can we use access by policy to upload recording into s3 LiveKit Community #ask-ai

Join Slack

can we use access by policy to upload recording in...

# ask-ai

big-controller-60015

07/13/2025, 1:35 PM

can we use access by policy to upload recording into s3

tall-airline-16756

07/13/2025, 1:35 PM

Thanks for reaching out, Mohammed. I'm an AI assistant and I'm here to help. Give me a moment while I research this topic.

tall-airline-16756

07/13/2025, 1:36 PM

Yes, you can use access by policy to upload recordings into Amazon S3 with LiveKit. The egress service supports multiple authentication methods for S3 uploads, including: • IAM role assumption (using

assume_role_arn

and optional

assume_role_external_id

), which allows LiveKit to assume a specific IAM role with the necessary S3 permissions • Instance profile/IAM role, by leaving

access_key

and

secret

fields empty in your configuration • Session tokens for temporary credentials You can configure these methods in your S3Upload settings. Note that, for LiveKit Cloud, the assume role functionality is available only on accounts with this feature enabled. This allows secure, policy-based access for your recording uploads without storing long-lived credentials in your application. Let me know if you need specific configuration examples or further details about any of these methods. Sources: auth/grants_test.go | README.md | Session recording and transcripts | LiveKit Docs

big-controller-60015

07/13/2025, 1:37 PM

can you give the code for this, start the egress like this

tall-airline-16756

07/13/2025, 1:38 PM

Hey there! Let me walk you through a cool way to start a LiveKit room recording that uploads straight to S3 using an IAM role. I've got a JavaScript example that'll make this super clear - and don't worry, it's not as complicated as it might look at first glance!

Copy code

import { EgressClient, EncodedFileOutput, S3Upload } from 'livekit-server-sdk';

const egressClient = new EgressClient(
  '<https://your-livekit-host>',
  'your-api-key',
  'your-api-secret'
);

const fileOutput = new EncodedFileOutput({
  filepath: 'recordings/my-room-recording.mp4',
  output: {
    case: 's3',
    value: new S3Upload({
      accessKey: 'your-access-key',        // Base AWS credentials
      secret: 'your-secret-key',           // Base AWS credentials
      assumeRoleArn: 'arn:aws:iam::123456789012:role/EgressRole',
      assumeRoleExternalId: 'unique-external-id', // Optional, for cross-account
      region: 'us-east-1',
      bucket: 'your-bucket-name',
    }),
  },
});

const info = await egressClient.startRoomCompositeEgress(
  'room-name',
  {
    fileOutputs: [fileOutput],
  },
  {
    layout: 'speaker',
  }
);

Quick tips to keep in mind: • Make sure you've got those

accessKey

and

secret

handy - they're your ticket to calling the AWS AssumeRole API. • Double-check that

assumeRoleArn

is the full ARN of the IAM role with S3 upload permissions. • The

assumeRoleExternalId

is optional, but it's like an extra security blanket for cross-account setups. • Just a heads up - this feature is only available if it's enabled on your LiveKit cloud account. Need help with Python, Ruby, or want to customize this further? Just give me a shout, and I'll be happy to help! Sources: livekit/livekit_egress.pb.go

3 Views

Open in Slack

Previous Next