From c0538bd074b034d8c638282a4015b7d88c66a53c Mon Sep 17 00:00:00 2001 From: Irena Rindos Date: Wed, 14 Jun 2023 11:18:20 -0400 Subject: [PATCH] docs: Update storage bucket worker requirement (#3320) * docs: Update storage bucket worker requirement * docs: Minor copy edits --------- Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> --- .../session-recording/create-storage-bucket.mdx | 9 ++++++--- .../docs/configuration/worker/pki-worker.mdx | 17 ++++++++++++++++- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx index 2300c7a452..97355d4c85 100644 --- a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx +++ b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx @@ -21,11 +21,12 @@ For more information about using session recording to audit user sessions, refer **Requirements**: - An AWS S3 storage bucket -- A Boundary PKI worker with access to the AWS S3 storage bucket At this time, the only supported storage for storage buckets is AWS S3. In AWS S3, a storage bucket contains the bucket name, region, and optional prefix, as well as any credentials needed to access the bucket, such as the access and secret key. +- A Boundary PKI worker with access to the AWS S3 storage bucket + This worker must be configured with a local recording storage path, defined as `recording_storage_path`. For more details, refer to [PKI workers](/boundary/docs/configuration/worker/pki-worker). - An AWS IAM role policy with the following statement: ```json { 
@@ -68,9 +69,11 @@ Complete the following steps to create a storage bucket for session recording: Replace the values above with the following required AWS secrets and any optional [attributes](/boundary/docs/concepts/domain-model/storage-buckets) you want to associate with the storage bucket: - `region`: (Required) The AWS region to use. + - `bucket-name`: (Required) Name of the bucket in AWS. - `access_key_id`: (Required) The AWS access key to use. - `secret_access_key_id`: (Required) The AWS secret access key to use. This attribute contains the secret access key for static credentials. + - `worker-filter`: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a storage bucket. - `shared_credentials_file`: (Optional) The shared credentials file to use. - `shared_credentials_profile`: (Optional) The profile name to use in the shared credentials file. 
@@ -91,7 +94,7 @@ Complete the following steps to create a storage bucket for session recording: - **Region**: (Required) The AWS region to use. - **Access key ID**: (Required) The access key ID that AWS generates for the IAM user to use with the storage bucket. - **Secret access key**: (Required) The secret access key that AWS generates for the IAM user to use with this storage bucket. - - **Worker filter** (Required) A filter that indicated which Boundary workers have access to the storage. + - **Worker filter** (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a storage bucket. - **Disable credential rotation** (Optional) Although credentials are stored encrypted within Boundary, by default the [AWS plugin](https://github.com/hashicorp/boundary-plugin-aws) attempts to rotate the credentials you provide. The given credentials are used to create a new credential, and then the original credential is revoked. After rotation, only Boundary knows the client secret the plugin uses. Select this option to disable this behavior and prevent the automatic rotation of credentials. @@ -102,4 +105,4 @@ Complete the following steps to create a storage bucket for session recording: Boundary creates the storage bucket and provides you with the bucket's ID. -Once the storage bucket is created, you can use the bucket's ID to [enable session recording on targets](/boundary/docs/configuration/session-recording/enable-session-recording). \ No newline at end of file +Once the storage bucket is created, you can use the bucket's ID to [enable session recording on targets](/boundary/docs/configuration/session-recording/enable-session-recording). diff --git a/website/content/docs/configuration/worker/pki-worker.mdx b/website/content/docs/configuration/worker/pki-worker.mdx index 45774a3d8c..9cb475650a 100644 --- a/website/content/docs/configuration/worker/pki-worker.mdx 
+++ b/website/content/docs/configuration/worker/pki-worker.mdx @@ -73,7 +73,22 @@ kms "aead" { } ``` +## Session recording (HCP/ENT) +[Session recording](/boundary/docs/configuration/session-recording) requires at least one PKI worker with access to local and remote storage. +PKI workers used for session recording require an accessible directory defined by `recording_storage_path` for +storing in-progress session recordings. On session closure, a local session recording is moved to remote storage and +deleted locally. + +Development example: + +```hcl +worker { + auth_storage_path="/boundary/demo-worker-1" + initial_upstreams = ["10.0.0.1"] + recording_storage_path="/local/storage/directory" +} +``` + ~> **Note:** `name` and `description` fields are not valid config fields for PKI workers. These fields are only valid for [KMS Workers](/boundary/docs/configuration/worker/kms-worker). `name` and `description` can only be set for PKI workers through the API. -
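Review bot: In the first `create-storage-bucket.mdx` hunk (`@@ -21,11 +21,12 @@`), the moved bullet `+- A Boundary PKI worker with access to the AWS S3 storage bucket` now sits after the unindented paragraph `At this time, the only supported storage for storage buckets is AWS S3. ...`, which means the Requirements list is interrupted by a paragraph and will render as two separate lists (the S3 bucket on its own, then the worker and IAM policy). Either indent that paragraph under the first bullet so it stays part of the list, or move it back below all of the requirements; the new sub-line `This worker must be configured with a local recording storage path, defined as \`recording_storage_path\`.` should also be indented to attach to its bullet rather than float as a paragraph of its own.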
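Review bot: The second `create-storage-bucket.mdx` hunk (`@@ -68,9 +69,11 @@`) adds `bucket-name` and `worker-filter` with hyphens while every neighbouring attribute in the same list (`access_key_id`, `secret_access_key_id`, `shared_credentials_file`, `shared_credentials_profile`) uses underscores; since readers copy these names into the command, please confirm the actual attribute keys and use one spelling consistently. Separately, `worker-filter` is placed under the lead-in "the following required AWS secrets and any optional attributes", but it is neither an AWS secret nor optional; consider stating explicitly that the filter must match a worker that has `recording_storage_path` configured (as the pki-worker hunk in this same patch requires), otherwise "must match an existing worker" leaves the reader to guess which workers qualify.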
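Review bot: In the `pki-worker.mdx` hunk (`@@ -73,7 +73,22 @@`), "an accessible directory defined by `recording_storage_path`" does not say accessible to whom or for what; the surrounding sentence makes clear the worker writes in-progress recordings there and later deletes them, so state that the path must exist and be writable by the worker process and sized for the recordings held until "session closure", which is the operational detail an administrator needs before enabling the feature. The example block also mixes styles: `auth_storage_path="/boundary/demo-worker-1"` and `recording_storage_path="/local/storage/directory"` have no spaces around `=`, while `initial_upstreams = ["10.0.0.1"]` does; align them with the existing config examples in this file.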