOnLambda() on services such as Lambda, EC2, and other computing services where the use of long-term credentials is not an option.
AWS offers the concept of IAM Roles as a solution to the problem above. When a role is assigned to an AWS service, AWS grants it elevated privileges based on the attached policies, and the role is empowered to execute activities such as putting a file into an S3 bucket.
The role is given temporary AWS credentials such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN to generate the video. This approach enhances security as there are no long-term credentials lingering around and the need to keep track of their rotation is eliminated.
The steps below provide authorization for the Lambda function to execute renderMediaOnLambda() without permission issues.
CDK is available here. It gives you an idea of how to call renderMediaOnLambda() inside another Lambda function. The function is triggered by API Gateway. The example assumes that you have knowledge of using CDK; a write-up is also available.
remotion-executionrole-policy. The other fields can be left as they are.
Execution role
Add permissions
remotion-executionrole-policy
Attach policies button.
With the assignment of the policy to the Lambda execution role, it is now empowered to execute the renderMediaOnLambda() API without permission issues.
In the background, when the Lambda function is executed, it is provided with environment variables such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN that carry temporary permission to the AWS resources that renderMediaOnLambda() requires to render the video. The elevated powers come from the policy statements in remotion-executionrole-policy.
:::note
This procedure can also be applied to other AWS compute services such as EC2, Fargate, etc.
:::
Optionally, if you want to move the video to another S3 bucket after it is rendered, the Lambda function also needs permission to do so. The process is similar to the previous steps, but you will need to create a new policy statement that defines the bucket that Lambda needs to transfer the rendered video to.
Use the outName property to select a different bucket. See: Custom output destination
```ts
import {renderMediaOnLambda} from '@remotion/lambda/client';

const {bucketName, renderId} = await renderMediaOnLambda({
  region: 'us-east-1',
  functionName: 'remotion-render-bds9aab',
  composition: 'MyVideo',
  serveUrl: 'https://remotionlambda-qg35eyp1s1.s3.eu-central-1.amazonaws.com/sites/bf2jrbfkw',
  codec: 'h264',
  outName: {
    key: 'my-output',
    bucketName: 'output-bucket',
  },
});
```
In the example above, renderMediaOnLambda() is configured to output the rendered video to the transfer-to-this-bucket-after-render bucket. The following steps allow Lambda to move the file to another bucket.
Execution role
Add permissions
Add a policy statement similar to the one below, which defines the bucket Lambda needs to transfer the rendered video to.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::{bucketname}", "arn:aws:s3:::{bucketname}/*"],
      "Effect": "Allow"
    }
  ]
}
```
{bucketname} with the name of the bucket where you want to move the rendered video to.
Review policy
Save changes
The Lambda function can now move the rendered video to the other bucket when the render process is completed.
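A pre-attach check for the output-bucket policy statement above, as an added example that is not part of the Remotion docs or AWS tooling: it flags an unreplaced {bucketname} placeholder, resources outside the intended bucket, and actions other than s3:PutObject. The function name lintOutputBucketPolicy and the finding codes are assumptions made for this illustration.

```javascript
// Added example: lint the output-bucket policy before attaching it to the execution role.
// lintOutputBucketPolicy and the finding codes are hypothetical names, not Remotion or AWS APIs.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function lintOutputBucketPolicy(policy, expectedBucket) {
  const findings = [];
  const allowed = new Set([
    `arn:aws:s3:::${expectedBucket}`,
    `arn:aws:s3:::${expectedBucket}/*`,
  ]);
  for (const [i, stmt] of asArray(policy.Statement).entries()) {
    if (stmt.Effect !== 'Allow') continue; // only Allow statements grant access
    for (const action of asArray(stmt.Action)) {
      // The page's statement needs only s3:PutObject; anything else (e.g. s3:*) is flagged.
      if (action !== 's3:PutObject') {
        findings.push({statement: i, code: 'UNEXPECTED_ACTION', value: action});
      }
    }
    for (const resource of asArray(stmt.Resource)) {
      if (/[{}]/.test(resource)) {
        findings.push({statement: i, code: 'PLACEHOLDER_NOT_REPLACED', value: resource});
      } else if (!allowed.has(resource)) {
        findings.push({statement: i, code: 'RESOURCE_OUTSIDE_BUCKET', value: resource});
      }
    }
    if (stmt.NotAction || stmt.NotResource) {
      findings.push({statement: i, code: 'NEGATED_ELEMENT', value: 'NotAction/NotResource'});
    }
  }
  return findings;
}

// Constructed sample: the template from this page with the placeholder left in.
const template = {
  Version: '2012-10-17',
  Statement: [{
    Action: ['s3:PutObject'],
    Resource: ['arn:aws:s3:::{bucketname}', 'arn:aws:s3:::{bucketname}/*'],
    Effect: 'Allow',
  }],
};
// Constructed sample: the same statement filled in for the bucket passed in outName.
const filled = JSON.parse(JSON.stringify(template).split('{bucketname}').join('output-bucket'));

console.log(lintOutputBucketPolicy(template, 'output-bucket'));
console.log(lintOutputBucketPolicy(filled, 'output-bucket'));
```

An empty result means every Allow statement grants only s3:PutObject on the named bucket; any finding is a reason to stop before attaching the policy.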