Running the Amazon S3 Personal File Store Sample

This Amazon S3 Personal File Store sample is fully detailed in the Mobile Credential Management article. The sample demonstrates how to customize the token vending machine to give application users specific and constrained permissions to an Amazon S3 bucket. Each application user will get a "folder" of an Amazon S3 bucket as specified by the modified policy. This README details all the steps necessary to get the sample fully running:

Create an Amazon S3 bucket to use for the sample.
- Using the AWS Management Console create a new Amazon S3 bucket for testing with this sample. The name you choose for the bucket will be necessary for a number of steps to follow.
Customize and build the token vending machine specific for this sample.
Note: To build the token vending machine, you will need access to Ant and Java on your machine. The following steps need to be excuted from the command line:
- From a termincal application, change into the CustomTVM directory.
- Modify the TokenVendingMachinePolicy.json file in the src directory.
  - Replace the two instances of __BUCKET_NAME__ with the Amazon S3 bucket you already created to use for this application.
  - The default policy and sample substitution can be seen below.
- Build the token vending machine using ant.
  - From the command line, just enter ant. The CustomTVM is configured to automatically build everything that is necessary.
  - Running ant will produce a CustomTVM.war file. This will be used later in an upload to AWS Elastic Beanstalk.
Deploy the token vending machine to AWS Elastic Beanstalk.
- Follow these instructions for deploying the token vending machine to AWS Elastic Beanstalk. However, the following modifications to the instructions must be made:
  - When adding the policy to the TVMUser, don't use the default policy shown in the instructions. Instead the IAM User policy must be modified to restrict access to the appropriate Amazon S3 bucket necessary for this application. The policy to use with a sample bucket name subtitution can be seen below.
  - When the instructions ask you to select the IdentityTVM.war file, use the CustomTVM.war that was created when you built the CustomTVM above.
Run the sample iOS or Android application.
- Following the instructions in the READMEs located in the S3PersonalFileStore-iOS or S3PersonalFileStore-Android directories will allow you to run the mobile application in conjunction with the token vending machine.

TokenVendingMachinePolicy.json

You will need to update the default policy. Replace the occurrences of __BUCKET_NAME__ to an Amazon S3 bucket you created for this application. Do not modify the __USERNAME__ strings as those will be automatically updated by the token vending machine.

{"Statement":
    [
        {"Effect":"Allow","Action":["s3:PutObject","s3:GetObject","s3:DeleteObject"],"Resource":"arn:aws:s3:::__BUCKET_NAME__/__USERNAME__/*"},
        {"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::__BUCKET_NAME__","Condition":{"StringLike":{"s3:prefix":"__USERNAME__/"}}},
        {"Effect":"Deny","Action":["iam:*", "sts:*", "sdb:*"],"Resource":"*"}
    ]
}

If you used my_s3_bucket as the bucket name for the substitution, your policy would result in the following:

{"Statement":
    [
        {"Effect":"Allow","Action":["s3:PutObject","s3:GetObject","s3:DeleteObject"],"Resource":"arn:aws:s3:::my_s3_bucket/__USERNAME__/*"},
        {"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my_s3_bucket","Condition":{"StringLike":{"s3:prefix":"__USERNAME__/"}}},
        {"Effect":"Deny","Action":["iam:*", "sts:*", "sdb:*"],"Resource":"*"}
    ]
}

IAM User Policy

The default IAM User Policy also needs to have the __BUCKET_NAME__ replaced. The bucket name here should match the bucket name used in the TokenVendingMachinePolicy.json object.

{
  "Statement": [
    {
        "Effect": "Allow",
        "Action": "sts:GetFederationToken",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": "iam:GetUser",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": ["s3:PutObject","s3:GetObject","s3:DeleteObject"],
        "Resource": "arn:aws:s3:::__BUCKET_NAME__/*"
    },
    {
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": "arn:aws:s3:::__BUCKET_NAME__"
    },
    {
        "Effect": "Allow",
        "Action": "sdb:*",
        "Resource": "*"
    }
  ]
}

If you used my_s3_bucket as the bucket name for the substitution, your would policy result in the following:

{
  "Statement": [
    {
        "Effect": "Allow",
        "Action": "sts:GetFederationToken",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": "iam:GetUser",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": ["s3:PutObject","s3:GetObject","s3:DeleteObject"],
        "Resource": "arn:aws:s3:::my_s3_bucket/*"
    },
    {
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": "arn:aws:s3:::my_s3_bucket"
    },
    {
        "Effect": "Allow",
        "Action": "sdb:*",
        "Resource": "*"
    }
  ]
}