Foundry Virtual Tabletop features integrated support for AWS S3 file storage which lets you use an AWS account and S3 buckets as a built-in browseable and uploadable storage location for media assets that are used within Foundry VTT. To enable this functionality, you must include an entry in your options.json config file which points towards another JSON file that contains your AWS credentials. If such a file is correctly specified and the AWS user has permission to access S3 buckets, those buckets will be available for use in the File Browser for players who are allowed to use it.


How To Enable S3 Support

Add an entry to the Config/options.json config file, which exists in your user data location, with the key "awsConfig". Its value is a relative or absolute file path pointing to another JSON file containing the following:

{
  "accessKeyId": "YOUR_ACCESS_KEY_ID",
  "secretAccessKey": "YOUR_SECRET_ACCESS_KEY",
  "region": "YOUR_PREFERRED_REGION"
}

Note that the AWS config file may also include other parameters, which are passed to the S3 constructor as described by the JavaScript SDK documentation, including options to support a custom endpoint for working with other S3-compatible services.


How To Restrict Bucket Permissions

You may not wish to allow your AWS account to access all S3 buckets from within Foundry VTT. To avoid this, you should create a specific IAM user whose access credentials are used by Foundry Virtual Tabletop. You can assign an IAM policy to this specific user which only permits access to certain buckets within your overall account. An example IAM policy which allows access to only the bucket named vtt-assets is shown below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }, 
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::vtt-assets",
                "arn:aws:s3:::vtt-assets/*"
            ]
        }
    ]
}

This policy allows the AWS user to list all of the available buckets (but not to see their contents unless specifically allowed). This permission is important so that the Foundry VTT software can discover which buckets may be used. It also grants permission to list the contents of a specific bucket or buckets, in this case the vtt-assets bucket. Lastly, it grants permission to read and write objects in that same vtt-assets bucket. This policy can be modified to allow access to a different set of buckets depending on your use case and needs.

For more information, see the following AWS support page: https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/
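
If you modify the policy above, it is worth checking that it still grants nothing beyond the intended buckets before attaching it to the IAM user. The following is an added example, not part of Foundry VTT or the AWS SDK; the function names and the allowedBuckets parameter are assumptions made for this sketch, which runs under Node.js:

```javascript
// Added example: audit an IAM policy before attaching it to the Foundry VTT user.
// auditPolicy, bucketOf and allowedBuckets are hypothetical names for this sketch.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Bucket name from an S3 ARN such as arn:aws:s3:::vtt-assets/*, or null if not one.
function bucketOf(arn) {
  const m = /^arn:aws:s3:::([^/]+)(\/.*)?$/.exec(arn);
  return m ? m[1] : null;
}

function auditPolicy(policy, allowedBuckets) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return; // Deny statements only narrow access
    if (stmt.NotAction || stmt.NotResource) {
      findings.push(`Statement ${i}: NotAction/NotResource allows everything not listed`);
      return;
    }
    const actions = asArray(stmt.Action);
    for (const a of actions) {
      if (/[*?]/.test(a)) findings.push(`Statement ${i}: wildcard action "${a}"`);
    }
    // s3:ListAllMyBuckets is granted on "*" in the page's policy for bucket discovery.
    const listOnly = actions.length > 0 &&
      actions.every((a) => a.toLowerCase() === "s3:listallmybuckets");
    for (const r of asArray(stmt.Resource)) {
      if (r === "*" && listOnly) continue;
      const bucket = bucketOf(r);
      if (bucket === null || /[*?]/.test(bucket) || !allowedBuckets.includes(bucket)) {
        findings.push(`Statement ${i}: resource "${r}" is outside the allowed buckets`);
      }
    }
  });
  return findings;
}

// The page's policy, reproduced inline, and a constructed over-broad variant.
const pagePolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "s3:ListAllMyBuckets", Resource: "*" },
  { Effect: "Allow",
    Action: ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
    Resource: ["arn:aws:s3:::vtt-assets", "arn:aws:s3:::vtt-assets/*"] },
] };
const broadPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "s3:*", Resource: "*" },
] };

console.log(auditPolicy(pagePolicy, ["vtt-assets"]));  // no findings
console.log(auditPolicy(broadPolicy, ["vtt-assets"])); // two findings
```

An empty result means every Allow statement is confined to the buckets you listed, apart from the bucket-discovery permission.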


Enabling Cross-Origin Resource Sharing (CORS)

In order to use assets out of your S3 bucket from the virtual tabletop, you may need to set a CORS policy. To do this, navigate to the Permissions tab on the S3 bucket management panel. Under the CORS configuration section, apply the following policy:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

For more information, see the following AWS support page: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-cors-configuration.html.