Complete the following steps to create a storage bucket in Boundary.
<Tabs>
<Tab heading="UI">
1. Log in to Boundary.
1. Click **Storage Buckets** in the navigation bar.
1. Click **New Storage Bucket**.
1. Complete the following fields to create the Boundary storage bucket:
- **Name**: (Optional) The name field is optional, but if you enter a name it must be unique.
- **Description**: (Optional) An optional description of the Boundary storage bucket for identification purposes.
- **Scope**: (Required) A storage bucket can belong to the Global scope or an Org scope.
It can only associated with targets from the scope it belongs to.
- **Provider**: (Required) The external storage bucket provider.
- **Bucket name**: (Required) Name of the AWS bucket you want to associate with the Boundary storage bucket.
- **Bucket prefix**: (Optional) A base path where session recordings are stored.
- **Region**: (Required) The AWS region to use.
- **Credential type**: (Required) The type of credential you want to use to authenticate to the external storage.
The required fields for creating a storage bucket vary depending on whether you configured the Amazon S3 bucket with static or dynamic credentials:
- **Static**: Authenticates to the storage bucket using an access key that AWS generates.
- **Dynamic**: Authenticates to the storage bucket using credentials that were generated by AWS `AssumeRole`.
<Tabs>
<Tab heading="Static credentials">
- **Access key ID**: (Required) The access key ID that AWS generates for the IAM user to use with the storage bucket.
- **Secret access key**: (Required) The secret access key that AWS generates for the IAM user to use with this storage bucket.
- **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket.
- **Disable credential rotation**: (Optional) Prevents the AWS plugin from automatically rotating credentials.
Although credentials are stored encrypted in Boundary, by default the [AWS plugin](https://github.com/hashicorp/boundary-plugin-aws) attempts to rotate the credentials you provide.
The given credentials are used to create a new credential, and then the original credential is revoked.
After rotation, only Boundary knows the client secret the plugin uses.
</Tab>
<Tab heading="Dynamic credentials">
- **Role ARN**: (Required) The ARN (Amazon Resource Name) role that is attached to the EC2 instance that the self-managed worker runs on.
- **Role external ID**: (Optional) A required value if you delegate third party access to your AWS resources.
For more information, refer to the AWS documentation for [How to use an external ID when granting access to your AWS resources to a third party](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
- **Role session name**: (Optional) A unique identifier for the AWS session.
You can use this value to control how IAM principals and applications name their role sesions when they assume an IAM role.
By providing a session name, you enable tracking session actions in AWS CloudTrail logs.
For more information, refer to the AWS documentation for [Logging IAM and AWS STS API calls with AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html).
- **Role tags**: An object with key-value pair attributes that is passed when you assume an IAM role.
For more information, refer to the AWS documentation for [Passing session tags in AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html).
- **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket.
- **Disable credential rotation**: (Required) Prevents the AWS plugin from automatically rotating credentials.
This option is required if you use dynamic credentials.
</Tab>
</Tabs>
1. Click **Save**.
</Tab>
<Tab heading="CLI">
The required fields for creating a storage bucket depend on whether you configured the Amazon S3 bucket with static or dynamic credentials:
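Review bot: the **Role external ID** item in the Dynamic credentials tab contradicts itself, marking the field `(Optional)` and then calling it `A required value`; reword to something like `(Optional) Required only if you delegate third-party access to your AWS resources.` so readers know it is conditional, not mandatory. Two typos in the same hunk: under **Scope**, `It can only associated with targets` should read `It can only be associated with targets`, and under **Role session name**, `role sesions` should be `role sessions`. The hunk also marks **Disable credential rotation** `(Optional)` in the Static tab but `(Required)` in the Dynamic tab; since the Static tab already explains that the plugin creates a replacement credential and revokes the one you supplied, it would help to add the matching rationale to the Dynamic item (an assumed role yields temporary credentials that the plugin cannot rotate) rather than only stating `This option is required if you use dynamic credentials.`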
@ -100,7 +154,20 @@ The required fields for creating a storage bucket depend on whether you configur
</Tabs>
</Tab>
</Tabs>
</Tab>
<Tab heading="MinIO">
Complete the following steps to create a storage bucket in Boundary.
<Note>
MinIO requires a service account to set up a Boundary storage bucket. Refer to the [Configure MinIO](/boundary/docs/configuration/session-recording/storage-providers/configure-minio#minio-requirements) page to learn more.
</Note>
<Tabs>
<Tab heading="UI">
1. Log in to Boundary.
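Review bot: the MinIO `<Note>` about the service account requirement is placed above the UI/CLI `<Tabs>` here, while the later hunk places an identical `<Note>` inside the CLI tab only; keep a single copy above the `<Tabs>`, as in this hunk, so the requirement is visible whichever tab the reader opens, and drop the duplicate in the CLI tab.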
@ -112,65 +179,19 @@ The required fields for creating a storage bucket depend on whether you configur
- **Scope**: (Required) A storage bucket can belong to the Global scope or an Org scope.
It can only associated with targets from the scope it belongs to.
- **Provider**: (Required) The external storage bucket provider.
- **Endpoint URL**: (Required) The fully-qualified endpoint pointing to a MinIO S3 API.
- **Bucket name**: (Required) Name of the AWS bucket you want to associate with the Boundary storage bucket.
- **Bucket prefix**: (Optional) A base path where session recordings are stored.
- **Region**: (Required) The AWS region to use.
- **Credential type**: (Required) The type of credential you want to use to authenticate to the external storage.
The required fields for creating a storage bucket vary depending on whether you configured the Amazon S3 bucket with static or dynamic credentials:
- **Static**: Authenticates to the storage bucket using an access key that AWS generates.
- **Dynamic**: Authenticates to the storage bucket using credentials that were generated by AWS `AssumeRole`.
<Tabs>
<Tab heading="Static credentials">
- **Access key ID**: (Required) The access key ID that AWS generates for the IAM user to use with the storage bucket.
- **Secret access key**: (Required) The secret access key that AWS generates for the IAM user to use with this storage bucket.
- **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket.
- **Disable credential rotation**: (Optional) Prevents the AWS plugin from automatically rotating credentials.
Although credentials are stored encrypted in Boundary, by default the [AWS plugin](https://github.com/hashicorp/boundary-plugin-aws) attempts to rotate the credentials you provide.
The given credentials are used to create a new credential, and then the original credential is revoked.
After rotation, only Boundary knows the client secret the plugin uses.
</Tab>
<Tab heading="Dynamic credentials">
- **Role ARN**: (Required) The ARN (Amazon Resource Name) role that is attached to the EC2 instance that the self-managed worker runs on.
- **Role external ID**: (Optional) A required value if you delegate third party access to your AWS resources.
For more information, refer to the AWS documentation for [How to use an external ID when granting access to your AWS resources to a third party](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
- **Role session name**: (Optional) A unique identifier for the AWS session.
You can use this value to control how IAM principals and applications name their role sesions when they assume an IAM role.
By providing a session name, you enable tracking session actions in AWS CloudTrail logs.
For more information, refer to the AWS documentation for [Logging IAM and AWS STS API calls with AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html).
- **Role tags**: An object with key-value pair attributes that is passed when you assume an IAM role.
For more information, refer to the AWS documentation for [Passing session tags in AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html).
- **Region**: (Optional) The region to configure the storage bucket for.
- **Access key ID** (Required): The MinIO service account's access key to use with this storage bucket.
- **Secret access key** (Required): The MinIO service account's secret key to use with this storage bucket.
- **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket.
- **Disable credential rotation**: (Required) Prevents the AWS plugin from automatically rotating credentials.
This option is required if you use dynamic credentials.
</Tab>
</Tabs>
- **Disable credential rotation**: (Optional) Controls whether the plugin will rotate the incoming credentials and manage a new MinIO service account. If this attribute is set to false, or not provided, the plugin will rotate the incoming credentials, using them to create a new MinIO service account, then delete the incoming credentials.
1. Click **Save**.
</Tab>
</Tabs>
</Tab>
<Tab heading="MinIO">
Complete the following steps to create a storage bucket in Boundary.
<Tabs>
<Tab heading="CLI">
<Note>
MinIO requires a service account to set up a Boundary storage bucket. Refer to the [Configure MinIO](/boundary/docs/configuration/session-recording/storage-providers/configure-minio#minio-requirements) page to learn more.
</Note>
1. Log in to Boundary.
1. Use the following command to create a storage bucket in Boundary:
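Review bot: the MinIO UI field list in this hunk still carries AWS-specific content that does not apply to a MinIO service account: **Bucket name** is described as `Name of the AWS bucket`, **Region** as `The AWS region to use`, and the nested Static/Dynamic credential `<Tabs>` (Role ARN, Role external ID, Role session name, Role tags, AWS `AssumeRole`) describe AWS IAM role assumption, which the MinIO `<Note>` rules out by requiring a service account. Whichever of these lines are on the added side should be removed so the list matches the later MinIO UI tab (Endpoint URL, Bucket name, Region, Access key ID, Secret access key, Worker filter, Disable credential rotation). **Disable credential rotation** also appears twice, once as `(Required)` inside the Dynamic tab and once as `(Optional)` after `</Tabs>`; only the MinIO-specific `(Optional)` description should remain. Under **Scope**, `It can only associated` needs `be`, as in the AWS hunk above.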
@ -199,28 +220,6 @@ Complete the following steps to create a storage bucket in Boundary.
- `access_key_id` (Required): The MinIO service account's access key to use with this storage bucket.
- `secret_access_key` (Required): The MinIO service account's secret key to use with this storage bucket.
</Tab>
<Tab heading="UI">
1. Log in to Boundary.
1. Click **Storage Buckets** in the navigation bar.
1. Click **New Storage Bucket**.
1. Complete the following fields to create the Boundary storage bucket:
- **Name**: (Optional) The name field is optional, but if you enter a name it must be unique.
- **Description**: (Optional) An optional description of the Boundary storage bucket for identification purposes.
- **Scope**: (Required) A storage bucket can belong to the Global scope or an Org scope.
It can only associated with targets from the scope it belongs to.
- **Provider**: (Required) The external storage bucket provider.
- **Endpoint URL**: (Required) The fully-qualified endpoint pointing to a MinIO S3 API.
- **Bucket name**: (Required) Name of the AWS bucket you want to associate with the Boundary storage bucket.
- **Region**: (Optional) The region to configure the storage bucket for.
- **Access key ID** (Required): The MinIO service account's access key to use with this storage bucket.
- **Secret access key** (Required): The MinIO service account's secret key to use with this storage bucket.
- **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket.
- **Disable credential rotation**: (Optional) Controls whether the plugin will rotate the incoming credentials and manage a new MinIO service account. If this attribute is set to false, or not provided, the plugin will rotate the incoming credentials, using them to create a new MinIO service account, then delete the incoming credentials.
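Review bot: **Bucket name** in the MinIO UI tab still reads `Name of the AWS bucket`; it should name the MinIO bucket, since this tab is for the MinIO provider. Under **Scope**, `It can only associated with targets` should read `It can only be associated with targets`. The `(Required)` marker on **Access key ID** and **Secret access key** sits before the colon, unlike every other item in the list; align them to `**Access key ID**: (Required) ...` and `**Secret access key**: (Required) ...`. The **Disable credential rotation** description would also be clearer about the operational consequence: because the plugin creates a new MinIO service account and then deletes the incoming credentials, the service account keys you enter here stop working after rotation and must not be shared with any other system; the current sentence implies this but does not say it.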