Using Amazon S3 for Secure Content Storage

This step-by-step walk-through will guide you through the process of using Amazon S3 (Simple Storage Service) to securely store your Roku video content. The video stream URLs generated using this walk-through are cryptographically signed, have built-in expiration dates, and will only function within your channel installed on a Roku player.

If your Instant TV Channel account contains multiple channels, the S3 Content bucket created in this walk-through can be used to store the video files for all of the channels in your account. You can create a folder structure within the S3 bucket to organize your videos by category, by channel, or any other criteria.

Do not use the method described in this walk-through for storing poster artwork, as it will greatly increase the time it takes for your Roku channel to load the menu images, particularly in large horizontal lists or grids. Please follow this walk-through to use Amazon S3 to store your poster images.

A note about Amazon AWS pricing: Amazon's S3 pricing is separate from Instant TV Channel's monthly charges. Amazon has a Free Tier for new customers which may include some or all of your S3 charges. All Amazon S3 charges are billed directly from Amazon, and are dependent mainly on the sizes of the files and how often they are accessed. For example, Amazon will bill you approximately $0.05 (five cents) for each download or play of a 500MB file.

DISCLAIMER: Instant TV Channel cannot guarantee that this AWS pricing information is accurate or complete. Please visit Amazon at for current pricing.

The following steps are only necessary if you wish to secure your content files so that they can only be accessed via your Roku channel and not via a web browser or other playback device. If your content is publicly accessible via regular http:// or https:// URLs, then you can skip this walk-through.

Please follow this walk-through to use Amazon S3 to store your video files using regular http:// or https:// URLs instead of using secure URLs.

Create an S3 "bucket" to store Roku Content

  1. Log into your AWS (Amazon Web Services) account and go to the S3 section of your AWS control panel.
  2. Click the Create Bucket button.
  3. Provide a Bucket Name, for example "my-content-bucket".

    Very Important: Use only lower-case characters, digits, and dashes in your bucket name. Instant TV Channel does not support the use of upper-case characters or other symbols in bucket names.

    Good Bucket Name: test-bucket
    Good Bucket Name: bucket123
    Bad Bucket Name: test.bucket (contains unsupported period character ".")
    Bad Bucket Name: bucket+123 (contains unsupported plus character "+")
    Bad Bucket Name: Test-Bucket (contains upper-case characters "T" and "B")
  4. The bucket Region must be set to "US East (N. Virginia)".
  5. Uncheck all of the checkboxes under "Block Public Access settings for bucket".
  6. Click the Create bucket button.

At this point your new S3 bucket is ready to store content files.

The default ACL (Access Control List) on your new bucket is "Private", meaning that a pair of AWS keys is required to access the bucket content. The bucket cannot be accessed using a plain http:// or https:// URL. This is usually the correct setting for a Content bucket, as it prevents content from being copied out of the bucket without your permission.

You can upload files to the new bucket by clicking the Upload button in the S3 control panel. For now, we will continue on with the creation of your AWS IAM Content user, but you can return to the AWS S3 control panel at any time to add new content.

Shortcut for S3 Bucket Keys

If your Amazon AWS account is used exclusively for your Roku channel you may wish to consider using your root account access key instead of using the IAM Content user and keys described below.

Your Amazon AWS root account access key provides access to all portions of your Amazon AWS account, whereas the IAM keys limit access to a specific S3 bucket or buckets within your AWS account.

To create a new Amazon AWS root account Access Key ID and Secrete Access Key:
  1. Browse to the Amazon AWS website at
  2. From the My Account/Console drop-down list in the upper right-hand corner of the page, select My Security Credentials. If you are already logged in, the drop-down list may display your Amazon login ID instead of My Account/Console.
  3. If prompted to do so, enter your Amazon AWS email address and password. You may also need to click a Continue to Security Credentials button.
  4. Click on the symbol next to the Access Keys link.
  5. Click on the Create New Access Key button.
  6. Click on the Download Key File button, and save the key file on your computer.
  7. DO NOT click the Close button until after you have verified that the key file can be opened and viewed.
  8. The key file contents will look like this:

    Your root account Access Key Id starts with the letters AKIA... and is 20 characters long.

    Your root account Secret Access Key is 40 characters long.

  9. After you have verified that you can view the key file, click the Close button on the Amazon Security Credentials page.
  10. Skip over the Create an IAM User section of this walk-through and continue at the Copy the Content Keys to your Channel section. Use your root account keys instead of the IAM user's keys.

