Using Amazon S3 for Secure Content Storage

This step-by-step walk-through will guide you through the process of using Amazon S3 (Simple Storage Service) to securely store your Roku video content. The video stream URLs generated using this walk-through are cryptographically signed, have built-in expiration dates, and will only function within your channel installed on a Roku player.

If your Instant TV Channel account contains multiple channels, the S3 Content bucket created in this walk-through can be used to store the video files for all of the channels in your account. You can create a folder structure within the S3 bucket to organize your videos by category, by channel, or any other criteria.

Do not use the method described in this walk-through for storing poster artwork, as it will greatly increase the time it takes for your Roku channel to load the menu images, particularly in large horizontal lists or grids. Please follow this walk-through to use Amazon S3 to store your poster images.

The following steps are only necessary if you wish to secure your content files so that they can only be accessed via your Roku channel and not via a web browser or other playback device. If your content is publicly accessible via regular http:// or https:// URLs, then you can skip this walk-through.

Please follow this walk-through to use Amazon S3 to store your video files using regular http:// or https:// URLs instead of using secure URLs.

Create an S3 "bucket" to store Roku Content

  1. Log into your AWS (Amazon Web Services) account and go to the S3 section of your AWS control panel.
  2. Click the Create Bucket button.
  3. Provide a Bucket Name, for example "my-content-bucket".

    Very Important: Use only lower-case characters, digits, and dashes in your bucket name. Instant TV Channel does not support the use of upper-case characters or other symbols in bucket names.

    Good Bucket Name: test-bucket
    Good Bucket Name: bucket123
    Bad Bucket Name: test.bucket (contains unsupported period character ".")
    Bad Bucket Name: bucket+123 (contains unsupported plus character "+")
    Bad Bucket Name: Test-Bucket (contains upper-case characters "T" and "B")
  4. The bucket Region must be set to "US East (N. Virginia)".
  5. Click the Create button, do not click the Next button.

At this point your new S3 bucket is ready to store content files.

The default ACL (Access Control List) on your new bucket is "Private", meaning that a pair of AWS keys is required to access the bucket content. The bucket cannot be accessed using a plain http:// or https:// URL. This is usually the correct setting for a Content bucket, as it prevents content from being copied out of the bucket without your permission.

You can upload files to the new bucket by clicking the Upload button in the S3 control panel. For now, we will continue on with the creation of your AWS IAM Content user, but you can return to the AWS S3 control panel at any time to add new content.

Shortcut for S3 Bucket Keys

If your Amazon AWS account is used exclusively for your Roku channel you may wish to consider using your root account access keys instead of using the IAM Content user and keys described below.

Your Amazon AWS root account access keys provide access to all portions of your Amazon AWS account, whereas the IAM keys limit access to a specific S3 bucket or buckets within your AWS account.

To create a new Amazon AWS root account access key pair:
  1. Browse to the Amazon AWS website at http://aws.amazon.com.
  2. From the My Account/Console drop-down list in the upper right-hand corner of the page, select My Security Credentials. If you are already logged in, the drop-down list may display your Amazon login ID instead of My Account/Console.
  3. If prompted to do so, enter your Amazon AWS email address and password. You may also need to click a Continue to Security Credentials button.
  4. Click on the plus (+) symbol next to the Access Keys link.
  5. Click on the Create New Access Key button.
  6. Click on the Download Key File button, and save the key file on your computer.
  7. DO NOT click the Close button until after you have verified that the save key file can be opened and viewed.
  8. The key file contents will look like this:
    AWSAccessKeyId=AKIAJQCQXH6EPMJ2LMSR
    AWSSecretKey=7a8JQnwVf2xxLzjsR73SM7BxSMGakS/lQazrg9YA
    

    Your root account Access Key Id starts with the letters AKIA... and is 20 characters long.

    Your root account Secret Access Key is 40 characters long.

  9. After you have verified that you can view the key file, click the Close button on the Amazon Security Credentials page.
  10. Skip over the Create an IAM User section of this walk-through and continue at the Copy the Content Keys to your Channel section. Use your root account keys instead of the IAM user's keys.

Create an IAM User to Access the Content Bucket

Although you can use your AWS root account keys to access any S3 bucket that you create, you may feel more comfortable providing Instant TV Channel with keys that only grant access to the Content bucket. If you want to allow Instant TV Channel to use your AWS root account keys to access your Content bucket, you can skip this section and rejoin at Copy the Content Keys to your Channel below.

