Camio provides the option to read and write video, images, and metadata using the Google Cloud Storage (GCS) and BigQuery datasets associated with your own Google Billing Account.
Even though Camio itself uses Google Cloud Storage and BigQuery by default (so the underlying storage system is exactly the same), Camio BYOS enables your team to control the storage policies, retention, permissions, backups, capacity, and billing directly from your own Google Cloud Platform account.
This article describes:
- How Bring Your Own Storage works
- Creating credentials to access your storage
- Providing the access credentials to Camio
How BYOS works
BYOS with Google Cloud Storage
Google Cloud Storage supports signed URLs. These enable the Camio Box gateway to write directly to your bucket(s) using URLs that the server provides for specific write requests. Signed URLs also enable Camio to serve video, images, and metadata from your own buckets directly from GCS to users' web browsers (without passing through Camio servers). One big benefit of signed URLs is that the credentials to access your encrypted content are never stored on client devices.
BYOS with BigQuery
Google BigQuery organizes tables and views in datasets. The Service Accounts you create for Camio to read and write to your BigQuery dataset are used for the event streaming, access logs, and reporting in Camio.
Creating credentials to access your storage
In order for Camio to access the specific Google Cloud Storage bucket(s) and BigQuery dataset you've chosen to use with Camio, you need to create and supply two separate credentials that allow Camio to read and write to your storage.
Read and Write Service Accounts
- Create two IAM Service Accounts for Camio to use when accessing the buckets and BigQuery dataset:
  - one for reading (e.g. firstname.lastname@example.org)
  - one for writing (e.g. email@example.com)
- Create the key for each Service Account. You'll upload these keys to your Camio Account in the section below.
No Roles or permissions are provided at the point of Service Account creation, since each bucket and dataset will specify the permissions granted to the Service Accounts above.
Granting permission to the Service Accounts
Google Cloud Storage Permissions
- Create a bucket in GCP's Cloud Storage if you do not already have bucket(s) to use with Camio.
- Add the IAM Service Accounts to the bucket-level policy, granting them their respective read/write access. For each bucket you would like Camio to use, give
  - the reading Service Account the Storage Object Viewer Role, and
  - the writing Service Account the Storage Object Creator Role.
(You can view the scope of these roles here)
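The bucket-level role split above can be checked after setup. The following is an added example, not Camio's code: it audits a bucket IAM policy in the JSON form printed by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and reports missing roles, extra roles, or public grants. The Service Account names and the sample policy are constructed for illustration.

```python
import json

# Role IDs of the two predefined roles the steps above assign.
EXPECTED = {"reader": "roles/storage.objectViewer",   # Storage Object Viewer
            "writer": "roles/storage.objectCreator"}  # Storage Object Creator
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def audit_bucket_policy(policy, reader_sa, writer_sa):
    """Compare a bucket IAM policy (dict) with the role split described above.

    Returns a list of findings; an empty list means each account holds
    exactly its one expected role and the bucket has no public grant.
    """
    accounts = {f"serviceAccount:{reader_sa}": "reader",
                f"serviceAccount:{writer_sa}": "writer"}
    granted = {member: set() for member in accounts}
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC:
                findings.append(f"{member}: public grant of {binding['role']}")
            elif member in granted:
                granted[member].add(binding["role"])
    for member, kind in accounts.items():
        if EXPECTED[kind] not in granted[member]:
            findings.append(f"{member}: missing {EXPECTED[kind]}")
        for extra in sorted(granted[member] - {EXPECTED[kind]}):
            findings.append(f"{member}: unexpected role {extra}")
    return findings

# Constructed sample data: hypothetical account names and a policy in which
# the write account was given Storage Object Admin instead of Object Creator.
READER = "camio-read@acmeproject1.iam.gserviceaccount.com"
WRITER = "camio-write@acmeproject1.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:camio-read@acmeproject1.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:camio-write@acmeproject1.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY, READER, WRITER):
        print(finding)
```

Run it against each bucket you hand to Camio; a write account that also holds a read or admin role widens what a leaked write key can do.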
BigQuery Dataset Permissions
- Create the BigQuery dataset to be used by Camio.
- Add the Service Accounts to the BigQuery dataset using predefined BigQuery Roles, giving:
  - the reading Service Account the BigQuery Data Viewer and BigQuery Job User Roles, and
  - the writing Service Account the BigQuery Data Editor and BigQuery Job User Roles.
Providing the access credentials to Camio
- read Service Account Key
- write Service Account Key
- video bucket name (e.g. "acmeproject1_camio_video")
- images and metadata bucket name (e.g. "acmeproject1_camio_metadata")
- dataset ID in BigQuery (e.g. "acmeproject1.camio_data")
When you press Save, Camio begins storing and serving your video, images, and metadata in your own bucket(s) and using your own BigQuery dataset for all reporting.