Boundary
Create a storage bucket
Enterprise
This feature requires HCP Boundary Plus or Boundary Enterprise
User sessions can be recorded and audited using Boundary 0.13 or greater. A Boundary resource known as a storage bucket is used to store the recorded sessions. The storage bucket represents a bucket in an external storage provider. Before you can enable session recording, you must create one or more storage buckets in Boundary and associate them with the external store.
A storage bucket can only belong to the global scope or an org scope. A storage bucket that is associated with the global scope can be associated with any target. However, a storage bucket in an Org scope can only be associated with targets in a project from the same org scope. Any storage buckets associated with an Org scope are deleted when the org itself is deleted.
For more information about using session recording to audit user sessions, refer to Auditing.
Requirements
Before you create a storage bucket in Boundary, you must:
- Configure workers for storage
- Configure one of the following storage providers:
Create a storage bucket
Select a storage provider.
Complete the following steps to create a storage bucket in Boundary.
Log in to Boundary.
Click Storage Buckets in the navigation bar.
Click New Storage Bucket.
Complete the following fields to create the Boundary storage bucket:
- Name: (Optional) The name field is optional, but if you enter a name it must be unique.
- Description: (Optional) An optional description of the Boundary storage bucket for identification purposes.
- Scope: (Required) A storage bucket can belong to the Global scope or an Org scope. It can only associated with targets from the scope it belongs to.
- Provider: (Required) The external storage bucket provider.
- Bucket name: (Required) Name of the AWS bucket you want to associate with the Boundary storage bucket.
- Bucket prefix: (Optional) A base path where session recordings are stored.
- Region: (Required) The AWS region to use.
- Credential type: (Required) The type of credential you want to use to authenticate to the external storage.
The required fields for creating a storage bucket vary depending on whether you configured the Amazon S3 bucket with static or dynamic credentials:
- Static: Authenticates to the storage bucket using an access key that AWS generates.
- Dynamic: Authenticates to the storage bucket using credentials that were generated by AWS
AssumeRole
.
Access key ID: (Required) The access key ID that AWS generates for the IAM user to use with the storage bucket.
Secret access key: (Required) The secret access key that AWS generates for the IAM user to use with this storage bucket.
Worker filter: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to filter examples to learn about worker tags and filters.
Disable credential rotation: (Optional) Prevents the AWS plugin from automatically rotating credentials.
Although credentials are stored encrypted in Boundary, by default the AWS plugin attempts to rotate the credentials you provide. The given credentials are used to create a new credential, and then the original credential is revoked. After rotation, only Boundary knows the client secret the plugin uses.
Click Save.
Boundary creates the storage bucket resource and provides you with the bucket's ID.
Next steps
After the storage bucket is created in Boundary, you can use the bucket's ID to enable session recording on targets.
Resources
The following docs are relevant to configuring storage buckets: