Boundary
Enable session recording on a target
You must enable session recording for any targets that you want to record sessions on. When you create a storage bucket, Boundary provides you with an ID. You use the storage bucket's ID to associate a target with the storage bucket.
Requirements:
- One or more storage buckets to store the recordings.
- Session recording is only supported for SSH targets at this time.
- A KMS key with the purpose
bsr
must be added to the controller configuration. The key is used for encrypting data and checking the integrity of recordings. Refer to Create the controller configuration and thebsr
KMS key documentation for more information about configuring a KMS block. - The targets must be configured with an ingress or egress worker filter that includes a worker with access to the storage bucket you created. Refer to SSH target attributes for more information.
- You must enable injected application credentials on any target that you want to use for session recording.
Complete the following steps to enable session recording on a target.
Log in to Boundary.
Do one of the following:
To enable an existing SSH target for session recording, run the following commmand:
boundary targets update ssh -scope-id p_1234567890 -id tssh_1234567890 -enable-session-recording true -storage-bucket-id sb_1234567890
Make sure to add the
-enable-session-recording true
flag to turn on session recording for the target. Add the-storage-bucket-id ID
for the storage bucket you want to associate with this target.To create a new target and enable it for session recording, run the following command:
boundary targets create ssh -scope-id p_1234567890 -default -port 22 -name test1 -address 99.12.345.67 -enable-session-recording true -storage-bucket-id sb_1234567890
Make sure to add the
-enable-session-recording true
flag to turn on session recording for the target. Add the-storage-bucket-id ID
for the storage bucket you want to associate with this target. You can configure any other target attributes.You can now view the target from the Targets page in the Boundary console.
The target is now enabled for session recording. Any user session that connects to the target is automatically recorded.