Registering a Bucket

Prerequisites

  • Media data must be stored in an S3 or Google Cloud Storage bucket

Giving Gantry read-only access: register bucket and access secret

Note: Gantry also supports logging public objects via their HTTPS URL or private objects via presigned URLs. Neither of these requires registering the bucket and secret information. Because presigned URLs come with an expiration time, you will not be able to access that data through Gantry once the presigned URLs expire.

Prerequisites

  • Gantry CLI must be installed

1. Create a JSON file with the parameters "access-key-id" and "secret-access-key".

In S3, create an access key.
In Google Cloud Storage, create an HMAC key.

{
    "access-key-id": "...",
    "secret-access-key": "..."
}

2. Register the key pair with Gantry via the CLI.

For an S3 bucket:

% export GANTRY_API_KEY="YOUR_API_KEY"

% gantry-cli secret create --name aws-key --secret-type AWS --secret-file bucket-key.json
SUCCESS
--> Secret has been created.
 {'created_at': 'Tue, 28 Feb 2023 20:40:57 GMT', 'id': 'acdc5d41-fc1d-4986-8683-e57e338fe47e', 'organization_id': '47e04d28-24d3-47e7-9911-bbfc071c754e', 'secret_name': 'demo-secret', 'secret_type': 'AWS'}

% gantry-cli bucket create --name {bucket_name} --region {aws_region} --storage-type s3 --secret aws-key
SUCCESS
--> Bucket {bucket_name} has been registered.

For a Google Cloud Storage bucket:

% export GANTRY_API_KEY="YOUR_API_KEY"

% gantry-cli secret create --name gcs-key --secret-type GCP --secret-file bucket-key.json
SUCCESS
--> Secret has been created.
 {'created_at': 'Tue, 28 Feb 2023 22:29:35 GMT', 'id': '0c2d3e95-e9b6-4ec7-b41e-0a74748c0a34', 'organization_id': '47e04d28-24d3-47e7-9911-bbfc071c754e', 'secret_name': 'gcs-key', 'secret_type': 'GCP'}

% gantry-cli bucket create --name {bucket_name} --region auto --storage-type gs --secret gcs-key
SUCCESS
--> Bucket {bucket_name} has been registered.

Updating the bucket secret

In cases where the role changes or needs to be edited, the bucket secret can be updated.

% gantry-cli bucket update-secret --bucket {bucket_name} --storage-type S3 --secret-id {new_secret_id}
% gantry-cli bucket update-secret --bucket {bucket_name} --storage-type gs --secret-id {new_secret_id}

Common issues

If the permissions on the bucket are incorrect, Gantry won't have access to the objects, so it might look like Gantry logging has failed. Ensure the IAM read-only user is configured correctly.

For AWS, the IAM user needs the following permissions:

  • S3 object actions: s3:GetObject, s3:GetObjectVersion
  • S3 bucket permission: s3:GetBucketLocation

If you are using user-managed KMS keys, the user also needs the kms:Decrypt permission for the bucket KMS key. For default server-side encryption, this is not required.