Configure MinIO as a storage provider
This feature requires HCP Boundary or Boundary Enterprise
This page describes how to configure MinIO as a storage provider for session recording with Boundary.
Requirements
Before you can create a storage bucket in Boundary, you must ensure that your environment meets certain requirements.
Session recording requires specific configuration for both the external storage provider and the Boundary worker.
Refer to Configure workers for session recording to learn about configuring self-managed workers for session recording.
When you determine storage requirements for the external bucket, you should consider:
MinIO requirements
A MinIO storage bucket
You must associate the Boundary storage bucket with a MinIO storage bucket. A Boundary MinIO storage bucket contains the bucket name, endpoint URL, optional region, optional prefix, and the service account credentials needed to access the bucket. To enable credential rotation, you cannot add a Boundary storage bucket without a MinIO service account. You can disable credential rotation when you create the Boundary storage bucket.
Note
At this time, the NetBSD operating system is not supported for the MinIO storage bucket.
A MinIO service account and access keys
You must provide service account access keys when you configure a Boundary storage bucket later on.
Refer to the MinIO Access Keys documentation page to learn how to set up a MinIO service account.
A MinIO storage bucket must be configured with R/W access. If you use a restricted IAM user policy, the following policy actions must be allowed at a minimum.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectAttributes", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::test-session-recording-bucket/*" }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "arn:aws:s3:::test-session-recording-bucket" } ] }
HashiCorp recommends that you enable credential rotation. To enable credential rotation, use the following service account policy:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectAttributes", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::test-session-recording-bucket/*" }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "arn:aws:s3:::test-session-recording-bucket" }, { "Action": [ "admin:CreateServiceAccount", "admin:RemoveServiceAccount" ], "Effect": "Allow" } ] }
Resources
The following docs MinIO docs are relevant for configuring storage buckets and service accounts:
- Refer to the MinIO Policy Action Keys documentation to learn more about restricting IAM user policies.
- Refer to the MinIO Object Encryption with KES documentation to learn more about KMS and data encryption with vault key management.
Next steps
After you configure the external storage provider, you can create the storage bucket in Boundary.