Developers can configure WorqHat to store call recordings in an Amazon S3 bucket of their choice. In this configuration, WorqHat does not store the recording on its own servers at any point in the process; recordings are written directly into the specified bucket.


This guide will go through how to configure S3 storage for WorqHat call recordings. Specifically, we will cover the following steps:

  • S3 bucket configuration requirements

  • Creating an IAM policy with appropriate permissions

  • Creating an IAM role for WorqHat to assume for storage

  • Configuring your WorqHat Workspace to store recordings in S3



Install the AWS CDK


Here's what you need to install to use the AWS CDK.


All AWS CDK developers, even those working in Python, Java, or C#, need Node.js 10.13.0 or later. All supported languages use the same back end, which runs on Node.js. We recommend a version in active long-term support, which, at this writing, is the latest 16.x release. Your organization may have a different recommendation.


Important

Node.js versions 13.0.0 through 13.6.0 are not compatible with the AWS CDK due to compatibility issues with its dependencies.

You must configure your workstation with your credentials and an AWS region if you have not already done so. If you have the AWS CLI installed, the easiest way to satisfy this requirement is to issue the following command:


aws configure


Provide your AWS access key ID, secret access key, and default region when prompted.


You may also manually create or edit the ~/.aws/config and ~/.aws/credentials (macOS/Linux) or %USERPROFILE%\.aws\config and %USERPROFILE%\.aws\credentials (Windows) files to contain credentials and a default region, in the following format.


  • In ~/.aws/config or %USERPROFILE%\.aws\config

[default]
region=us-west-2


  • In ~/.aws/credentials or %USERPROFILE%\.aws\credentials 

[default]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY




Although the AWS CDK uses credentials from the same configuration files as other AWS tools and SDKs, including the AWS Command Line Interface, it may behave slightly differently from these tools. In particular, if you use a named profile from the credentials file, the config must have a profile of the same name specifying the region. The AWS CDK does not fall back to reading the region from the [default] section in config. Also, do not use a profile named "default" (e.g. [profile default]). See Setting credentials for complete details on setting up credentials for the AWS SDK for JavaScript, which the AWS CDK uses under the hood.

AWS CDK does not natively support AWS IAM Identity Center (successor to AWS Single Sign-On).

To use IAM Identity Center with the CDK, use a tool such as yawsso.


Alternatively, you can set the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION to appropriate values.


We strongly recommend against using your AWS root account for day-to-day tasks. Instead, create a user in IAM and use its credentials with the CDK. Best practice is to rotate this user's access key regularly and to use a least-privilege role (specifying --role-arn) when deploying. WorqHat will automatically create roles to prevent unauthorised access to your accounts.



Install the AWS CDK Toolkit globally using the following Node Package Manager command.


npm install -g aws-cdk


Run the following command to verify correct installation and print the version number of the AWS CDK.


cdk --version




Shortcut: A custom WorqHat script to get set up


To help developers move faster, our team has created a GitHub repo with a custom script that will configure your S3 bucket for WorqHat recordings.


To use this script, you will need:

  • AWS Integrations enabled for your WorqHat Workspace from the Integrations Marketplace

  • An AWS account (create one if you don't already have one)

  • A bucket name

  • A bucket region

  • The AWS CDK installed on your development machine

  • Your AWS credentials stored on that machine


Follow the instructions in the README for more information.


If you prefer to set the bucket up manually, keep reading.




Creating an IAM policy with appropriate permissions


AWS Identity and Access Management (IAM) is used to control access to various AWS resources, including S3 buckets. To allow WorqHat to store WebRTC call recordings into your designated bucket, WorqHat's account needs sufficient access to your bucket.


The first step to provide this access is to define an IAM policy with the appropriate permissions. The policy should be defined as follows:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetObjectVersion",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}



Replace your-bucket-name in the "Resource" property above with the name of your designated S3 bucket.


To create the above policy, log into AWS and navigate to the IAM dashboard. Click on "Policies" in the left-hand menu. Next, click "Create" and paste the above policy into the JSON definition.






Creating an IAM role for WorqHat to assume for storage


The next step is to create an IAM role which will have the policy we created above attached to it. If you are already familiar with creating IAM roles, feel free to use the following values to create your role. If you'd like a bit more guidance on the process, you'll find it under the following role specification information.


IAM role specification for WorqHat call recording storage

  • Trusted Entity Type: AWS Account

  • Trusted AWS account ID: 291871421005

  • Required external ID: worqhat

  • Maximum session duration: 12 hours


IAM role creation walkthrough


You can find role creation in the same IAM service dashboard which we used to create the policy. Click on "Roles" in the left-hand menu, then click "Create Role". Once on the role creation page, take the following steps to create your role:

  • For "Trusted Entity Type", select "AWS Account"

  • Under "An AWS Account", select "Another AWS account"

  • Enter 291871421005 as the Account ID (this is WorqHat's account)

  • Select "Require external ID" and enter WorqHat as the external ID


Click "Next" and attach the policy you just created to the role.


Click "Next" once more, give your role a name in the subsequent prompt, and click "Create role".


Once the role is created, find it in your IAM Roles list and click "Edit". Set the "Maximum session duration" to "12 hours".


Finally, copy the ARN (Amazon Resource Name) of the role you just created from the role page in IAM.



With the policy and role in place, we are done with the AWS configuration.
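
Before handing the role ARN to WorqHat, it is worth checking that the trust policy and the permissions policy contain only what this guide specifies. The following Python sketch is an added example, not WorqHat's own code: the function names and the sample trust policy are constructed for illustration, while the account ID, the external ID (taken from the role specification list) and the action list come from this page.

```python
WORQHAT_ACCOUNT = "291871421005"  # trusted account ID from the role specification
ALLOWED_ACTIONS = {  # the eight actions in the guide's IAM policy
    "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads",
    "s3:AbortMultipartUpload", "s3:ListBucketVersions", "s3:ListBucket",
    "s3:GetObjectVersion", "s3:ListMultipartUploadParts",
}

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(doc, external_id="worqhat"):
    """Return findings for the role's trust policy; an empty list means it matches."""
    findings = []
    trusted = {WORQHAT_ACCOUNT, f"arn:aws:iam::{WORQHAT_ACCOUNT}:root"}
    for stmt in _listify(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            if set(principal) - {"AWS"}:
                findings.append("principal type other than an AWS account is trusted")
            principal = principal.get("AWS", [])
        findings += [f"unexpected principal: {p}" for p in _listify(principal) if p not in trusted]
        # StringEquals is case-sensitive, so the external ID must match exactly.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings

def audit_permissions_policy(doc, bucket):
    """Return findings for the S3 permissions policy attached to the role."""
    findings = []
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _listify(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"action outside the guide's list: {a}"
                     for a in _listify(stmt.get("Action", [])) if a not in ALLOWED_ACTIONS]
        findings += [f"resource outside the bucket: {r}"
                     for r in _listify(stmt.get("Resource", [])) if r not in scoped]
    return findings

# Constructed sample: the trust policy the console steps above should produce.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::291871421005:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "worqhat"}}}]}
if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST) or "trust policy matches the specification")
```

Feed the functions the JSON shown on the role's "Trust relationships" tab and on the attached policy's page; any finding means the role grants more than the guide intends or will not be assumable with the expected external ID.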


Configuring your Workspace to store recordings in S3


To connect your WorqHat Workspace to your S3 bucket:


  • Enable AWS Integrations from the Integrations Marketplace.

  • Select the "Store in your own S3 Bucket" option when configuring your Virtual Meeting Settings.

  • Add your bucket name, bucket region and role ARN in the options.

  • Click "Update" to save the settings.


The properties specified in the config are as follows:

  • bucket_name is the name of your S3 bucket

  • bucket_region is the region in which you created your S3 bucket

  • assume_role_arn is the ARN of the role you created above


Conclusion


We hope this guide was helpful in showing you how to store your WorqHat video call recordings in your own S3 bucket. If you have any questions or run into any issues with the setup, please contact us.