Step 3: Set Up Your AWS Account for Catalog Ingestion
Catalog ingestion uses Amazon Web Services (AWS) tools to upload your catalog and manage the users who have access to the tool used to store your catalog. Before uploading your catalog file, you need to set up your AWS account and exchange account information with your Amazon representative.
- About the AWS Bucket
- Procedure Overview
- Step A: Sign In or Sign Up for an AWS Account (New AWS Users Only)
- Step B: Send Your 12-Digit AWS Account ID to Your Amazon Representative
- Step C: Obtain the S3 Bucket Information for Your App from Your Amazon Representative
- Step D: Grant Permission to an IAM AWS User to Upload Files to Your S3 Catalog Bucket
- Step E: Test Your IAM User Policy
- Step F: Set Up the AWS Command Line Interface (CLI) (or An Alternative)
- Next Steps
About the AWS Bucket
Your Fire TV representative will create your AWS S3 bucket for catalog ingestion and provide you with access to your bucket. Because Amazon creates the S3 bucket, the bucket will not appear in your AWS S3 console. However, you should be able to access the bucket via the Command Line Interface (CLI) to view the bucket contents and upload files to the bucket. The commands used to interact with your S3 bucket are given in the next sections.
Procedure Overview
Setting up your AWS account is a one-time process that you will need to complete before you can start uploading catalog files to Amazon. To set up and test your AWS account:
- Sign in or sign up for an AWS account.
- Send your 12-digit AWS Account ID (this is different than an IAM User ID) to your Amazon representative.
- Obtain the S3 bucket information for your app from your Amazon representative.
- Grant permission to an Identity and Access Management (IAM) AWS user to upload files to your S3 catalog bucket.
- Test your IAM user policy.
- Set up the AWS CLI.
- Test the catalog upload using a sample CDF file with the AWS Command Line Interface (CLI) to verify that you can upload catalog files.
Step A: Sign In or Sign Up for an AWS Account (New AWS Users Only)
To upload your catalog file to our service on Amazon S3, you must have an Amazon Web Services (AWS) account. If you have an AWS account, sign in to that account. If you do not already have an account with AWS, you will need to create one.
To create an AWS Account:
- Go to http://aws.amazon.com/
- Click the Sign in to the Console button, which takes you to the login screen.
- Type your email address or mobile telephone number.
- Choose the I am a new user option.
- Click the Sign in using our secure server button.
- Follow the prompts to create your account.
Step B: Send Your 12-Digit AWS Account ID to Your Amazon Representative
For the Catalog service to grant access to the S3 catalog bucket that Amazon creates for you, send the 12-digit Account ID of your AWS account to your Amazon representative using a secure method.
To find your AWS Account ID:
-
For account owners (root account users), the AWS account ID is on the Security Credentials page, under the Account Identifiers tab.
-
For IAM or federated users, the AWS account ID is shown in the Support Center, in the upper right corner. (If you have not yet set up your IAM users, the next section describes how to do so. Note that you will need the name of the S3 bucket from your Amazon representative to set up the security policy for your IAM users.)
Step C: Obtain the S3 Bucket Information for Your App from Your Amazon Representative
After you send your AWS Account ID to your Amazon representative, your representative will send you an S3 bucket name. This catalog bucket is unique to your account and may only be accessed by your account. No other Catalog Integration partner can see or access your S3 catalog bucket.
Step D: Grant Permission to an IAM AWS User to Upload Files to Your S3 Catalog Bucket
Configure an Identity and Access Management (IAM) AWS user with at least the "S3 PutObject" permission to all of S3 or at least your S3 catalog bucket. This permission will allow that user to upload files to your S3 bucket.
Although you can use your AWS root credentials to access Amazon S3 and your catalog bucket, the AWS best practice is to create separate Identity and Access Management (IAM) users and use those credentials to interact with AWS.
For example, you can create an IAM user that has full administrator access to S3 but to no other AWS services or create a limited-access IAM user who can only upload catalog data but not access any other part of the account. Set up an IAM user for your AWS account for each person in your organization who will need access to your S3 bucket. Having separate IAM users for different members of your organization will allow you to enable only the necessary permissions for each user.
Create a New IAM User
To create a new IAM user:
- Sign in to the AWS Console.
- Under Security, Identity & Compliance, click IAM to display the Welcome to Identity and Access Management page.
- Under Security Status, click Create individual IAM users to expand that menu item, then click Manage Users to view the list of IAM users associated with your AWS account.
- Click Add user to create your new user. You see the Add user details page.
- In the User name field, type a user name. As desired, add more users by clicking Add another user.
- In the Select AWS access type section, select both check boxes — for both Programmatic access and AWS Management Console access. For the Console access, you're asked to select Console password and password reset options.
-
Click Next: Permissions (at the bottom of the screen). You see the Set permissions screen for the users, with several permission options. The next section, Giving IAM Users Access to Your Amazon S3 Bucket, covers more details about permissions. For now, just click Next: Review.
If successful, you see a "Success" message for the created user along with the user's security credentials.
-
Copy the Access key ID, Secret access key, and Password for the user.
