This step-by-step walk-through will guide you through the process of
using Amazon S3 (Simple Storage Service)
to securely store your Roku video content.
The video stream URLs generated using this walk-through are cryptographically signed,
have built-in expiration dates,
and will only function within your channel installed on a Roku player.
If your Instant TV Channel account contains multiple channels,
the S3 Content bucket created in this walk-through can be used
to store the video files for all of the channels in your account.
You can create a folder structure within the S3 bucket to organize your
videos by category, by channel, or any other criteria.
Do not use the method described in this walk-through for storing poster artwork,
as it will greatly increase the time it takes for your Roku channel to load
the menu images,
particularly in large horizontal lists or grids.
Please follow this
to use Amazon S3 to store your poster images.
The following steps are only necessary if you wish to secure your content files
so that they can only be accessed via your Roku channel and not via a web
browser or other playback device.
If your content is publicly accessible via regular http:// or https:// URLs,
then you can skip this walk-through.
Please follow this
to use Amazon S3 to store your video files using regular http:// or https:// URLs instead of using secure URLs.
Create an S3 "bucket" to store Roku Content
Log into your AWS (Amazon Web Services) account and
go to the S3 section of your AWS control panel.
Click the Create Bucket button.
Provide a Bucket Name, for example "my-content-bucket".
Very Important: Use only lower-case characters, digits, and dashes in your bucket name.
Instant TV Channel does not support the use of upper-case characters or other symbols in bucket names.
Good Bucket Name: test-bucket
Good Bucket Name: bucket123
Bad Bucket Name: test.bucket(contains unsupported period character ".")
Bad Bucket Name: bucket+123(contains unsupported plus character "+")
Bad Bucket Name: Test-Bucket(contains upper-case characters "T" and "B")
The bucket Region must be set to "US East (N. Virginia)".
Uncheck all of the checkboxes under "Block Public Access settings for bucket".
Click the Create bucket button.
At this point your new S3 bucket is ready to store content files.
The default ACL (Access Control List) on your new bucket is "Private",
meaning that a pair of AWS keys is required to access the bucket content.
The bucket cannot be accessed using a plain http:// or https:// URL.
This is usually the correct setting for a Content bucket,
as it prevents content from being copied out of the bucket without
You can upload files to the new bucket by clicking the Upload
button in the S3 control panel.
For now, we will continue on with the creation of your AWS IAM Content user,
but you can return to the AWS S3 control panel at any time to add new content.
Create an IAM User to Access the Content Bucket
Although you can use your AWS root account keys
to access any S3 bucket that you create,
you may feel more comfortable providing Instant TV Channel
with keys that only grant access to the Content bucket.
If you want to allow Instant TV Channel to use your AWS root account keys
to access your Content bucket, you can skip this section
and rejoin at Copy the Content Keys to your Channel below.
Go to the IAM (Identity and Access Management) section of your AWS control panel.
Click the Policies link on the left side of the page.
Click the Create policy button near the top of the page.
Click the JSON tab, and erase the sample lines of JSON text.
Copy the security policy below and paste it into the JSON text box.
Replace the two instances of
in the policy
with the name of the bucket that you just created.
This security policy allows files in the Content bucket to be read, but not created, modified, or deleted.
Click the Next: Tags button near the bottom of the page.
Click the Next: Review button near the bottom of the page.
Provide a new Policy Name, for example "my-ro-content-policy" ("ro" stands for read-only).
You may optionally also enter a Policy Description.
Click the Create policy button near the bottom of the page.
Click the User groups link on the left side of the page.
Click the Create group button near the top of the page.
Provide a new User group name, for example "my-content-group".
Scroll down to the list of policies, and locate the "my-ro-content-policy" policy that you just created,
or type the name of your newly created policy in the "Filter" box.
You may need to scroll through a large number of built-in AWS policies until your policy is visible.
Check the checkbox to the left of your policy name.
making sure that no other checkboxes are checked,
then click the Create Group button near the bottom of the page.
Click the Users link on the left side of the page.
Click the Add Users button near the top of the page.
Provide a new User name,
for example "my-content-user".
Click the Next button near the bottom of the page.
Check the checkbox to the left of the previously created Group name,
then click the Next button near the bottom of the page.
Click the Create user button near the bottom of the page.
Click the previously created User name from the list of users.
This will display a Summary page for the user.
Click the Security credentials link or tab.
Click either of the Create access key buttons.
then click the Next button.
Click the Create access key button.
Click the Show link beneath "Secret access key" or
click the Download .csv button to copy and save the Access Key ID and Secret Access Key.
These keys will be used exclusively for read-only access to your Content bucket.
They cannot be used to write or change the Content bucket,
nor can they access any other AWS buckets or services.
Make sure that you save the keys for future use,
Amazon will not display them again.
If you misplace the keys you will have to create a new IAM user.
After copying the Security Credentials, click the Close button near the bottom of the page.
At this point we have a new IAM user that is a member of a new IAM group -
the user has the keys and the group has the security policy.
This will allow the keys to be used in the Roku channel to access the S3 bucket specified by the security policy.
Sign into Instant TV Channel and select the channel
that you want to configure for S3.
Go to the channel's Keys & CDNs page.
Under AWS S3 Secure Content Storage,
copy the new IAM user's Access Key ID into the Access Key ID box.
Copy the new IAM user's Secret Access Key into the Secret Access Key box.
The Expiration Time
is the amount of time that a content item's S3 URL is valid for,
after that time expires the URL stops working.
It should usually be greater than your longest content length.
If you are unsure, set it to 1440 minutes (1 day).
Use SSL should be left at "Yes".
Add S3 Content to your Channel
Video content is added to your Roku channel using the Content Editor.
If you created an S3 bucket named "my-content-bucket"
and put a video content file named "video.mp4" into it,
then the URL that would be used in Instant TV Channel
to reference your content is:
The above URL is only accessible within a channel created using
Instant TV Channel.
For information about using an Amazon S3 bucket to contain publicly accessible streams
that are accessible using a standard web browser
please see this
For a walk-through covering how to build a Roku channel using Instant TV Channel,
please see this
Comments or questions about this Roku developer walk-through can be emailed to .
Instant TV Channel
Instant TV Channel is a cloud-based tool for Roku developers and content providers that shortens development time and eases maintenance after deployment.