Bring Your Own Storage (BYOS) with AWS S3 Cloud Storage

Camio provides the option to read and write video, images, and metadata using Amazon S3 Cloud Storage.

Camio BYOS enables your team to control the storage policies, retention, permissions, backups, capacity, and billing directly from your own Amazon Web Services account. 

This article describes:

How BYOS works

BYOS with Amazon S3 Cloud Storage

Amazon S3 Cloud Storage (S3) supports signed URLs, which provide limited permission and time to make a request to your storage. These enable the Camio Box gateway to write directly to your bucket(s). Signed URLs also enable Camio to serve video, images, and metadata in your buckets securely and directly from Amazon Web Services to your Web Browser via the Camio Web App. Another benefit of signed URLs is that the credentials to access your encrypted content are never stored on client devices.

To configure S3 storage with Camio, you will need to provide information about the buckets you would like to connect with Camio, such as the name of the bucket, as well as credentials to read and write to those buckets through signed URLs.

Configure the number of buckets and credentials as needed

The number of buckets, as well as the number of credentials per bucket, to use with Camio is configurable. At a maximum, Camio allows up to three separate buckets, for storage of Video, Images, and Metadata, and two separate credentials for each bucket, for Read and Write access.

The number of separate buckets and credentials provided can be reduced as needed, so long as the provided credential(s) allow the minimum required access to read or write to the provided bucket(s) as specified.

Creating storage buckets

If you do not already have storage buckets prepared for use with Camio, the following will provide basic instructions on how to create storage buckets with S3.

Detailed steps for creating a storage bucket in S3 can be found here in the AWS official S3 documentation.

The following are abbreviated steps for creating a bucket through the console:

  1. Navigate to the Buckets page of S3 from the AWS Console.
  2. In the top right of the Buckets section, click the Create bucket button.
  3. You will be brought to a page to configure your new bucket before creation. Set a unique Bucket Name for the new bucket, and configure any desired bucket settings before confirming your choices by pressing the Create bucket button at the bottom of the page.
  4. Your new bucket will now be listed on the Buckets page of S3.

You will need to provide the unique Bucket Name for each bucket you intend to use with your Camio account when you configure your BYOS settings.

Creating credentials to access your storage

In order for Camio to access the S3 storage bucket(s) you've chosen to use with Camio, you need to create and supply two separate credentials per bucket that allow Camio to read and write to your storage. 

To provide Camio the credentials needed to access your storage bucket(s), you will need to: 

  1. Create Policies with permissions to read and write to the storage buckets.
  2. Create IAM Users with these Policies assigned to them, or to a Group they belong to.
  3. Generate Access Keys for each IAM User to provide to your Camio Account.

Creating Policies with the required permissions for accessing storage:

AWS official documentation for creating IAM Policies can be found here.

The following are abbreviated steps for creating a Policy through the console as required for Camio storage configuration.

  1. Navigate to the Policies page of IAM from the AWS Console.
  2. Click the Create Policy button on the upper right of the page.
  3. You can either use the Visual Editor or JSON editor to then configure the policy with the appropriate permissions.
    • If you are using the Visual Editor:
      1. The minimum permission required for Camio to read from a bucket is the GetObject Action under the Read section of the S3 Service Actions.
      2. The minimum permission required for Camio to write to a bucket is the PutObject Action under the Write section of the S3 Service Actions.
      3. In the Resource section, if you would like to specify a specific bucket for these permissions to apply to, select the option for a Specific resource, and under the object section that appears, click Add ARN (Amazon Resource Name) and enter the name of the bucket to restrict access to.
    • If you are using the JSON editor, the JSON policy should include the following:
      1. An Effect field set to "Allow"
      2. An Action field set to (a list of) the action(s) providing the appropriate bucket access for Camio:
        • The minimum permission required for Camio to read from a bucket is “s3:GetObject”.
        • The minimum permission required for Camio to write to a bucket is “s3:PutObject”.
      3. A Resource field set to (a list of) the ARN (Amazon Resource Name) of the buckets the policy should apply to, in the format “arn:aws:s3:::BUCKET-NAME/*”
  4. Proceed through the Policy creation process, configuring any other settings desired for the Policy in the following sections, and click the Create Policy button at the bottom right of the page on the final Review step to complete the process.

The following two example JSON Policies contain the minimum requirements for Policies granting read and write permissions for a specific bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::BUCKET-NAME/*"]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::BUCKET-NAME/*"]
    }
  ]
}
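Before attaching a policy to a Camio IAM User, it is worth confirming that it grants no more than the minimum described above. The following added example (not Camio's code) audits a policy document against that minimum for a read or write credential. The `audit_policy` function, the `example-bucket` name, and both sample policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Minimum actions the article lists for each Camio credential (lowercased).
MINIMUM = {"read": {"s3:getobject"}, "write": {"s3:putobject"}}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_json, role, bucket):
    """Return findings where a policy differs from the minimum for role."""
    expected = f"arn:aws:s3:::{bucket}/*"
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be an object
        statements = [statements]
    findings, granted = [], set()
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: grants by exclusion")
        for action in _as_list(st.get("Action", [])):
            name = action.lower()         # IAM action names are case-insensitive
            granted.add(name)
            if "*" in name or "?" in name:
                findings.append(f"statement {i}: wildcard action {action}")
            elif name not in MINIMUM[role]:
                findings.append(f"statement {i}: extra action {action}")
        for resource in _as_list(st.get("Resource", [])):
            if resource != expected:
                findings.append(
                    f"statement {i}: resource {resource} is not {expected}")
    for required in sorted(MINIMUM[role]):
        if not any(fnmatchcase(required, pattern) for pattern in granted):
            findings.append(f"missing required action {required}")
    return findings

# Constructed samples: the article's read policy with a placeholder bucket
# name, and an over-broad policy of the kind this check is meant to catch.
PAGE_READ = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
             '"Action":["s3:GetObject"],'
             '"Resource":["arn:aws:s3:::example-bucket/*"]}]}')
BROAD = ('{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
         '"Action":"s3:*","Resource":"*"}}')

if __name__ == "__main__":
    for label, policy in (("read policy", PAGE_READ), ("broad policy", BROAD)):
        print(label, audit_policy(policy, "read", "example-bucket") or "OK")
```

An empty result means the policy matches the minimum exactly; any finding is a reason to review the policy before generating Access Keys for that user.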

Creating an IAM user with the required Policies for accessing storage:

AWS official documentation for creating IAM Users can be found here.

The following are abbreviated steps for creating an IAM User through the console as required for Camio storage configuration.

  1. Navigate to the Users page from the AWS Console.
  2. Click the Add Users button to begin creating a new IAM User.
    1. When configuring details in the Specify user details section, note that the IAM User does not require access to the AWS Management Console.
    2. In the Set permissions section, attach the policies you previously created to the new IAM User, either directly to the user through the Attach policies directly option, or through the Add user to group option, to add the user to a Group assigned the required permissions, if you would like to more conveniently assign the same policies to multiple IAM Users.
  3. Once complete, your new IAM User should appear in the list of Users on the Users page.

Creating an Access Key from an IAM user for accessing storage:

AWS official documentation for creating Access Keys for IAM Users can be found here.

The following are abbreviated steps for creating Access Keys as required for Camio storage configuration.

  1. Navigate to the Users page from the AWS Console, and select the IAM User to create an Access Key for.
  2. Under the Security credentials tab, navigate to the Access keys section and click the Create access key button to begin creating an Access Key.
  3. In the Access key best practices & alternatives section, select the Application running outside AWS option, and take note of their best practices for managing Access Keys.
  4. On the final step of Access Key creation, Retrieve access keys, copy and save the provided Access Key ID and hidden Secret Access Key for each Access Key you will use with Camio, making sure to record which IAM User each Access Key belongs to.
    • You can either copy and paste the keys directly from the page to where you please, or click the Download .csv file button at the bottom right of the page to save the credentials in a CSV file format.
      • When copying the Secret Access Key, make sure to either click the Copy icon to the left of the Secret Access Key, or reveal the contents of the Secret Access Key and select and copy it directly.
    • The Secret Access Key of your new Access Key will only appear once after creation, so make sure to copy and save it somewhere secure, as you will need to provide it to your Camio Account for access to these credentials.
    • In the case a Secret Access Key is lost before saving to your Camio Account storage settings, you will need to delete the Access Key associated with the missing Secret Access Key, and create a new Access Key as instructed in the previous step.

You will need to provide the Access Key ID and Secret Access Key associated with the Access Key(s) granting read and write permissions for each bucket you intend to use with your Camio account when you configure your BYOS settings.

Configuring CORS rules to allow the Camio Web App access to storage buckets

S3 allows configuring Cross-origin resource sharing (CORS) rules on a per-bucket basis. Enabling CORS for the Camio domain(s) allows the Camio Web App to display your content such as video and images. If you choose not to enable CORS, some of your content will not be available for viewing in the app.

AWS official documentation for configuring CORS rules with S3 buckets can be found here.

The following are abbreviated steps for adding CORS rules to a bucket through the console as required for Camio storage configuration.

For each bucket:

  1. From the S3 Buckets page, select the bucket whose CORS rules will be configured from the list of buckets.
  2. On the bucket’s page, navigate to the Permissions tab, and scroll down to the Cross-origin resource sharing (CORS) section.
  3. Click the Edit button to the right of the section heading, where you will be brought to a new page. Copy and paste the following JSON-format CORS rules for Camio into the on-page text editor: 
    [
      {
        "AllowedMethods": [
          "GET"
        ],
        "AllowedOrigins": [
          "https://camio.com",
          "https://*.camio.com"
        ],
        "AllowedHeaders": [
          "Content-Type",
          "X-Csrf-Token",
          "Access-Control-Allow-Origin"
        ],
        "ExposeHeaders": []
      }
    ]
  4. Click the Save Changes button at the bottom of the page.

Providing the access credentials to Camio

To provide Camio access to your S3 storage buckets, you will need to provide the storage bucket and access credential information you've retrieved to the Camio settings page: https://camio.com/settings/storage 

By selecting Amazon Web Services (AWS): S3 from the dropdown menu for Storage Provider, the following sections will be listed to fill in per bucket:

  • Bucket Information
  • Read Credentials Information
  • Write Credentials Information

If you would like to only configure one bucket for storage of videos, images, and metadata, check the checkbox for Use the same storage settings for videos, images, and metadata underneath the dropdown menu for Storage Provider.

The following storage and credentials information needs to be provided per bucket for use of Amazon S3 Cloud Storage with Camio:

  • Bucket Information: The bucket name (e.g. "acmeproject1_camio_video") for storage.
  • Read Credentials Information: The AWS Access Key ID and AWS Secret Access Key of the IAM user with read permissions to the provided bucket.
  • Write Credentials Information: The AWS Access Key ID and AWS Secret Access Key of the IAM user with write permissions to the provided bucket.

After filling in the required information, navigate to the bottom of the page and click the Save button to save any storage setting changes to your Camio Account. 

When the Save button is pressed, Camio begins immediately storing and serving your video, images, and metadata to and from your own bucket(s).
