Enable session recording on a target

This feature requires HCP Boundary Plus or Boundary Enterprise

You must enable session recording for any targets that you want to record sessions on. When you create a storage bucket, Boundary provides you with an ID. You use the storage bucket's ID to associate a target with the storage bucket.

Requirements

One or more storage buckets to store the recordings.
Session recording is only supported for SSH targets at this time.
A KMS key with the purpose bsr must be added to the controller configuration. The key is used for encrypting data and checking the integrity of recordings. Refer to Create the controller configuration and the bsr KMS key documentation for more information about configuring a KMS block.
The targets must be configured with an ingress or egress worker filter that includes a worker with access to the storage bucket you created. Refer to SSH target attributes for more information.
You must enable injected application credentials on any target that you want to use for session recording. Refer to Configure targets with credential injection for more information about injecting application credentials.

Complete the following steps to enable session recording on a target.

Log in to Boundary.
Click Orgs in the navigation pane.
Select the org that contains the target you want to enable for session recording.
Select the project that contains the target you want to enable for session recording.
Select Targets in the navigation pane.
Do one of the following:
- To create a new target, select New Target.
- To edit an existing target, select the target, and then select Edit Form.
Configure the target with any relevant attributes. The following setting is required for session recording:
- Select SSH for the Type.
Click Save.
Click Enable recording.
Enable the Record sessions for this target option.
Select the storage bucket where you want to store recordings from this target.
You can also create a new storage bucket.
Click Save.

Log in to Boundary.
Do one of the following:
- To enable an existing SSH target for session recording, run the following commmand:
```
$ boundary targets update ssh -scope-id p_1234567890 -id tssh_1234567890 -enable-session-recording true -storage-bucket-id sb_1234567890
```
  Make sure to add the -enable-session-recording true flag to turn on session recording for the target. Add the -storage-bucket-id ID for the storage bucket you want to associate with this target.
- To create a new target and enable it for session recording, run the following command:
```
$ boundary targets create ssh -scope-id p_1234567890 -default -port 22 -name test1 -address 99.12.345.67 -enable-session-recording true -storage-bucket-id sb_1234567890
```
  Make sure to add the -enable-session-recording true flag to turn on session recording for the target. Add the -storage-bucket-id ID for the storage bucket you want to associate with this target. You can configure any other target attributes.
  You can now view the target from the Targets page in the Boundary console.

Apply the following Terraform policy:

resource "boundary_target" "address_foo" {
  name         = "address_foo"
  description  = "Foo target with an address"
  type         = "tcp"
  default_port = "22"
  scope_id     = boundary_scope.project.id
  address      = "127.0.0.1"

  # Add the next two lines to an existing target to enable session recording.
  # Modify the value of storage_bucket_id as appropriate
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.aws_example.id
}

The target is now enabled for session recording. Any user session that connects to the target is automatically recorded.

Next steps

After you have enabled session recording, you may want to configure storage policies to codify the lifecycle management of your session recordings.