Configuration files are automatically written to whenever you make a change to your channel using
an Instant TV Channel editor.
Configuration files are read by Roku devices in order to display your channel.
Instant TV Channel provides free configuration file storage for
up to 100 video, audio, picture or text content items per channel.
If you have more than 100 content items in a channel,
you must provide Instant TV Channel with an
Amazon S3 "bucket"
to automatically store your Roku channel's configuration files in.
Amazon's S3 pricing
is separate from Instant TV Channel's monthly charges.
All Amazon S3 charges are billed directly by Amazon.
Amazon has a Free Tier
for new customers
which may include some or all of your S3 charges.
Instant TV Channel configuration files for a typical channel are very small,
and the S3 charges for them are often included within Amazon's Free Tier.
Even for a very large or popular Roku channel,
the total Amazon S3 cost for configuration file
storage will often be less than a dollar per month.
This step-by-step walk-through will guide you through the process of
creating an Amazon S3 bucket to store Instant TV Channel configuration files
and creating keys to allow secure access to your bucket.
The keys will provide restricted access to your new Configuration bucket
and will not be usable for any of your other Amazon services or S3 buckets.
You can use the same S3 Configuration bucket and keys for multiple channels.
Instant TV Channel automatically creates separate directories within the
Configuration bucket for each channel's configuration files.
Your configuration files will only be available using a time-limited signed URL
to Roku devices that have your channel installed.
In order to further secure your data,
your configuration files are stored and transmitted to Roku devices
in an encrypted format.
Create an S3 Bucket to store Configuration Files
Log into your AWS account and go to the S3 section of your AWS control panel.
Click the Create Bucket button.
This should be a new bucket that is used only for Instant TV Channel Roku configuration files.
Do not re-use a bucket that also contains content or non-Roku files!
Provide a Bucket Name, for example "my-config-bucket".
Very Important: Use only lower-case characters, digits, and dashes in your bucket name.
Instant TV Channel does not support the use of upper-case characters or other symbols in bucket names.
Good Bucket Name: test-bucket
Good Bucket Name: bucket123
Bad Bucket Name: test.bucket(contains unsupported period character ".")
Bad Bucket Name: bucket+123(contains unsupported plus character "+")
Bad Bucket Name: Test-Bucket(contains upper-case characters "T" and "B")
The bucket Region must be set to "US East (N. Virginia)".
Click the Create button, do not click the Next button.
The default ACL (Access Control List) on your new bucket is "Private",
meaning that an AWS key pair is required to access files in the bucket.
The bucket cannot be accessed using a plain http:// or https:// URL.
This is the correct setting for a Configuration bucket,
as it only allows the Instant TV Channel web site and your channel
running in a Roku device to access the configuration files.
You should never attempt to move or delete files from your Configuration bucket.
Doing so will cause unpredictable results
and may cause your Roku channel to be unviewable.
Create IAM Keys to Access the Configuration Bucket
Although you can use your AWS root account keys to access any S3 bucket that you create,
you may feel more comfortable providing Instant TV Channel with keys that only grant access to the Configuration bucket.
If you want to allow Instant TV Channel to use your root account keys to access your Configuration bucket,
you can skip this section and rejoin at Copy the Configuration Keys to your Channel below.
We will create two IAM users and two sets of keys to access your Configuration bucket.
One set of keys will grant read-write access to the bucket and will be used by
the Instant TV Channel web site to update your configuration files as you change
the layout and content of your Roku channel.
The other set of keys will grant read-only access to the bucket and
will be used to load configuration files directly into any Roku device that has your channel installed.
Because the Roku device does not need to alter the contents of the configuration files its keys can be read-only.
The use of read-only keys is optional,
if not present then any Roku device with your channel installed will use the read-write keys.
Go to the IAM (Identity and Access Management) section of your AWS control panel.
Click the Policies link on the left side of the page.
Click the Create policy button near the top of the page.
Click the JSON tab, and erase the sample lines of JSON text.
Copy the security policy below and paste it into the JSON text box.
Replace the two instances of
in the policy
with the name of the bucket that you just created.
This security policy allows files in the Configuration bucket to be created, read, modified, or deleted.
Click the Review policy button near the bottom of the page.
An error message will be displayed if there are any errors in the JSON text.
After correcting the errors, click the Review policy button again.
Provide a Policy Name, for example "my-rw-config-policy" ("rw" stands for read-write).
Click the Create policy button near the bottom of the page.
Click the Groups link on the left side of the page.
Click the Create New Group button near the top of the page.
Provide a group name, for example "my-rw-config-group",
then click the Next Step button near the bottom of the page.
The "Attach Policy" page is displayed.
Scroll down the list of policies until the "my-rw-config-policy" policy that you just created is visible,
or type the name of your newly created policy in the "Filter" box.
You may need to scroll through a large number of built-in AWS policies until your policy is visible.
Click the check-box to the left of your policy name,
making sure that no other check-boxes are checked,
then click the Next Step button near the bottom of the page.
Click the Create Group button near the bottom of the page.
Click the Users link on the left side of the page.
Click the Add User button near the top of the page.
Enter a new user name,
for example "my-rw-config-user".
Select an Access type of "Programmatic access".
Click the Next: Permissions button near the bottom of the page.
Click the check-box to the left of the previously created Group name,
then click the Next: Review button near the bottom of the page.
Click the Create user button near the bottom of the page.
Click the Show link beneath "Secret access key" or
click the Download .csv button to copy and save the Access Key ID and Secret Access Key.
These keys will be used exclusively for read-write access to your Configuration bucket.
They cannot be used to access any other AWS buckets or services.
Make sure that you save the keys for future use,
Amazon will not display them again.
If you misplace the keys you will have to create a new IAM user.
After copying the Security Credentials, click the Close button near the bottom of the page.
At this point we have a new IAM user that is a member of a new IAM group -
the user has the keys and the group has the security policy.
The keys for this IAM user can be used in the Roku channel to access the S3 bucket specified by the security policy.
Repeat each of the steps above,
beginning with Go to the IAM (Identity and Access Management) section...
to create a read-only IAM group, policy, user and keys.
This time use the security policy below for the Policy Document box,
replacing the two instances of
in the code below
with the name of the bucket that you previously created.
This security policy allows files in the Configuration bucket to be read, but not created, modified, or deleted.
Sign into Instant TV Channel and select the channel
that you want to configure for S3.
Go to the channel's Keys & CDNs page.
Under AWS S3 Configuration Storage,
copy the new Configuration bucket name into the Bucket Name box.
Copy the read-write IAM user's Access Key ID into the Read-Write Access Key ID box.
Copy the read-write IAM user's Secret Access Key into the Read-Write Secret Access Key box.
Copy the read-only IAM user's Access Key ID into the Optional Read-Write Access Key ID box.
Copy the read-only IAM user's Secret Access Key into the Optional Read-Write Secret Access Key box.
Click the TEST S3 CONFIGURATION STORAGE button and verify that
the S3 bucket Read-Write and Read-Only Tests Passed message is displayed.
If the test failed, verify that your S3 keys were copied correctly and try again.
If the test was successful,
change Use S3 for Configuration Storage to Yes to activate your S3 Configuration bucket.
A message will be displayed after your configuration files are copied from
one of Instant TV Channel's buckets into your own bucket.
Your channel's configuration files are now being
stored in your S3 Configuration bucket.
Roku devices that have your channel installed will access your channel's
configuration files directly from your S3 Configuration bucket.