Hello, I would like to use AWS IAM role instead of...
# ask-ai
r
Hello, I would like to use an AWS IAM role instead of access and secret keys for uploads to S3 from LiveKit Cloud. How can I achieve this?
t
Thanks for reaching out, Srinath. I'm an AI assistant and I'm here to help. Give me a moment while I research this topic.
Hey there! You can totally use AWS IAM roles for S3 uploads in LiveKit Cloud by taking advantage of the AssumeRole functionality in the egress service. Let me walk you through how to set it up:
Per-Request Configuration:
const output = new EncodedFileOutput({
  fileType: EncodedFileType.MP4,
  filepath: 'my-recording.mp4',
  output: {
    case: 's3',
    value: new S3Upload({
      accessKey: 'your-access-key',        // Needed for the AssumeRole call
      secret: 'your-secret-key',           // Needed for the AssumeRole call
      assumeRoleArn: 'arn:aws:iam::123456789012:role/LiveKitEgressRole',
      assumeRoleExternalId: 'optional-external-id',
      region: 'us-west-2',
      bucket: 'my-bucket',
    }),
  },
});
Server-Side Configuration:
s3_assume_role_key: "your-access-key"
s3_assume_role_secret: "your-secret-key"  
s3_assume_role_arn: "arn:aws:iam::123456789012:role/LiveKitEgressRole"
s3_assume_role_external_id: "optional-external-id"
Once you set this up server-side, the service will automatically use these credentials to assume the role whenever you include an assume_role_arn in your request. Pretty handy, right? Just a heads up: This feature needs to be enabled on your LiveKit Cloud account. If it’s not, you might run into an error. So, it’s a good idea to double-check that it’s active for you. Sources: auth/grants_test.go | README.md | s3.go
r
Is there an AWS user/role from LiveKit Cloud that I can use for granting the access to S3 bucket?
t
Hey! Just a heads up—LiveKit Cloud doesn’t come with a specific AWS user or role for accessing your S3 bucket. But no worries! You can create your own IAM role in AWS and then pop its ARN into your LiveKit egress settings using the assume_role_arn field. This way, LiveKit can step in and access your S3 bucket smoothly. If you’d like a hand setting up the IAM role or tweaking those egress settings, just give me a shout—I’m here to help! Sources: Infrastructure & Deployment | livekit/livekit_composite | DeepWiki | livekit/livekit_egress.pb.go | cmd/lk/examples/auto-track-egress.json
r
Actually I don't want to use any access/secret keys due to security concerns. Is it possible to create a trust policy with the LiveKit Cloud account?
t
Hey there! You can skip using access/secret keys by creating a trust policy with your AWS IAM role. LiveKit Cloud makes things easier by supporting role-based authentication through the AssumeRole feature. Here’s a simple way to get started:
1. Create an IAM role in your AWS account with the S3 permissions you need.
2. Set up a trust policy for that role so LiveKit Cloud can assume it. This means adding LiveKit Cloud as a trusted entity in the role's trust relationship.
3. In your LiveKit egress settings, use the assume_role_arn of the IAM role instead of access keys.
Just a heads up: this feature needs to be enabled on your LiveKit Cloud account. Let me know if it’s active, and I’ll happily walk you through setting up the trust policy! Sources: livekit/livekit_egress.pb.go | config.go
r
How do I enable the feature in LiveKit Cloud account?
t
Hey there! To use the AssumeRole feature for S3 access, it needs to be turned on for your LiveKit Cloud account by our support team. Could you please get in touch with your LiveKit account rep or our support folks to ask for this feature to be activated? Once it’s all set up, you’ll be able to configure the IAM role and trust policy for secure S3 access—no need to mess with access or secret keys. If you want, I’m here to help you through the setup whenever you’re ready!
r
Sure. How should I proceed once the AssumeRole feature is enabled for S3 access?
t
Once you’ve enabled the AssumeRole feature for S3 access, here’s a simple way to get it all set up:
1. Create an IAM Role: Head over to your AWS account and create an IAM role with the right S3 permissions—like read/write access to your bucket.
2. Set Up a Trust Policy: Next, you’ll want to configure the trust relationship for that IAM role so LiveKit Cloud can assume it. This means adding LiveKit Cloud as a trusted entity in the role’s trust policy.
3. Configure Egress Settings: Finally, update your LiveKit egress configuration to include the assume_role_arn of your IAM role.
Here’s an example:
{
  "s3": {
    "assume_role_arn": "arn:aws:iam::123456789012:role/YourRoleName",
    "assume_role_external_id": "your-external-id",
    "bucket": "your-bucket-name",
    "region": "your-region"
  }
}
If you want a hand with any of these steps or need a bit more detail on setting up the trust policy, just let me know—I’m here to help!
r
@mysterious-artist-97770 FYI
t
Thanks so much for the update! Just give me a shout if you or your team need any help with the setup or have any other questions—I’m here for you.
m
Hello! Please provide an example in Python of how to configure the LK egress configuration.
t
Here’s a friendly example in Python to help you set up LiveKit egress with AssumeRole for uploading to S3:
from livekit import api
from livekit.protocol import egress

# Create the egress client
egress_client = api.EgressService(
    host="your-livekit-host",
    api_key="your-api-key",
    api_secret="your-api-secret"
)

# Configure S3 upload with AssumeRole
s3_upload = egress.S3Upload(
    access_key="your-access-key",           # This is used to make the AssumeRole API call
    secret="your-secret-key",               # This is also for the AssumeRole API call
    assume_role_arn="arn:aws:iam::123456789012:role/EgressUploadRole",  # The ARN of the role you want to assume
    assume_role_external_id="your-external-id",  # Optional: adds extra security with ExternalID
    region="us-west-2",
    bucket="your-destination-bucket"
)

# Set up the file output with S3 upload
file_output = egress.EncodedFileOutput(
    file_type=egress.EncodedFileType.MP4,
    filepath="recordings/{room_name}-{time}.mp4",
    s3=s3_upload
)

# Start the room composite egress
request = egress.RoomCompositeEgressRequest(
    room_name="your-room-name",
    file_outputs=[file_output]
)

# Send off the egress request
response = egress_client.start_room_composite_egress(request)
print(f"Egress started with ID: {response.egress_id}")
If you want me to walk you through any part of this or need examples for other egress types, just let me know—I’m here to help! Sources: egress/redact.go | livekit-protocol/livekit/protocol/egress.pyi | README.md
m
It looks like S3 access keys and secrets are still required here even when assumeRole is being used?
t
Hey! Just to clarify, the S3 access keys and secrets are needed specifically for making the AssumeRole API call. They’re not used for direct S3 access, but LiveKit needs them to assume the IAM role you’ve set up. After that, LiveKit uses the temporary credentials from that role for any S3 operations. If you’d prefer to skip using access keys and secrets altogether, you can set up the IAM role’s trust policy to let LiveKit Cloud assume the role directly. For this, you’ll need to enable the AssumeRole feature on your LiveKit Cloud account and configure the trust relationship in AWS. If you want, I’m here to help you with setting up the trust policy or anything else related to this. Just let me know!
r
I have already set up the IAM role’s trust policy to let LiveKit Cloud assume the role directly. Can you give me the example Python code after this setup?
t
If you’ve already set up the IAM role’s trust policy to let LiveKit Cloud assume the role directly, you can skip adding the access keys and secrets in your configuration. Here’s an updated Python example to make things easier:
from livekit import api
from livekit.protocol import egress

# Create the egress client
egress_client = api.EgressService(
    host="your-livekit-host",
    api_key="your-api-key",
    api_secret="your-api-secret"
)

# Configure S3 upload with AssumeRole (no access keys or secrets needed)
s3_upload = egress.S3Upload(
    assume_role_arn="arn:aws:iam::123456789012:role/EgressUploadRole",  # ARN of the role to assume
    assume_role_external_id="your-external-id",  # Optional: ExternalID for extra security
    region="us-west-2",
    bucket="your-destination-bucket"
)

# Set up the file output with S3 upload
file_output = egress.EncodedFileOutput(
    file_type=egress.EncodedFileType.MP4,
    filepath="recordings/{room_name}-{time}.mp4",
    s3=s3_upload
)

# Start room composite egress
request = egress.RoomCompositeEgressRequest(
    room_name="your-room-name",
    file_outputs=[file_output]
)

# Submit the egress request
response = egress_client.start_room_composite_egress(request)
print(f"Egress started with ID: {response.egress_id}")
With this setup, LiveKit Cloud will handle assuming the IAM role directly using the trust policy, so you don’t have to worry about managing access keys and secrets. If you have any questions or need a hand with anything else, just let me know!
m
I'm getting this error: Failed to start egress: module 'livekit.api' has no attribute 'EgressService'. What version of livekit do I need for this feature?
t
Good news! The EgressService feature is included in the LiveKit Python SDK. To make sure everything works smoothly, please update to the latest version of the SDK by running:
pip install "livekit-api>=1.0.5"
If you run into any problems after updating, just give me a shout—I’m here to help you troubleshoot or guide you through the setup. Sources: livekit-rtc/livekit/rtc/version.py | Egress API | LiveKit Docs
m
I'm running livekit-api 1.0.5 but I get this error: "Failed to start egress: module 'livekit.api' has no attribute 'EgressService'"
t
Hey there! The error happens because EgressService isn’t directly accessible as livekit.api.EgressService. Instead, you’ll want to use it through the LiveKitAPI class. Here’s how you can do it:
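import asyncio

from livekit.api import LiveKitAPI


async def start_egress(request):
    # Initialize the API client inside the coroutine
    lkapi = LiveKitAPI(
        url="your-livekit-url",
        api_key="your-api-key",
        api_secret="your-api-secret",
    )
    try:
        # Access egress methods (they are coroutines, so they must be awaited)
        return await lkapi.egress.start_room_composite_egress(request)
    finally:
        # Close the client's underlying HTTP session
        await lkapi.aclose()


# `request` is the RoomCompositeEgressRequest built as in the earlier example
egress_info = asyncio.run(start_egress(request))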
If you have any questions or need a hand with this setup, just give me a shout! Sources: livekit-api/livekit/api/py.typed