Mandatory configuration change for Isolation customers required by January 15th 2025

Dear FPTR Community,
We are writing to inform you about an upcoming update to our Media Isolation feature set, a key component of our Cloud Hosted Platform that ensures stringent security and privacy requirements for your content.

What’s Changing?

Our back-end infrastructure is being upgraded to ensure greater security and reliability for the Flow Production Tracking service. These changes necessitate an update to the AWS IAM Roles previously utilized by Flow Production Tracking to access content hosted in your S3 bucket.

Who Does This Affect?

This update affects all customers who are currently using the Media Isolation feature. If you are hosting assets and attachments in your own S3 Bucket using Media Isolation, Media Traffic Isolation and / or Media Replication, this update is relevant to you.

When?

The configuration changes need to be applied by January 15th 2025. On January 16th 2025, an update to the service infrastructure will require this configuration to be in place in order to avoid any service interruptions.

What Do You Need to Do?

Ensure your Isolation role trust relationship permits assumeRole access to newly defined AWS Roles for Flow Production Tracking and the Flow Production Tracking Transcoding service.

  1. Identify the IAM Role used by Flow Production Tracking to access your AWS account

  2. Navigate to the Isolation section of your Flow Production Tracking Site Preferences

    *Note: this section is only accessible to Flow Production Tracking site administrators.

  3. Identify the value for aws_role_arn in your configuration

  4. From the IAM Service within the AWS Console, validate that the trust relationship allows access to the new Flow Production Tracking and Flow Production Tracking Transcoder roles:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::150697717911:role/cos_ctr_shotgun-p-ue1-db",                
                    "arn:aws:iam::150697717911:role/cos_ctr_shotgun-p-ue1-wa",                    
                    "arn:aws:iam::150697717911:role/cos_ctr_shotgun-p-ue1-sa",                    
                    "arn:aws:iam::150697717911:role/cos_ctr_shotgun-p-ue1-sd",                   
                    "arn:aws:iam::150697717911:role/shotgun-batch-prd-activity-worker-job-ctr",
                    "arn:aws:iam::882022952826:role/cos_ctr_shotts-p-ue1",
                    "arn:aws:iam::882022952826:role/cos-batch_shotts-p-ue1",                    
                    "arn:aws:iam::882022952826:role/shotts-batch-prd-shotts-worker-ctr"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
} 

  5. If you allow restricted access to your bucket by applying the bucket policies described in the Isolation fine tuning instructions, please refer to the updated bucket policy from these instructions to ensure that the new VPC and NAT gateways utilized by Flow Production Tracking and Flow Production Tracking Transcoding service are permitted access to your bucket.

  6. Ensure that your configuration is ready for the switch by initiating a transcode with media containing the string sg_transcode_with_shotts_batch anywhere in the uploaded media’s file name. If the media is transcoded successfully then your site configuration is ready for use in the updated Flow Production Tracking infrastructure.
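The trust-relationship check in the steps above can also be scripted rather than read by eye in the console. The following is an added example, not Autodesk's own tooling: it reports which of the role ARNs listed in this announcement are still missing from a trust policy document. The function names and the sample policy are constructed for illustration.

```python
import json, sys

# Role ARNs the announcement says the trust relationship must allow.
REQUIRED = {
    "arn:aws:iam::150697717911:role/cos_ctr_shotgun-p-ue1-db",
    "arn:aws:iam::150697717911:role/cos_ctr_shotgun-p-ue1-wa",
    "arn:aws:iam::150697717911:role/cos_ctr_shotgun-p-ue1-sa",
    "arn:aws:iam::150697717911:role/cos_ctr_shotgun-p-ue1-sd",
    "arn:aws:iam::150697717911:role/shotgun-batch-prd-activity-worker-job-ctr",
    "arn:aws:iam::882022952826:role/cos_ctr_shotts-p-ue1",
    "arn:aws:iam::882022952826:role/cos-batch_shotts-p-ue1",
    "arn:aws:iam::882022952826:role/shotts-batch-prd-shotts-worker-ctr",
}

def _as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Principal.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allowed_principals(trust_policy):
    """AWS principals granted sts:AssumeRole by Allow statements (Conditions are not evaluated)."""
    allowed = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            allowed.update(_as_list(principal.get("AWS")))
    return allowed

def missing_roles(trust_policy):
    """Required role ARNs that the trust policy does not yet allow, sorted."""
    return sorted(REQUIRED - allowed_principals(trust_policy))

# Constructed sample: a trust policy that was only partly updated.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": sorted(a for a in REQUIRED if ":150697717911:" in a)}},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Principal": {"AWS": "arn:aws:iam::882022952826:role/cos_ctr_shotts-p-ue1"}},
]}

if __name__ == "__main__":
    # Pass "-" to read a trust policy document from stdin instead of the sample.
    policy = json.load(sys.stdin) if "-" in sys.argv[1:] else SAMPLE
    for arn in missing_roles(policy):
        print("missing from trust policy:", arn)
```

To check a live role, pipe the output of `aws iam get-role --role-name <your-isolation-role> --query Role.AssumeRolePolicyDocument` into the script with the `-` argument, where the role name is the one behind your aws_role_arn value.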

Why Are We Making This Change?

This infrastructure upgrade is crucial to maintaining the high level of service you expect from Flow Production Tracking. If you have any concerns or questions about the upgrade, please don’t hesitate to reach out to our Support Team. Thank you for your understanding. We apologize for any inconvenience and appreciate your patience as we work to improve your experience.
