layout: docs
page_title: Configure MinIO
description: How to configure MinIO as a storage provider for Boundary session recording.

Configure MinIO as a storage provider

This feature requires HCP Boundary or Boundary Enterprise

This page describes how to configure MinIO as a storage provider for session recording with Boundary.

Requirements

Before you can create a storage bucket in Boundary, you must ensure that your environment meets certain requirements.

Session recording requires specific configuration for both the external storage provider and the Boundary worker.

Refer to Configure workers for session recording to learn about configuring self-managed workers for session recording.

When you determine storage requirements for the external bucket, you should consider:

MinIO requirements

  • A MinIO storage bucket

    You must associate the Boundary storage bucket with a MinIO storage bucket. A Boundary MinIO storage bucket contains the bucket name, endpoint URL, optional region, optional prefix, and the service account credentials needed to access the bucket. Credential rotation requires a MinIO service account, so you cannot add a Boundary storage bucket without one. You can disable credential rotation when you create the Boundary storage bucket.

    At this time, the NetBSD operating system is not supported for the MinIO storage bucket.

  • A MinIO service account and access keys

    You must provide service account access keys when you configure a Boundary storage bucket later on.

    Refer to the MinIO Access Keys documentation page to learn how to set up a MinIO service account.

  • A MinIO storage bucket must be configured with R/W access. If you use a restricted IAM user policy, the following policy actions must be allowed at a minimum.

    {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:GetObjectAttributes",
              "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::test-session-recording-bucket/*"
         },
         {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::test-session-recording-bucket"
         }
      ]
    }

  • HashiCorp recommends that you enable credential rotation. To enable credential rotation, use the following service account policy:

    {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:GetObjectAttributes",
              "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::test-session-recording-bucket/*"
         },
         {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::test-session-recording-bucket"
         },
         {
            "Action": [
              "admin:CreateServiceAccount",
              "admin:RemoveServiceAccount"
            ],
            "Effect": "Allow"
         }
      ]
    }
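
The following check is an added example, not part of the Boundary or MinIO documentation: it reports which of the actions listed above a candidate policy fails to grant on the bucket before you attach it to the service account. The function names, the `prefix` parameter, and the sample policy are assumptions made for illustration, and wildcard matching is approximated with `fnmatch`.

```python
import json
from fnmatch import fnmatchcase

OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:GetObjectAttributes", "s3:DeleteObject"]
BUCKET_ACTIONS = ["s3:ListBucket"]
ROTATION_ACTIONS = ["admin:CreateServiceAccount", "admin:RemoveServiceAccount"]

def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _allowed(policy, action, resource=None):
    """True if some Allow statement covers the action (and resource, if given).
    Wildcards are approximated with fnmatch; Deny and Condition are ignored."""
    stmts = policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action"))):
            continue
        if resource is None or any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource"))):
            return True
    return False

def missing_permissions(policy, bucket, rotation=True, prefix=""):
    """Return the page's required actions that the policy does not grant."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}example-object"  # constructed object key
    missing = [a for a in OBJECT_ACTIONS if not _allowed(policy, a, object_arn)]
    missing += [a for a in BUCKET_ACTIONS if not _allowed(policy, a, bucket_arn)]
    if rotation:  # admin actions carry no Resource in the page's policy
        missing += [a for a in ROTATION_ACTIONS if not _allowed(policy, a)]
    return missing

# Constructed sample: the object statement is right, but ListBucket is scoped
# to objects ("/*") instead of the bucket itself, and rotation actions are absent.
SAMPLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectAttributes", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::test-session-recording-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::test-session-recording-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    print(missing_permissions(SAMPLE, "test-session-recording-bucket"))
```

An empty list means the policy covers every action this page requires for the chosen mode; pass `rotation=False` when credential rotation is disabled on the Boundary storage bucket.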

Resources

The following MinIO docs are relevant for configuring storage buckets and service accounts:

Next steps

After you configure the external storage provider, you can create the storage bucket in Boundary.