Closed JamesPHoughton closed 1 year ago
Are there different storage tiers with different costs, e.g. long duration, high availability, etc.? Which do we want?
How do I access the bucket? Is this through the AWS console, logging in as my user?
How do we set who within our lab can access the bucket?
How do we give Daily permission to write to the bucket? How does Daily know where to write?
How do we give other researchers access to the bucket? How do we give our analysis programs access to the bucket?
How much does it actually cost to store videos?
Other thoughts

In my experience, it's very important to map out how you expect the data to enter S3 and be utilized by users as soon as possible. The main things to keep in mind are:

This is documentation from Daily on recording to a custom S3 bucket. https://docs.daily.co/guides/products/live-streaming-recording/storing-recordings-in-a-custom-s3-bucket
Thanks @rivera-lanasm, this is a really helpful breakdown. Can you help me set up the following?
Daily has some requirements for access permissions, using this policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetObjectVersion",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
```

Daily docs

- Trusted Entity Type: AWS Account
- Trusted AWS account ID: 291871421005
- Required external ID: deliberation
- Maximum session duration: 12 hours

We'll need the Amazon Resource Name (ARN) for the role, and the bucket region to include in the Daily API calls.
From @rivera-lanasm:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetObjectVersion",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::wattslab-deliberation-videos",
        "arn:aws:s3:::wattslab-deliberation-videos/*"
      ]
    }
  ]
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "291871421005"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "deliberation"
        }
      }
    }
  ]
}
```
## Questions for @rivera-lanasm
- [ ] Should we use [default encryption of videos](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html)? What friction does it introduce, and what additional security does it buy beyond the existing permission set? Does it cost money?
- [ ] Is it a good idea to use "object lock" for our videos?
- [ ] How do we set up the intelligent tiering? Or is that enabled by default? There is a setting for an archive configuration, but that seems to be for the asynchronous access options.
- [ ] Do these ARNs need to be kept secret, or can they be committed to a public repository?
## Todo:
- [ ] Delete old bucket `wattslab-deliberation-eyeson` that we are not using any more
- [ ] Check in with Daily about why they suggest versioning, and what we expect it to cost.
ARNs themselves aren't sensitive information; they aren't credentials. https://devops.stackexchange.com/questions/11101/should-aws-arn-values-be-treated-as-secrets

I've only used default encryption; I've never read anything encouraging something other than that.

Object lock is a setting you can enable when creating a bucket, and gives the option to "lock" objects so they can't be deleted or overwritten. This seems like a similar service to bucket/object versioning, so maybe it makes sense to go with one or the other. https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

I haven't set up S3 intelligent tiering before, but my understanding is that you can transfer from the default tier to intelligent tiering. I'll have to read more into this.

After reaching out to Daily to see why it wasn't working, they replied with:

> On a previous case where we've seen the same error occur, this has been solved by increasing the maximum session duration to 12 hours
I've updated the session length to 12 hours.
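
An offline check of the role setup discussed in this thread, added here as an example and not code from the thread or from Daily: it audits a trust policy, a permissions policy and the maximum session duration against the values quoted above. The function and constant names are hypothetical; the policies are abbreviated copies of the ones posted, plus a constructed weak variant for comparison.

```python
DAILY_ACCOUNT = "291871421005"      # trusted account ID quoted in the thread
EXTERNAL_ID = "deliberation"        # external ID quoted in the thread
BUCKET = "wattslab-deliberation-videos"
SESSION_SECONDS = 12 * 3600         # IAM stores MaxSessionDuration in seconds

def as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_role(trust, perms, max_session_seconds):
    """Return findings; an empty list means the role matches the thread's setup."""
    findings = []
    trusted = {DAILY_ACCOUNT, f"arn:aws:iam::{DAILY_ACCOUNT}:root"}
    for st in (s for s in trust["Statement"] if s.get("Effect") == "Allow"):
        p = st.get("Principal")
        principals = as_list(p.get("AWS", [])) if isinstance(p, dict) else []
        if not principals or set(principals) - trusted:
            findings.append("trust: principal not limited to the Daily account")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != EXTERNAL_ID:
            findings.append("trust: sts:ExternalId condition missing or wrong")
    scoped = {f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"}
    for st in (s for s in perms["Statement"] if s.get("Effect") == "Allow"):
        if any("*" in a for a in as_list(st.get("Action", []))):
            findings.append("permissions: wildcard action")
        if set(as_list(st.get("Resource", []))) - scoped:
            findings.append("permissions: resource outside the recordings bucket")
    if max_session_seconds != SESSION_SECONDS:
        findings.append("role: maximum session duration is not 12 hours")
    return findings

# The two policies from the thread, abbreviated to the fields the audit reads.
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": DAILY_ACCOUNT},
         "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
PERMS = {"Statement": [{"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}
# Constructed weak variant: no external ID, all of S3, default 1-hour session.
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
              "Principal": {"AWS": DAILY_ACCOUNT}}]}
WEAK_PERMS = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
              "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_role(TRUST, PERMS, SESSION_SECONDS))
    for finding in audit_role(WEAK_TRUST, WEAK_PERMS, 3600):
        print(finding)
```
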
We will need an S3 bucket that we can put recordings into. We won't be accessing the videos very frequently, at least at first - just to check them for QC. Eventually we'll want to run automated analysis against them.
I don't know much about how this works, so I have a few questions:
@rivera-lanasm