Mandatory config change for Isolation customers

Dear SG Community,
We are writing to inform you about an upcoming update to our Media Isolation feature set, a key component of our Cloud Hosted Platform that ensures stringent security and privacy requirements for your content.

What’s Changing?

Our back-end infrastructure is being upgraded to ensure greater security and reliability for the ShotGrid service. These changes necessitate an update to the AWS IAM Roles, VPCs, and NAT gateways previously utilized by ShotGrid to access content hosted in your S3 bucket.

Who Does This Affect?

This update affects all customers who are currently using the Media Isolation feature. If you are hosting assets and attachments in your own S3 Bucket using Media Isolation, Media Traffic Isolation and / or Media Replication, this update is relevant to you.


The configuration changes need to be applied by October 24th. On October 25th, update to service infrastructure will require this configuration in order to avoid any service interruptions.

What Do You Need to Do?

Ensure your Isolation role trust relationship permits assumeRole access to newly defined AWS Roles for ShotGrid and the ShotGrid Transcoding service.

  1. Identify the IAM Role used by ShotGrid to access your AWS account
  2. Navigate to the Isolation section of your ShotGrid Site Preferences

    *Note this section is only accessible to ShotGrid site administrators
  3. Identify the value for aws_role_arn in your configuration
  4. From the IAM Service within the AWS Console, validate that the trust relationship allows access to the new ShotGrid and ShotGrid Transcoder roles:
    "Version": "2012-10-17",
    "Statement": [
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
            "Action": "sts:AssumeRole"

  1. If you allow restricted access to your bucket by applying the bucket policies described in the Isolation fine tuning instructions, please refer to the updated bucket policy from these instructions to ensure that the new VPC and NAT gateways utilized by ShotGrid and ShotGrid Transcoding service are permitted access to your bucket.

  2. Ensure that your configuration is ready for the switch by initiating a transcode with media containing the string sg_transcoder_migration_test anywhere in the uploaded media’s file name. If the media is transcoded successfully then your site configuration is ready for use in the updated ShotGrid infrastructure.

Why Are We Making This Change?

This infrastructure upgrade is crucial to maintaining the high level of service you expect from ShotGrid. If you have any concerns or questions about the upgrade, please don’t hesitate to reach out to our Support Team. Thank you for your understanding. We apologize for any inconvenience and appreciate your patience as we work to improve your experience.