[Preview] Bring Your Own Storage (BYOS) with Wasabi Cloud Storage

Camio provides the option to read and write video, images, and metadata using Wasabi Cloud Storage.

Camio BYOS enables your team to control the storage policies, retention, permissions, backups, capacity, and billing directly from your own Wasabi account. 

This article describes:

How BYOS works

BYOS with Wasabi Cloud Storage

Wasabi Cloud Storage supports signed URLs, which provide limited permission and time to make a request to your storage. These enable the Camio Box gateway to write directly to your bucket(s). Signed URLs also enable Camio to serve video, images, and metadata in your buckets securely and directly from Wasabi to your Web Browser via the Camio Web App. Another benefit of signed URLs is that the credentials to access your encrypted content are never stored on client devices.

To configure Wasabi storage with Camio, you will need to provide information about the buckets you would like to connect with Camio, such as the name of the bucket, as well as credentials to read and write to those buckets through signed URLs.

Configure the amount of buckets and credentials as needed

The amount of buckets, as well as the amount of credentials per bucket, to use with Camio are configurable. At a maximum, Camio allows up to three separate buckets, for storage of Video, Images, and Metadata, and two separate credentials for each bucket, for Read and Write access. 

The amount of separate buckets and credentials provided can be reduced as needed, so long as the provided credential(s) allow the minimum required access to read or write to the provided bucket(s) as specified.

Creating storage buckets

If you do not already have storage buckets prepared for use with Camio, the following will provide basic instructions on how to create storage buckets with Wasabi.

The steps to create a storage bucket can be found here in Wasabi’s official documentation, including specifics on the various bucket settings that can be configured when creating a new bucket.

The following are abbreviated steps for both creating a bucket through the Wasabi console, and collecting the information to provide Camio for bucket access:

  1. Navigate to the Buckets page from the Data Access section of the left navigation bar.
  2. On the top right of the Buckets page, click the Create Bucket button.
  3. A form will appear where you can configure your new bucket before creation. You will need to save the following information about the bucket to provide Camio: 
    1. The unique Bucket Name for the new bucket
    2. The Regional Endpoint of the bucket. When you configure a Region for the bucket, the Regional Endpoint will appear on the right side of your selection. Above this is a clipboard button allowing you to copy the full endpoint to your clipboard.
  4. Configure the desired settings for your bucket, and click the Create Bucket button at the bottom of the form to confirm your choices and create the bucket. Your new bucket will now be listed on the Buckets page. 
  5. By selecting the bucket from the listing on the Buckets page, you can view the contents of the bucket. 
  6. To view the Amazon Resource Name (ARN) of the bucket, required for configuring Policies for the bucket’s access, click on the gear icon on the top right of the Objects section of the bucket’s page, and navigate to the Policies tab. There you will find the Bucket Policy Editor ARN, which you can easily copy using the provided copy to clipboard button.

You will need to provide the unique Bucket Name, as well as the associated Regional Endpoint, for each bucket you intend to use with your Camio account when you configure your BYOS settings.

Creating credentials to access your storage

In order for Camio to access the Wasabi storage bucket(s) you've chosen to use with Camio, you need to create and supply two separate credentials per bucket that allow Camio to read and write to your storage. 

To provide Camio the credentials needed to access your storage bucket(s), you will need to: 

  1. Create Policies with permissions to read and write to the storage buckets.
  2. Create programmatic Users with these Policies assigned to them, or to the User Group they are a part of.
  3. Generate Access Keys for each programmatic User to provide to your Camio Account.

Creating Policies with the required permissions for accessing storage:

Wasabi's official documentation for creating Policies can be found here.

The following are abbreviated steps for creating a Policy through the Wasabi console as required for Camio storage configuration.

  1. Navigate to the Policies page from the Data Access section of the left navigation bar.
  2. On the top right of the Policies page, click the Create Policy button.
  3. You can either use the Policy Generator or JSON editor to then configure the policy with the appropriate permissions.
    • If you are using the Visual Editor:
      1. The minimum permission required for Camio to read from a bucket is the s3:GetObject Action of the s3 Service/Policy Type.
      2. The minimum permission required for Camio to write to a bucket is the s3:PutObject Action of the s3 Service/Policy Type.
      3. In the Resource section, if you would like to specify a specific bucket for these permissions to apply to, enter the ARN of the bucket to restrict access to, appended with /* to indicate uniform access to all objects within the bucket, like so: arn:aws:s3:::BUCKET-NAME/*
    • If you are using the JSON editor, the JSON policy should include the following:
      1. An Effect field set to "Allow"
      2. An Action field set to (a list of) the action(s) providing the appropriate bucket access for Camio:
        • The minimum permission required for Camio to read from a bucket is “s3:GetObject”.
        • The minimum permission required for Camio to write to a bucket is “s3:PutObject”.
      3. A Resource field set to (a list of) the ARN (Amazon Resource Name) of the bucket(s) the policy should apply to, in the format “arn:aws:s3:::BUCKET-NAME/*”
  4. Proceed through the Policy creation process, configuring any other settings desired for the Policy in the proceeding sections, and click the Create Policy button at the bottom right of the page.