Any user who is going to access the Catalog Integration S3 bucket will need the access keys for that IAM user. The access keys include an Access key ID and a Secret access key. The Secret access key is only available when you create an IAM user, although you can generate a new Secret access key at any time. (You can find the Access key ID on the IAM Users page under the Security Credentials tab.)
- Click Close. Then give the user the appropriate permissions by following the next section, Giving IAM Users Access to Your Amazon S3 Bucket.
For more details about creating IAM users, see Overview of Identity Management: Users.
Grant IAM Users Access to Your Amazon S3 Bucket
If you don't yet have any IAM users, see Creating a new IAM User in the previous section first. In this section, you will give your IAM users access to your S3 bucket. Before you start this task, you will need the name of your S3 bucket as provided by your Amazon representative.
To give existing IAM users access to your Amazon S3 bucket:
- Sign in to the AWS console.
- Under Security, Identity, & Compliance, click IAM.
- In the left column, click Users.
-
Click the user name that you would like to grant access to your S3 bucket.
On the user's detail page, the Permissions tab allows you to configure security policies for users. Two setups are commonly used for permissions: full access or limited access.
-
Choose the access you want for the user:
Option 1: Full AccessIf you are comfortable with the user having full access to all S3 functionality for the account, apply the "AmazonS3FullAccess" policy:
- On the Permissions tab, click Add permissions.
- Click the Attach existing policies directly box.
- In the Filter policies box, type AmazonS3FullAccess to filter the list of policies to this policy only.
- Select the check box next to AmazonS3FullAccess, and then click Next: Review at the bottom of the screen.
- You see a summary of the permissions you're attaching to the user. Click Add permissions.
For more details, see Adding and Removing IAM Policies (Console) in the AWS IAM documentation.
Option 2: Limited AccessTo restrict the user's access to only your catalog bucket, set up a new custom policy for your bucket:
- On the Permissions tab, click + Add inline policy.
- Click the JSON tab.
-
Do one of the following:
To allow all actions in S3 (but only S3), copy and paste the following bucket policy into the editor:
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:*" ], "Resource":[ "arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*" ] } ] }
In the
"Action"
,s3:*
, the asterisk is a wildcard that grants permission for all Amazon S3 actions.To allow only certain actions against S3 versus all actions, copy and paste the following bucket policy into the editor:
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:ListBucket", "s3:ListBucketVersions", "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl" ], "Resource":[ "arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*" ] } ] }
Here the permitted actions are listed out in a more granular way. To upload files, you really just need two actions:
s3:PutObject
s3:PutObjectAcl
You can include the other actions, but they aren't required for uploading catalog files. For more details on permissions, see Specifying Permissions in a Policy. For more detail about the syntax in the
Resource
property, see Specifying Resources in a Policy. - Substitute the actual name of your S3 bucket for the
your-bucket-name
placeholder. -
Click Review policy.
You will see a status message either telling you that the policy is valid or an error message with instructions to fix the policy.
- In the Name field, type a unique name for the policy. This name can be anything that you choose (no spaces are allowed).
- Click Create policy. The policy is attached to the user.
Step E: Test Your IAM User Policy
To make sure that you have correctly set up your IAM users and their security policies, you can use AWS's Policy Simulator tool. To verify a policy using the Policy Simulator:
- In your web browser, navigate to the Policy Simulator.
- On the left pane, select the user whose policy you are verifying.
- On the right pane, select S3 from the Select Service drop-down list.
- From the Select action drop-down list, select PutObject.
- Click the toggle arrow just to the left of the Amazon S3 entry in the Service column to expand the simulation settings.
- Copy and paste
arn:aws:s3:::<Bucket_Name>/catalogs/*
into the ARN field, replacing the<Bucket_Name>
placeholder with the name of your S3 catalog bucket. - Click Run Simulation to run the simulation.
If the policy is valid, the simulator will display an "allowed" message; otherwise, it will display "denied" with an explanation of the issue.
Step F: Set Up the AWS Command Line Interface (CLI) (or An Alternative)
To interact with Amazon S3 and your catalog bucket, you can use any available tools for interacting with Amazon S3, including the following:
- The AWS Command Line Interface (CLI). See Getting Set Up with the AWS Command Line Interface for information.
- One of the AWS SDK tools to implement catalog upload with the programming language of your choice. For example, the AWS SDK for Java provides an S3 Client, with sample code. See Start Developing with Amazon Web Services for more information on the AWS developer tools.
Any S3 access tool you use, including your own implementation, must be initially configured with the Access Key ID and Secret Access Key for your IAM user. For example, to configure the AWS CLI, use the aws configure
command. The following example shows both the aws configure
command syntax and the prompts that follow as you configure the CLI:
$ aws configure
AWS Access Key ID [None]: AAAAAAAAAAAAAEXAMPLE
AWS Secret Access Key [None]: aAaaaAAaaAAA/A1AAAAA/aAaAaaAAEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
See Configuring the AWS Command Line Interface for information on configuring the AWS CLI.
Next Steps
After you set up your AWS permissions, go to Step 4: Upload Your Catalog File.