Minio as a storage for recording session ERROR

Hi there,

Experiencing difficulties with launching session recording on Minio storage. In a test environment I created a Minio instance:

  1. A test-bucket
  2. User with a policy able to write to the storage
  3. Access Keys associated with the user

Here is my policy:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:GetObjectAttributes",
    "s3:PutObject"
   ],
   "Resource": [
    "arn:aws:s3:::boundary-recordings/*"
   ]
  },
  {
   "Effect": "Allow",
   "Action": [
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::boundary-recordings"
   ]
  },
  {
   "Effect": "Allow",
   "Action": [
    "admin:CreateServiceAccount",
    "admin:RemoveServiceAccount"
   ]
  }
 ]
}

Added as a storage from Admin UI of Boundary, and turned on a policy with deletion and retention rules.

My worker has in the config:

recording_storage_path = "/recording"
recording_storage_minimum_available_capacity = "500MB"

Once I picked a target and turned on session recording, when I try to connect to the target as a user with Boundary Desktop I get the error:

targets.(Service).AuthorizeSession: recording.(Repository).StartSessionRecording: failed to create BSR keys: unknown: error #0: kms.CreateBsrKeys: missing external bsr wrapper: invalid parameter

Would you like to retry?

As for root and worker-auth, I’m using KMS “transit” from Vault, and it’s working fine. What have I missed? Thanks in advance.

Have you updated your controller’s config to have a kms with a purpose of “bsr”?

# Example
kms "aead" {
  purpose   = "bsr"
  aead_type = "aes-gcm"
  key       = "<REDACTED>"
  key_id    = "bsr_key"
}
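
A preflight check for the fix in the answer above, added here as an example (it is not part of the original thread or of Boundary's own tooling): it scans controller configuration text for `kms` blocks and lists the purposes that are missing, which is the condition behind the "missing external bsr wrapper" error. The required-purpose list, the sample config, the Vault address and the key names are constructed assumptions.

```python
import re

# Purposes a recording-enabled controller needs in this example (an assumption:
# the thread shows root and worker-auth configured and bsr missing).
REQUIRED = ("root", "worker-auth", "bsr")

KMS_BLOCK = re.compile(r'^\s*kms\s+"([^"]+)"\s*\{(.*?)^\s*\}', re.S | re.M)
PURPOSE = re.compile(r'^\s*purpose\s*=\s*([^#\n]+)', re.M)

def kms_purposes(config_text):
    """Map each declared purpose to the kms type that serves it."""
    # Drop whole-line comments first so a commented-out block does not count.
    active = re.sub(r'^\s*(#|//).*$', '', config_text, flags=re.M)
    found = {}
    for kms_type, body in KMS_BLOCK.findall(active):
        match = PURPOSE.search(body)
        if not match:
            continue
        # Accepts "bsr", "a,b" and ["a", "b"]; the last two forms are assumptions.
        for quoted in re.findall(r'"([^"]*)"', match.group(1)):
            for purpose in quoted.split(","):
                if purpose.strip():
                    found[purpose.strip()] = kms_type
    return found

def missing_purposes(config_text, required=REQUIRED):
    """Return the required purposes that no active kms block declares."""
    have = kms_purposes(config_text)
    return [p for p in required if p not in have]

# Constructed sample: transit for root and worker-auth as in the question,
# with a placeholder Vault address and placeholder key names.
BASE = '''
kms "transit" {
  purpose  = "root"
  address  = "https://vault.example.internal:8200"
  key_name = "boundary-root"
}
kms "transit" {
  purpose  = "worker-auth"
  address  = "https://vault.example.internal:8200"
  key_name = "boundary-worker-auth"
}
'''
BEFORE = BASE + '# kms "aead" {\n#   purpose = "bsr"\n# }\n'
AFTER = BASE + ('kms "aead" {\n  purpose   = "bsr"\n  aead_type = "aes-gcm"\n'
                '  key       = "<REDACTED>"\n  key_id    = "bsr_key"\n}\n')

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, kms_purposes(cfg), "missing:", missing_purposes(cfg))
```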

Thanks! Once I did, everything worked.


@michael.li Is there an ability to set a preferred timezone for recordings timestamps?

To clarify, which timestamp are you referring to here? Is this something you’re seeing on the Admin UI? Some output on the CLI?

@michael.li I mean the time when the record was created:

This timezone isn’t mine.

Ah ok. What’s displayed there is UTC/Zulu time. I don’t believe there is a way to set a preference at this point. I’ll pass along the feedback to the appropriate team.

If you do use the Boundary CLI, I believe timestamps there are reported in your respective timezone.

boundary session-recordings read -id {RECORDING_ID}

@michael.li thanks. I do use the CLI, but the administrator will use just the Admin UI, so 🙂

For context, the initial decision was to display UTC in order to assist any investigations when trying to correlate with other logs, which are likely to be in UTC.

We’ll continue to monitor feedback and make adjustments as needed. Thanks!

@michael.li well, the count has started 🙂 Thanks!