This is for those who have their own AWS account and probably haven't heard of this neat feature.
For some time Amazon have offered IAM (Identity and Access Management) for when you wanted to grant limited access to a server/process. This avoided the danger of exposing your main AWS api keys which are the keys to the kingdom. Asking for non IAM keys is considered a big no-no .
IAM is great - but you still can't hand out IAM keys willy nilly. This means that traditionally, if you wanted users to upload content to one of your s3 buckets, or access one of your SQS queues - you should do it via a server app that authenticates your users - and then talks to the AWS services.
However, with a "token vending machine" you can actually have access direct from client devices (mobiles/cell phones, browsers, client apps) directly to AWS services. Take a look at the following as I try to explain this:
There are sample apps provided by amazon that show how to do this (but fear not, clickstarts are provided that set this up for you!). The Token Vending Machine runs as a service that the client devices connect to - obtaining a limited (in time, and access) token - and then accessing, directly, via the AWS apis, the Amazon services!
This is pretty powerful - there is a lot of interest in the mobile space for "backends as a service" and this gives you a way to use Amazon services, where they suit, directly as backends, securely.
Mark P spent quite a bit of time digging this up and you can read more about his findings here .
Of course - the clickstarts are available that set this up, hosted in your CloudBees account: both for anonymous clients and authenticated clients. Once you have one of these running, you will need your IAM credentials and then look at the client code to access them to obtain the tokens (read on ).