Jessica B. Kelly & The Void Conspiracy

Creating a Self-Hosted Music Storefront using AWS S3 and SendOwl

So with the recent news that BandCamp has been sold – again – many are wondering how they can sell and distribute their music in a way that is more artist-centric and does not rely on big distribution storefronts like BandCamp or SoundCloud. In this blog post by Jessica, she discusses how to do this using AWS and a digital distribution / payment processor company known as SendOwl.

S3 is optional but allows full control over the artifacts, if you do not need this level of control, skip all the AWS / S3 instructions and focus solely on the SendOwl portion of this guide.

This guide assumes that you are running your own website, although Jessica and the conspiracy use WordPress, this can be done with any site in which you can manipulate the HTML.

Step one: CREATE AN AWS ACCOUNT
STEP TWO: CREATE A IAM USER IN AWS WITH NO PERMISSIONS BUT HAVING AN ACCESS KEY / SECRET ACCESS KEY PAIR

Navigate to the IAM console, and add a new user with NO PERMISSIONS NOR ROLES. This is important because in the event the user gets compromised, you do NOT want them to have the keys to the kingdom. Click the create user button from the Users page within IAM to create this user as shown below.

Do NOT grant access to console for this user:

You can select the ‘Add User to Group’ option but do NOT add the user to any groups, we want this user to have as few (zero) permissions as possible.

Review and confirm that the user does not have console access nor permissions.

Click ‘create user’ to finish the process.

From the main Users page, click the user and then copy the ARN of the user, sticking it somewhere where you can refer to it shortly. Note, I’ve intentionally cut off part of the ARN in the screenshot below.

Next, under the ‘Security Credentials’ tab, we will need to create an Access Key / Secret Access Key pair. Click the ‘Create Access Key’ button and then select CLI for the use case.

After creating the Access Keys, COPY AND SECURE IN A TEXT FILE OR SOMEWHERE ELSE THE VALUES OF THE ACCESS KEY AND SECRET ACCESS KEY. THIS INFORMATION WILL NOT BE SHOWN TO YOU EVER AGAIN IN AWS AND IS CRITICAL FOR THE REST OF WHAT WE WILL DO

Ok, now that you have the ARN of the user you created as well as the keys, we can begin setting up the S3 bucket, the place where your mastered files will live, ultimately secured from intruding eyes.

STEP THREE: CREATE THE S3 BUCKET

In S3, create a bucket by clicking the ‘Create Bucket’ button.

Give the bucket a name and take all default settings except versioning, which you should set to true, so that in the event of an oopsie, you can rollback the contents of the bucket to a known good state. The availability zone for your media should be geographically close to where your site is hosted, if possible, but doesn’t matter too much as long as you remember which you picked.

Once you have the bucket created, go ahead and upload your files. I recommend .zips as the digital distribution / payment processor will serve up one file per purchase.

Ok, while your files are uploading, let’s navigate to SendOwl. Create an account if you haven’t already and then lets add a product (such as an album!)

First go to settings and set up the S3 access for your account. Click the ‘Self-hosted S3 key’ under Self-hosting and uploads in the Digital Files and orders section.

Enter in the access key and the secret access key from your non-privileged user. Don’t worry, we will configure S3 to use the key for read-only access shortly.

Now, let’s head back to S3 as your files should be uploaded by now, right?

Go to the permissions for the bucket you created (click the bucket and then the permissions tab from S3). We will want to update the bucket policy to allow read access for the user we created. Since the user has access keys, and SendOwl is using those access keys, SendOwl can fetch securely the files in your bucket!

Enter in the following for the bucket policy, replacing <USER> with the ARN for your user that you copied earlier, and replacing <BUCKET> with the name of your bucket, but keeping the trailing ‘/*’

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Read Access to s3 bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<USER>"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "<BUCKET>/*"
        }
    ]
}

Save your changes, and now let’s grab the URL (by selecting the zip and then hitting the copy url button) of the S3-hosted file itself and head back to SendOwl.

STEP FOUR: ADD THE LINK TO THE ALBUM IN SENDOWL THAT THEY WILL USE TO PULL FROM S3

Add a product with ‘Enter URL’ selected and enter the URL of the .zip you copied from above.

Issue yourself a ‘free order’ and verify the download works.

At this point it is ALSO good to verify that hitting the URL directly in a browser DOES NOT work. Do this now. You should get a gross-looking page that says ‘access denied.’

Finally, if you are using WordPress you can find instructions for setting up a quick and easy checkout button via this help article SendOwl provides, but really the same instructions easily apply to anything you can get at the HTML for: https://help.sendowl.com/help/wordpress

STEP FIVE: OOH PRETTY

Voila, you now control your destiny!

Jessica Kelly

,