  1. Go to the IAM (Identity and Access Management) section of your AWS control panel.
  2. Click the Policies link on the left side of the page.
  3. Click the Create policy button near the top of the page.
  4. Click the JSON tab, and erase the sample lines of JSON text.
  5. Copy the security policy below and paste it into the JSON text box. Replace the two instances of
    my-content-bucket
    in the policy with the name of the bucket that you just created. This security policy allows files in the Content bucket to be read, but not created, modified, or deleted.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::my-content-bucket",
            "arn:aws:s3:::my-content-bucket/*"
          ]
        }
      ]
    }
  6. Click the Review policy button near the bottom of the page. An error message will be displayed if there are any errors in the JSON text. After correcting the errors, click the Review policy button again.
  7. Provide a Policy Name, for example "my-rw-config-policy" ("rw" stands for read-write).
  8. Click the Create Policy button near the bottom of the page.
  9. Click the Groups link on the left side of the page.
  10. Click the Create New Group button near the top of the page.
  11. Provide a group name, for example "my-content-group", then click the Next Step button near the bottom of the page.
  12. The "Attach Policy" page is displayed. Scroll down the list of policies until the "my-rw-config-policy" policy that you just created is visible, or type the name of your newly created policy in the "Filter" box. You may need to scroll through a large number of built-in AWS policies until your policy is visible.
  13. Click the check-box to the left of your policy name, making sure that no other check-boxes are checked, then click the Next Step button near the bottom of the page.
  14. Click the Create Group button near the bottom of the page.
  15. Click the Users link on the left side of the page.
  16. Click the Add User button near the top of the page.
  17. Enter a new user name, for example "my-content-user".
  18. Select an Access type of "Programmatic access".
  19. Click the Next: Permissions button near the bottom of the page.
  20. Click the check-box to the left of the previously created Group name, then click the Next: Review button near the bottom of the page.
  21. Click the Create user button near the bottom of the page.
  22. Click the Show link beneath "Secret access key" or click the Download .csv button to copy and save the Access Key ID and Secret Access Key. These keys will be used exclusively for read-only access to your Content bucket. They cannot be used to write or change the Content bucket, nor can they access any other AWS buckets or services. Make sure that you save the keys for future use, Amazon will not display them again. If you misplace the keys you will have to create a new IAM user.
  23. After copying the Security Credentials, click the Close button near the bottom of the page.

    At this point we have a new IAM user that is a member of a new IAM group - the user has the keys and the group has the security policy. This will allow the keys to be used in the Roku channel to access the S3 bucket specified by the security policy.

Copy the Content Keys to your Channel

  1. Sign into Instant TV Channel and select the channel that you want to configure for S3.
  2. Go to the channel's Keys & CDNs page.
  3. Under AWS S3 Content Storage, copy the new IAM user's Access Key ID into the Access Key ID box.
  4. Copy the new IAM user's Secret Access Key into the Secret Access Key box.
  5. The Expiration Time is the amount of time that a content item's S3 URL is valid for, after that time expires the URL stops working. It should usually be greater than your longest content length. If you are unsure, set it to 1440 minutes (1 day).

Add S3 Content to your Channel

Video content is added to your Roku channel using the Content Editor.

If you created an S3 bucket named "my-content-bucket" and put a video content file named "video.mp4" into it, then the URL that would be used in Instant TV Channel to reference your content is: s3://my-content-bucket/video.mp4

The above URL is only accessible within a channel created using Instant TV Channel. For information about using an Amazon S3 bucket to contain publicly accessible streams that are accessible using a standard web browser please see this walk-through.
 
For a walk-through covering how to build a Roku channel using Instant TV Channel, please see this article.

Comments or questions about this Roku developer walk-through can be emailed to .

Instant TV Channel is a cloud-based tool for Roku developers and content providers that shortens development time and eases maintenance after deployment.



Access Code: GRID3
Check out Instant TV Channel by adding our demonstration channel to your Roku player, or watch the YouTube video.

Need help with your Roku?

We are unable to provide technical support for your Roku device.

Please visit www.roku.com for assistance.



Instant TV Channel is not affiliated with nor endorsed by Roku Inc.