Camio provides the option to read and write video, images, and metadata using the Google Cloud Storage associated with your own Google Billing Account.

Even though Camio itself uses Google Cloud Storage by default (so the underlying storage system is exactly the same), Camio BYOS enables your team to control the storage policies, retention, permissions, backups, capacity, and billing directly from your own Google Cloud Platform (GCP) account. 

This article describes:

• How Bring Your Own Storage works
• Creating storage buckets with Google Cloud Platform Cloud Storage
• Creating credentials to access your storage
• Setting CORS configurations to access your storage
• Providing the access credentials to Camio

How BYOS works

BYOS with Google Cloud Storage

Google Cloud Storage (GCS) supports signed URLs, which provide limited permission and time to make a request to your storage. These enable the Camio Box gateway to write directly to your bucket(s). Signed URLs also enable Camio to serve video, images, and metadata in your buckets securely and directly from Google Cloud Platform to your Web Browser via the Camio Web App. Another benefit of signed URLs is that the credentials to access your encrypted content are never stored on client devices.

To configure GCS storage with Camio, you will need to provide information about the buckets you would like to connect with Camio, such as the name of the bucket, as well as credentials to read and write to those buckets through signed URLs.

Configure the amount of buckets and credentials as needed

The amount of buckets, as well as the amount of credentials per bucket, to use with Camio are configurable. At a maximum, Camio allows up to three separate buckets, for storage of Video, Images, and Metadata, and two separate credentials for each bucket, for Read and Write access. 

The amount of separate buckets and credentials provided can be reduced as needed, so long as the provided credential(s) allow the minimum required access to read or write to the provided bucket(s) as specified.

Creating storage buckets

If you do not already have storage buckets prepared for use with Camio, the following will provide basic instructions on how to create storage buckets with GCS.

Detailed steps to create a storage bucket in GCS can be found in Google Cloud Platform’s official Cloud Storage documentation, including specifics on the various bucket settings that can be configured when creating a new bucket.

The following are abbreviated steps for creating a bucket through the console:

1. Access the GCP Dashboard of the desired GCP Project you would like to create the bucket in.
2. Navigate to the Buckets page of Cloud Storage from the GCP Dashboard.
3. At the top of the page, click the Create button to begin creating a new bucket.
4. You will be brought to a page to configure your new bucket before creation. Set a unique Bucket Name for the new bucket, and configure any desired bucket settings before confirming your choices by clicking the Create button at the bottom of the page.
5. Your new bucket will now be listed on the Buckets page of Cloud Storage for the given GCP Project.

You will need to provide the unique Bucket Name, as well as the associated GCP Project Name for each bucket you intend to use with your Camio account when you configure your BYOS settings.

The Bucket Name will also be required for setting CORS Rules on the given bucket.

Creating credentials to access your storage

In order for Camio to access the GCS storage bucket(s) you've chosen to use with Camio, you need to create and supply credentials per bucket that allow Camio to read and write to your storage. 

To provide Camio the credentials needed to access your storage bucket(s), you will need to create IAM service accounts, assign them permissions for access to your storage bucket(s), and generate service account key files to upload to your Camio Account.

To create and generate the required credentials:

1. Create two IAM service accounts for Camio to use when accessing the specific buckets:
   • one for reading (e.g. camio-storage-read@myproject.iam.gserviceaccount.com)
   • one for writing (e.g. camio-storage-write@myproject.iam.gserviceaccount.com)
2. Create a service account key for each service account. Creating a service account key will download a JSON Key File, which will need to be uploaded to your Camio Account at a later point.
   • Once the generated JSON Key File is successfully downloaded, it cannot be downloaded again. 
   • In the case a JSON key file is lost before saving to your Camio Account storage settings, you will need to delete the service account key associated with the lost key file on GCP, and create a new service account key.

No Roles or permissions are assigned to the service accounts at the point of creation, since each bucket will specify the permissions granted to the service accounts above. 

Once you have both the storage bucket(s) and IAM service account(s) you want to provide Camio, you will need to assign the IAM service account(s) permission to access your storage bucket(s), before providing the previously generated credentials files to Camio.

To assign the account the required permissions to access your storage:

1. Add the IAM Service Accounts to the bucket-level policy of the desired bucket(s), granting them their respective read/write access. For each bucket you would like Camio to use:
   • assign the reading Service Account the Storage Object Viewer Role, and
   • assign the writing Service Account the Storage Object Creator Role.
     (You can view the scope of these roles here)

You will need to provide the JSON Key File associated with the IAM service account(s) granted read and write permissions for each bucket you intend to use with your Camio account when you configure your BYOS settings.

Configuring CORS rules to allow the Camio Web App access to storage buckets

GCS allows configuring Cross-origin resource sharing (CORS) rules on a per bucket basis. Enabling CORS for the Camio domain(s) allows the Camio Web App to display your content such as video and images. If you choose not to enable CORS, some of your content will not be available for viewing in the app. 

The following instructions are for updating the CORS rules for a given bucket to allow access of resources by Camio domain(s).

1. Install one of GCP’s official command-line tools for interfacing with GCS:
   • gcloud, which can be installed from GCP's official gcloud documentation
   • gsutil, which can be installed from GCP's official gsutil documentation
2. Save the following CORS rules locally as a JSON file, and copy the full local file path of this CORS rules file.

   [
     {
       "maxAgeSeconds": 3600,
       "method": [
         "GET"
       ],
       "origin": [
         "https://camio.com",
         "https://*.camio.com"
       ],
       "responseHeader": [
         "Content-Type",
         "X-Csrf-Token",
         "Access-Control-Allow-Origin"
       ]
     }
   ]

3. For each bucket, run the appropriate command for updating CORS for a bucket based on the command-line tool you are using, replacing the following components:
   • BUCKET_NAME: The unique Bucket Name of the bucket to configure.
   • CORS_CONFIG_FILE: The full local file path of the JSON CORS rules.

   gcloud storage buckets update gs://BUCKET_NAME --cors-file=CORS_CONFIG_FILE

   gsutil cors set CORS_CONFIG_FILE gs://BUCKET_NAME

Providing the access credentials to Camio

To provide Camio access to your GCS storage buckets, you will need to provide the storage bucket and access credential information you've retrieved to the Camio settings page: https://camio.com/settings/storage 

By selecting Google Cloud Platform Cloud Storage from the dropdown menu for Storage Provider, the following sections will be listed to fill in per bucket:

• Bucket Information
• Read Credentials Information
• Write Credentials Information

If you would like to only configure one bucket for storage of videos, images, and metadata, check the checkbox for Use the same storage settings for videos, images, and metadata underneath the dropdown menu for Storage Provider.

The following storage and credentials information needs to be provided per bucket for use of Google Cloud Platform Cloud Storage with Camio:

• Bucket Information: The GCP Project Name (e.g. “acmeproject1”) and Bucket Name (e.g. "acmeproject1_camio_video") for storage.
• Read Credentials Information: The JSON Keyfile of the IAM service account with read permissions to the provided bucket.
• Write Credentials Information: The JSON Keyfile of the IAM service account with write permissions to the provided bucket.

After filling in the required information, navigate to the bottom of the page and click the Save button to save any storage setting changes to your Camio Account. 

When the Save button is pressed, Camio begins immediately storing and serving your video, images, and metadata to and from your own bucket(s).