Amazon AppStream
Developer Guide

This documentation is for an older version of Amazon AppStream. For information about the latest version, see the Amazon AppStream 2.0 Developer Guide.

Amazon AppStream Sample Entitlement Service

The Amazon AppStream SDK includes a sample entitlement service with source code that you can use with your streaming application. The source code is available from the links in Downloads.

You can deploy the sample entitlement service by completing the following tasks:

Step 1: Create a Key Pair

Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password; the recipient then uses the private key to decrypt the data. The public and private keys are known as a key pair.

To deploy the sample entitlement service, you need a key pair. You can use an existing key pair that is stored in the same region where you will deploy the sample entitlement service. If you want to use an existing key pair, go to Step 2: Create a Custom Policy with the Required Permissions.

If you do not have a key pair, use the following procedure to create one.

To create a key pair

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the region selector in the top navigation bar, select the region where you want to deploy your streaming application.

  3. In the navigation pane, click Key Pairs.

  4. Click Create Key Pair.

  5. For Key pair name, enter a name and then click Create.

  6. The private key file (KeyPairName.pem) is automatically downloaded by your browser. Save the private key file in a safe place.

    Important

    This is the only chance for you to save the private key file. You will need this file to connect to the instance you will create in the next step.

Your new key pair appears in the Amazon EC2 console. In the next step, you will create a group or user with the correct permissions that will deploy the sample entitlement service.

For more information about key pairs, see Creating Your Key Pair Using Amazon EC2 in the Amazon Elastic Compute Cloud User Guide.

Step 2: Create a Custom Policy with the Required Permissions

After you create a key pair, you need to create a policy with the appropriate permissions that a group or user will use to deploy the entitlement service. You create this policy in the AWS Identity and Access Management (IAM) service. IAM is a web service that enables AWS customers to manage group or user permissions in AWS.

To create a policy to deploy the entitlement service

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Policies and then click Create Policy.

  3. In Create Your Own Policy, click Select.

  4. In Review Policy, do the following:

    1. For Policy Name, type a name to identify this policy. The name will appear in the AWS CloudFormation console.

    2. Leave Description blank.

    3. For Policy Document, copy and paste the following:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1403040000000",
            "Effect": "Allow",
            "Action": [
              "appstream:CreateSession",
              "appstream:GetApiRoot",
              "appstream:GetApplication",
              "appstream:GetApplications",
              "appstream:GetApplicationStatus",
              "appstream:GetSession",
              "appstream:GetSessions",
              "appstream:GetSessionStatus",
              "appstream:UpdateSessionState"
            ],
            "Resource": [ "*" ]
          },
          {
            "Sid": "Stmt1403040053000",
            "Effect": "Allow",
            "Action": [ "dynamodb:*" ],
            "Resource": [ "*" ]
          },
          {
            "Sid": "Stmt1403040077000",
            "Effect": "Allow",
            "Action": [ "s3:GetObject" ],
            "Resource": [ "*" ]
          }
        ]
      }

    4. Click Create Policy.
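
The policy document in this step allows `dynamodb:*` and `s3:GetObject` on every resource. The following Python code is an added example, not part of the AWS guide or the AppStream SDK: it lists each Allow statement in a policy document whose Resource is `"*"` and marks the ones that also use a wildcard action, so the grants can be reviewed before the policy is attached to a group. The name `find_broad_grants` is an assumption made for this example; the embedded policy is the one from this page.

```python
import json

# Policy document from Step 2 of this page, embedded so the check runs offline.
POLICY_JSON = """
{"Version": "2012-10-17", "Statement": [
  {"Sid": "Stmt1403040000000", "Effect": "Allow",
   "Action": ["appstream:CreateSession", "appstream:GetApiRoot",
              "appstream:GetApplication", "appstream:GetApplications",
              "appstream:GetApplicationStatus", "appstream:GetSession",
              "appstream:GetSessions", "appstream:GetSessionStatus",
              "appstream:UpdateSessionState"],
   "Resource": ["*"]},
  {"Sid": "Stmt1403040053000", "Effect": "Allow",
   "Action": ["dynamodb:*"], "Resource": ["*"]},
  {"Sid": "Stmt1403040077000", "Effect": "Allow",
   "Action": ["s3:GetObject"], "Resource": ["*"]}
]}
"""

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def find_broad_grants(policy):
    """Return (sid, kind, actions) for each Allow statement whose Resource is "*".

    kind is "wildcard-action" when any action also contains "*" (for example
    "dynamodb:*"), otherwise "wildcard-resource". Statements that use
    NotAction or NotResource are outside the scope of this example.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        actions = _as_list(stmt.get("Action", []))
        wild = [a for a in actions if "*" in a]
        kind = "wildcard-action" if wild else "wildcard-resource"
        findings.append((stmt.get("Sid"), kind, wild or actions))
    return findings

if __name__ == "__main__":
    for sid, kind, actions in find_broad_grants(json.loads(POLICY_JSON)):
        print(f"{sid}: {kind}: {', '.join(actions)}")
```

A statement scoped to a specific ARN, such as a single S3 bucket or DynamoDB table, produces no finding.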

Step 3: Create a Group and a User to Deploy the Entitlement Service

After creating the policy, you will need a user or group with that policy. You can use an existing group or user to deploy the sample entitlement service by adding the appropriate permissions.

To create a group with the required permissions

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Groups and then click Create New Group.

  3. In the Group Name box, type the name of this new group and click Next Step.

  4. In Filter of Attach Policy, select Customer Managed Policies, select your policy, and then click Next Step.

  5. In Review, check that you selected the correct policy and then click Create Group.

To create a user and add that user to the group

  1. In the navigation pane, click Users and then click Create New Users.

  2. For Enter User Names, type a name for your user. Select Generate an access key for each user and then click Create.

  3. In the Create User dialog box, click Download Credentials and save the file to a safe place. The comma-separated values file contains the access key and secret key that you will need to deploy the sample entitlement service.

    Important

    Store this information in a secure place. This is the only time you will be able to get the secret key. If you lose this information, you will need to create a new access key and secret key.

  4. Click Close.

  5. In the navigation pane, click Groups, and then click the name of the group.

  6. In Summary, click Add Users to the Group.

  7. Click Add Users to Group. Select the user you created in the previous step and then click Add Users.

Verify that your user is a member of this group.

Step 4: Deploy the Sample Entitlement Service

You will use AWS CloudFormation to deploy the sample entitlement service. When deployment is complete, you will get the URL for the entitlement service. You will need the URL to configure the entitlement service and connect the client application to the streaming application.

To deploy the sample entitlement service on AWS CloudFormation

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. Click Actions and then click Create Stack or Create New Stack.

  3. On the Select Template page, do the following:

    1. For Name under Stack, type a name for the entitlement service.

    2. For Source, select Specify an Amazon S3 template URL and then type https://s3.amazonaws.com/appstream-sdk/appstreamEntitlementService.template.

    3. Click Next.

  4. In Specify Parameters, do the following:

    1. For KeyName, type the name of your key pair.

    2. For Password, type a password with at least eight characters that meets the following requirements:

      • Contain one number, one letter, and one special character.

      • Contain one special character (@, #, $, %, ^, &, +, or =).

      • Must not contain any spaces.

    3. For UserAccessKey, type the Access Key Id of the user you created in the previous step. This value is in the credential file that you downloaded and stored in a safe place when you created the user.

    4. For UserSecretKey, type the Secret Access Key of the user you created in the previous step.

    5. Click Next.

  5. On the Options page, click Next.

  6. On the Review page, review the values for the configuration of the stack and then click Create to launch the stack.

This process may take several minutes to complete. While the stack is launching, its status is set to CREATE_IN_PROGRESS.

When the status of your stack changes to CREATE_COMPLETE, your entitlement service is deployed and ready to use. You will need to get the URL of the entitlement service to connect your client application to your streaming application.

To locate the URL of the sample entitlement service

  1. In the AWS CloudFormation console, select the sample entitlement service you just deployed.

  2. Click the down arrow in the Events tab and click Outputs to display details about the stack at the bottom of the browser window. The PublicDNS key displays the URL of the sample entitlement service.

Step 5: Configure the Sample Entitlement Service

After you have successfully deployed the sample entitlement service, you need to configure this service to allow specific users to connect to your streaming application. The sample entitlement service is on a host with port 8080 open. To configure the entitlement service, go to http://publicDNS:8080/web/ to open the configuration page.

Important

Always include a trailing forward slash ("/") at the end of the URL to access the entitlement service.

To configure the sample entitlement service

  1. Make a list with the User IDs and email addresses of the users who will connect to your streaming application.

  2. In a browser, open http://publicDNS:8080/web/.

    Note

    If you cannot open the configuration page, see Sample Entitlement Service Problems for more information.

  3. For PIN, type the entitlement service password and click Sign In.

  4. In the Entitlement Service Sample page, click Grant access only to users listed below.

  5. For each user that you want to connect to the streaming application, type their User ID, Name, and email address, select All Entitlements, and click Add User. The users you add to this page can connect to your streaming application. Other users will receive an error message.

    By default, the email address of the AWS account that created the entitlement service and the email address user@domain.com can connect to the streaming application.

After you configure the sample entitlement service, send the Public DNS of the entitlement service to the users who will connect to the streaming application.