The following two example JSON Policies contain the minimum requirements for Policies granting read and write permissions for a specific bucket:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": ["arn:aws:s3:::BUCKET-NAME/*"]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": ["arn:aws:s3:::BUCKET-NAME/*"]
}
]
}

Creating a User with the required Policies for accessing storage:

Wasabi's official documentation for creating Users can be found here.

The following are abbreviated steps for creating a programmatic User through the Wasabi console as required for Camio storage configuration.

  1. Navigate to the Users page from Users and Groups section of the left navigation bar.
  2. Click the Create User button to begin creating a new User
  3. When prompted for Type of Access, you will want to select Programmatic (create API key)
  4. You will either want to attach the policies you created directly to the user, or add the user to a Group assigned the required policies, if you would like to more conveniently assign the same policies to multiple Users.
  5. Once complete, your new User should appear in the list of Users on the Users page.
  6. Upon creating a new programmatic user, Wasabi may automatically generate a new Access Key for that user. Make sure to save the provided Access Key (ID) and hidden Secret (Access) Key at this point, making sure to retain the associated IAM User with each Access Key pair. 
    1. The simplest way to do this is by clicking the Download CSV button at the bottom of the form to save the credentials in a CSV file format. This will also retain the associated user in the CSV file. You can otherwise copy and paste the keys directly from the page to where you please.
    2. The Secret Access Key of your new Access Key will only appear once after creation, so make sure to copy and save it somewhere secure, as you will need to provide it to your Camio Account for access to these credentials.
    3. In the case a Secret Access Key is lost before saving to your Camio Account storage settings, you will need to delete the Access Key associated with the missing Secret Access Key, and create a new Access Key as instructed in the previous step.

Creating an Access Key from a User for accessing storage:

Wasabi's official documentation for creating Access Keys for Users can be found here.

If you did not get an automatically generated Access Key upon new user creation, or simply want to create a new Access Key for a given user, the following are abbreviated steps for creating Access Keys as required for Camio storage configuration.

  1. Navigate to the Access Keys page from the Data Access section of the left navigation bar.
  2. Click the Create Access Key button, which will open a form to begin creating a new Access Key.
  3. Select the desired User from the dropdown to create an Access Key for, and click the Create button in the bottom right of the form.
  4. Make sure to copy and save the provided Access Key (ID) and hidden Secret (Access) Key on the next step of the form, for each Access Key you will use with Camio, making sure to retain the associated IAM User with each Access Key pair. 
    • The simplest way to do this is by clicking the Download CSV button at the bottom of the form to save the credentials in a CSV file format. This will also retain the associated user in the CSV file. You can otherwise copy and paste the keys directly from the page to where you please.
    • The Secret Access Key of your new Access Key will only appear once after creation, so make sure to copy and save it somewhere secure, as you will need to provide it to your Camio Account for access to these credentials.
    • In the case a Secret Access Key is lost before saving to your Camio Account storage settings, you will need to delete the Access Key associated with the missing Secret Access Key, and create a new Access Key as instructed in the previous step.

You will need to provide the Access Key ID and Secret Access Key associated with the Access Key(s) granting read and write permissions for each bucket you intend to use with your Camio account when you configure your BYOS settings.

Configuring CORS rules to allow the Camio Web App access to storage buckets

Wasabi currently does not support the configuration of custom CORS rules, and no extra action is required to give the Camio Web App access to Wasabi storage buckets.

Other configurations to consider

One of the benefits of using Camio’s Bring Your Own Storage is the ability to control what you store, including access, backup, and retention, with the storage provider you chose. Camio recommends configuring some form of retention or time-to-live for the buckets you chose to use with Camio. The following are retention and time-to-live configurations available for Wasabi buckets and objects. These settings can be changed at any time.

Object Lifecycle Management allows Wasabi users to configure automatic time-to-live for objects in a given bucket to help manage storage costs. The following link will take you to Wasabi’s official documentation for an overview of Object Lifecycle Management and instructions for configuring.

Compliance Mode allows Wasabi users to govern how long objects must be retained in a given bucket before they can be deleted. The following link will take you to Wasabi’s official documentation for an overview of Compliance Mode and instructions for configuring.

[Preview] Providing the access credentials to Camio

To provide Camio access to your Wasabi storage buckets, you will need to provide the storage bucket and access credential information you've retrieved to the Camio settings page: https://camio.com/settings/storage 

By selecting Wasabi from the dropdown menu for Storage Provider, the following sections will be listed to fill in per bucket:

  • Bucket Information
  • Read Credentials Information
  • Write Credentials Information

If you would like to only configure one bucket for storage of videos, images, and metadata, check the checkbox for Use the same storage settings for videos, images, and metadata underneath the dropdown menu for Storage Provider.

The following storage and credentials information needs to be provided per bucket for use of Wasabi Cloud Storage with Camio:

  • Bucket Information: The Bucket Name (e.g. "acmeproject1_camio_video") and Regional Endpoint (e.g. "s3.us-west-1.wasabisys.com") for storage.
  • Read Credentials Information: The Access Key ID and Secret Access Key of the User with read permissions to the provided bucket.
  • Write Credentials Information: The Access Key ID and Secret Access Key of the User with write permissions to the provided bucket.

After filling in the required information, navigate to the bottom of the page and click the Save button to save any storage setting changes to your Camio Account. 

When the Save button is pressed, Camio begins immediately storing and serving your video, images, and metadata to and from your own bucket(s).

Have more questions? Submit a request

Comments