Registering a Bucket

Prerequisites

  • Media data must be stored in an S3 or Google Cloud Storage bucket

Logging public objects

  • If the object is logged using its https: URL, it does not need to be registered with Gantry
  • If the object is logged using its URI, the bucket needs to be registered with Gantry. Credential registration is not required in this case.

For S3:

% gantry-cli bucket create --name {bucket_name} --region {aws_region} --storage-type s3
SUCCESS
--> Bucket {bucket_name} has been registered.

For Google Cloud Storage:

% gantry-cli bucket create --name {bucket_name} --region auto --storage-type gcs
SUCCESS
--> Bucket {bucket_name} has been registered.

Logging private objects

To log private objects, both the object and the access secret need to be registered. The exception is if you choose to log the private object via its presigned URL. Note that because presigned URLs come with an expiration time, you will not be able to access that data through Gantry once the presigned URLs expire.

Prerequisites

  • Gantry CLI must be installed

1. Create a JSON file with the access information.

In S3, create an access key.
In Google Cloud Storage, create an HMAC key.

{
    "access-key-id": "xxx",
    "secret-access-key": "xxx"
}

2. Register the key pair with Gantry via the CLI.

For S3:

% export GANTRY_API_KEY="YOUR_API_KEY"

% gantry-cli secret create --name aws-key --secret-type AWS --secret-file bucket-key.json
SUCCESS
--> Secret has been created.
 {'created_at': 'Tue, 28 Feb 2023 20:40:57 GMT', 'id': 'acdc5d41-fc1d-4986-8683-e57e338fe47e', 'organization_id': '47e04d28-24d3-47e7-9911-bbfc071c754e', 'secret_name': 'demo-secret', 'secret_type': 'AWS'}

% gantry-cli bucket create --name {bucket_name} --region {aws_region} --storage-type s3 --secret aws-key
SUCCESS
--> Bucket {bucket_name} has been registered.

For Google Cloud Storage:

% export GANTRY_API_KEY="YOUR_API_KEY"

% gantry-cli secret create --name gcs-key --secret-type GCP --secret-file bucket-key.json 
SUCCESS
--> Secret has been created.
 {'created_at': 'Tue, 28 Feb 2023 22:29:35 GMT', 'id': '0c2d3e95-e9b6-4ec7-b41e-0a74748c0a34', 'organization_id': '47e04d28-24d3-47e7-9911-bbfc071c754e', 'secret_name': 'gcs-key', 'secret_type': 'GCP'}

% gantry-cli bucket create --name {bucket_name} --region auto --storage-type gcs --secret gcs-key
SUCCESS
--> Bucket {bucket_name} has been registered.

Updating the bucket secret

In cases where the role changes or needs to be edited, the bucket secret can be updated.

% gantry-cli bucket update-secret --bucket {bucket_name} --storage-type S3 --secret-id {new_secret_id}
% gantry-cli bucket update-secret --bucket {bucket_name} --storage-type gcs --secret-id {new_secret_id}

Common issues

If the permissions on the bucket are incorrect, Gantry logging may appear to have failed, because Gantry won't have access to the objects. Ensure the IAM read-only user is configured correctly.

For AWS, the IAM user needs the following permissions:

  • S3 ObjectActions: s3:GetObject, s3:GetObjectVersion
  • S3 bucket permission: s3:GetBucketLocation

If you are using user-managed KMS keys, the user also needs the kms:Decrypt permission for the bucket KMS key. For default server-side encryption, this is not required.
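
One way to build and check the read-only policy described above, as an added example that is not part of the Gantry documentation or tooling. The function names and the bucket name media-bucket are hypothetical; the audit only inspects Allow statements of the identity policy and ignores Deny, Condition, and bucket policies.

```python
from fnmatch import fnmatchcase

# Permissions the page lists for the read-only IAM user.
OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]   # scoped to <bucket>/*
BUCKET_ACTIONS = ["s3:GetBucketLocation"]                  # scoped to <bucket>

def build_read_policy(bucket, kms_key_arn=None):
    """Least-privilege policy; pass kms_key_arn only for a user-managed KMS key."""
    stmts = [
        {"Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Allow", "Action": BUCKET_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]
    if kms_key_arn:
        stmts.append({"Effect": "Allow", "Action": ["kms:Decrypt"],
                      "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": stmts}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return (missing, excess): listed actions not granted on the right ARN,
    and Allow patterns broader than the read-only set (plus kms:Decrypt)."""
    required = {(a, f"arn:aws:s3:::{bucket}/*") for a in OBJECT_ACTIONS}
    required |= {(a, f"arn:aws:s3:::{bucket}") for a in BUCKET_ACTIONS}
    expected = {a.lower() for a in OBJECT_ACTIONS + BUCKET_ACTIONS} | {"kms:decrypt"}
    granted, excess = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern.lower() not in expected:
                excess.add(pattern)
            for resource in _as_list(stmt.get("Resource", [])):
                for action, arn in required:
                    # IAM action names are case-insensitive; * and ? are wildcards.
                    if (fnmatchcase(action.lower(), pattern.lower())
                            and fnmatchcase(arn, resource)):
                        granted.add((action, arn))
    return sorted(a for a, _ in required - granted), sorted(excess)

# Constructed sample: object actions scoped to the bucket ARN instead of <bucket>/*.
MISSCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion",
                                  "s3:GetBucketLocation"],
    "Resource": "arn:aws:s3:::media-bucket"}]}
```

Calling audit_policy(MISSCOPED, "media-bucket") reports both object actions as missing, which is the misconfiguration that makes logging look like it failed even though the actions are present in the policy.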