diff --git a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx index 75ef87f682..1d0b2c9f81 100644 --- a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx +++ b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx @@ -19,12 +19,17 @@ For more information about using session recording to audit user sessions, refer ### Create a storage bucket -Complete the following steps to create a storage bucket in Boundary for session recording: +Select a storage provider. + + + + +Complete the following steps to create a storage bucket in Boundary. -The required fields for creating a storage bucket vary depending on whether you configured the AWS S3 bucket with static or dynamic credentials: +The required fields for creating a storage bucket depend on whether you configured the Amazon S3 bucket with static or dynamic credentials: @@ -65,11 +70,11 @@ The required fields for creating a storage bucket vary depending on whether you ```shell-session $ boundary storage-buckets create \ - -bucket-name mybucket1 \ + -bucket-name mys3bucket \ -plugin-name aws \ - -worker-filter ‘“dev” in “/tags/type”’ \ - -attributes ‘{“region”:”us-east-1”,”disable_credential_rotation”:true,"role_arn":"arn:aws:iam::123456789012:role/S3Access"}’ \ - -scope-id o_1234567890 + -scope-id o_1234567890 \ + -worker-filter ‘“s3” in “/tags/type”’ \ + -attributes ‘{“region”:”us-east-1”,”disable_credential_rotation”:true,"role_arn":"arn:aws:iam::123456789012:role/S3Access"}’ ``` Replace the values above with the following required AWS secrets and any optional [attributes](/boundary/docs/concepts/domain-model/storage-buckets) you want to associate with the Boundary storage bucket: 
@@ -99,18 +104,19 @@ The required fields for creating a storage bucket vary depending on whether you 1. Log in to Boundary. -1. Select **Storage Buckets** in the navigation bar. -1. Select **New Storage Bucket**. +1. Click **Storage Buckets** in the navigation bar. +1. Click **New Storage Bucket**. 1. Complete the following fields to create the Boundary storage bucket: - **Name**: (Optional) The name field is optional, but if you enter a name it must be unique. - **Description**: (Optional) An optional description of the Boundary storage bucket for identification purposes. - **Scope**: (Required) A storage bucket can belong to the Global scope or an Org scope. It can only associated with targets from the scope it belongs to. + - **Provider**: (Required) The external storage bucket provider. - **Bucket name**: (Required) Name of the AWS bucket you want to associate with the Boundary storage bucket. - **Bucket prefix**: (Optional) A base path where session recordings are stored. - **Region**: (Required) The AWS region to use. - **Credential type**: (Required) The type of credential you want to use to authenticate to the external storage. - The required fields for creating a storage bucket vary depending on whether you configured the AWS S3 bucket with static or dynamic credentials: + The required fields for creating a storage bucket vary depending on whether you configured the Amazon S3 bucket with static or dynamic credentials: - **Static**: Authenticates to the storage bucket using an access key that AWS generates. - **Dynamic**: Authenticates to the storage bucket using credentials that were generated by AWS `AssumeRole`. 
@@ -146,7 +152,77 @@ The required fields for creating a storage bucket vary depending on whether you -1. Select **Save**. +1. Click **Save**. + + + + + + + +Complete the following steps to create a storage bucket in Boundary. + + + + + + + MinIO requires a service account to set up a Boundary storage bucket. Refer to the [Configure MinIO](/boundary/docs/configuration/session-recording/storage-providers/configure-minio#minio-requirements) page to learn more. + + + +1. Log in to Boundary. +1. Use the following command to create a storage bucket in Boundary: + + ```shell-session + $ boundary storage-buckets create \ + -bucket-name myminiobucket \ + -plugin-name minio \ + -scope-id o_1234567890 \ + -bucket-prefix="foo/bar/zoo" \ + -worker-filter '"minio" in "/tags/type"' \ + -attr endpoint_url="https://my-minio-instance.dev/s3-api" \ + -attr region="REGION" \ + -attr disable_credential_rotation=true \ + -secret access_key_id="KEY" \ + -secret secret_access_key="SECRET" + ``` + + Replace the values above with the following required secrets and any optional [attributes](/boundary/docs/concepts/domain-model/storage-buckets) you want to associate with the Boundary storage bucket: + + - `endpoint_url` (Required): Fully-qualified endpoint pointing to a MinIO S3 API. + - `bucket-name`: (Required) Name of the MinIO bucket you want to associate with the Boundary storage bucket. + - `region`: (Optional) The region to configure the storage bucket for. + - `worker-filter`: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - `disable_credential_rotation`: (Optional) Controls whether the plugin will rotate the incoming credentials and manage a new MinIO service account. If this attribute is set to `false`, or not provided, the plugin will rotate the incoming credentials to create a new MinIO service account, then delete the incoming credentials. 
+ This option must be set to `true` if you use dynamic credentials. + - `access_key_id` (Required): The MinIO service account's access key to use with this storage bucket. + - `secret_access_key` (Required): The MinIO service account's secret key to use with this storage bucket. + + + + +1. Log in to Boundary. +1. Click **Storage Buckets** in the navigation bar. +1. Click **New Storage Bucket**. +1. Complete the following fields to create the Boundary storage bucket: + - **Name**: (Optional) The name field is optional, but if you enter a name it must be unique. + - **Description**: (Optional) An optional description of the Boundary storage bucket for identification purposes. + - **Scope**: (Required) A storage bucket can belong to the Global scope or an Org scope. + It can only associated with targets from the scope it belongs to. + - **Provider**: (Required) The external storage bucket provider. + - **Endpoint URL**: (Required) The fully-qualified endpoint pointing to a MinIO S3 API. + - **Bucket name**: (Required) Name of the AWS bucket you want to associate with the Boundary storage bucket. + - **Region**: (Optional) The region to configure the storage bucket for. + - **Access key ID** (Required): The MinIO service account's access key to use with this storage bucket. + - **Secret access key** (Required): The MinIO service account's secret key to use with this storage bucket. + - **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - **Disable credential rotation**: (Optional) Controls whether the plugin will rotate the incoming credentials and manage a new MinIO service account. If this attribute is set to false, or not provided, the plugin will rotate the incoming credentials, using them to create a new MinIO service account, then delete the incoming credentials. + +1. Click **Save**. + + +
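Review bot: In the `@@ -19,12 +19,17 @@` hunk, the re-added `-worker-filter` and `-attributes` lines of the S3 example still use typographic quotes (‘ ’ and “ ”), which a shell does not treat as quoting characters and which are not valid JSON string delimiters, so the command does not work when copied from the page. Replace them with straight quotes, as the new MinIO example already does (`-worker-filter '"minio" in "/tags/type"'`). The `-attributes` value also mixes both styles in one JSON object (`”disable_credential_rotation”:true,"role_arn":...`), so the whole value needs normalizing, not just the outer quotes.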
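Review bot: In the `@@ -99,18 +104,19 @@` hunk, the sentence under **Credential type** is updated to "Amazon S3" but keeps "vary depending on", while the same sentence in the first hunk was changed to "depend on". Use one wording in both places. The unchanged **Scope** line just above the new **Provider** field reads "It can only associated with targets", which is missing "be" and is worth fixing in the same pass, since this change copies that line into the MinIO tab.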
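Review bot: In the `@@ -146,7 +152,77 @@` hunk, the `disable_credential_rotation` description for MinIO ends with "This option must be set to `true` if you use dynamic credentials", but the MinIO tab documents only a service account access key and secret key and offers no dynamic credential type, so the sentence reads as carried over from the S3 text. Either remove it or state what it means for MinIO. The CLI example also sets `disable_credential_rotation=true` without comment, while the description says rotation is what replaces and deletes the incoming credentials, so a line explaining when a reader should keep rotation enabled would help. Two smaller points in the same hunk: the UI list describes **Bucket name** as "Name of the AWS bucket" where the CLI list correctly says MinIO bucket, and the example passes `-secret secret_access_key="SECRET"` inline, which puts the key in shell history and the process list. Consider showing the secret read from an environment variable or a file instead.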