Create an IAM User to Access the Content Bucket

Although you can use your AWS root account keys to access any S3 bucket that you create, you may feel more comfortable providing Instant TV Channel with keys that only grant access to the Content bucket. If you want to allow Instant TV Channel to use your AWS root account keys to access your Content bucket, you can skip this section and rejoin at Copy the Content Keys to your Channel below.

  1. Go to the IAM (Identity and Access Management) section of your AWS control panel.
  2. Click the Policies link on the left side of the page.
  3. Click the Create policy button near the top of the page.
  4. Click the JSON tab, and erase the sample lines of JSON text.
  5. Copy the security policy below and paste it into the JSON text box. Replace the two instances of
    in the policy with the name of the bucket that you just created. This security policy allows files in the Content bucket to be read, but not created, modified, or deleted.
      "Version": "2012-10-17",
      "Statement": [
          "Effect": "Allow",
          "Action": [
          "Resource": [
  6. Click the Next: Tags button near the bottom of the page.
  7. Click the Next: Review button near the bottom of the page.
  8. Provide a new Policy Name, for example "my-ro-content-policy" ("ro" stands for read-only). You may optionally also enter a Policy Description.
  9. Click the Create policy button near the bottom of the page.
  10. Click the User groups link on the left side of the page.
  11. Click the Create group button near the top of the page.
  12. Provide a new User group name, for example "my-content-group".
  13. Scroll down to the list of policies, and locate the "my-ro-content-policy" policy that you just created, or type the name of your newly created policy in the "Filter" box. You may need to scroll through a large number of built-in AWS policies until your policy is visible.
  14. Check the checkbox to the left of your policy name. making sure that no other checkboxes are checked, then click the Create Group button near the bottom of the page.
  15. Click the Users link on the left side of the page.
  16. Click the Add Users button near the top of the page.
  17. Provide a new User name, for example "my-content-user".
  18. Click the Next button near the bottom of the page.
  19. Check the checkbox to the left of the previously created Group name, then click the Next button near the bottom of the page.
  20. Click the Create user button near the bottom of the page.
  21. Click the previously created User name from the list of users. This will display a Summary page for the user.
  22. Click the Security credentials link or tab.
  23. Click either of the Create access key buttons.
  24. Select Other, then click the Next button.
  25. Click the Create access key button.
  26. Click the Show link beneath "Secret access key" or click the Download .csv button to copy and save the Access Key ID and Secret Access Key. These keys will be used exclusively for read-only access to your Content bucket. They cannot be used to write or change the Content bucket, nor can they access any other AWS buckets or services. Make sure that you save the keys for future use, Amazon will not display them again. If you misplace the keys you will have to create a new IAM user.
  27. After copying the Security Credentials, click the Close button near the bottom of the page.

    At this point we have a new IAM user that is a member of a new IAM group - the user has the keys and the group has the security policy. This will allow the keys to be used in the Roku channel to access the S3 bucket specified by the security policy.

Copy the Content Keys to your Channel

  1. Sign into Instant TV Channel and select the channel that you want to configure for S3.
  2. Go to the channel's Services page.
  3. Under AWS S3 Secure Content Storage, copy the new IAM user's Access Key ID into the Access Key ID box.
  4. Copy the new IAM user's Secret Access Key into the Secret Access Key box.
  5. The Expiration Time is the amount of time that a content item's S3 URL is valid for, after that time expires the URL stops working. It should usually be greater than your longest content length. If you are unsure, set it to 1440 minutes (1 day).
  6. Use SSL should be left at "Yes".

Add S3 Content to your Channel

Video content is added to your Roku channel using the Content Editor.

If you created an S3 bucket named "my-content-bucket" and put a video content file named "video.mp4" into it, then the URL that would be used in Instant TV Channel to reference your content is: s3://my-content-bucket/video.mp4

The above URL is only accessible within a channel created using Instant TV Channel. For information about using an Amazon S3 bucket to contain publicly accessible streams that are accessible using a standard web browser please see this walk-through.
For a walk-through covering how to build a Roku channel using Instant TV Channel, please see this article.

Comments or questions about this Roku developer walk-through can be emailed to .

Instant TV Channel is a cloud-based tool for Roku developers and content providers that shortens development time and eases maintenance after deployment.


If you are considering subtitles for your Roku video content, our sister-site provides an easy-to-use and inexpensive solution. Click here for more information.

Access Code: ID1
Check out Instant TV Channel by adding our latest demonstration channel to your Roku player.

Instant TV Channel is not affiliated with nor endorsed by Roku Inc.