Configure cloud storage
This is an Early Access feature. To enable it, contact Okta Support.
You can configure a gateway to automatically upload logs to Amazon Web Services (AWS) S3 or Google Cloud Platform either in addition to or instead of local storage. While temporary local storage is always required, you can control where logs are stored permanently.
You can add the following configuration block to /etc/sft/sft-gatewayd.yaml to configure cloud (Type: s3 or Type: gcs) and local (Type: file) storage for a gateway:
# Add this configuration block to /etc/sft/sft-gatewayd.yaml
LogDestinations:
  - Type: file
    LogDir: /some/path
  - Type: s3
    Bucket: my-testing-bucket
    Region: us-west-2
    # The following may be optional. The AWS SDK can retrieve these from the env or IAM role if running the gateway on AWS.
    AccessKeyId: AWSACCESSKEY
    SecretKey: SECRET
    SessionToken: asdf1234
  - Type: gcs
    Bucket: my-gateway-bucket
    # The following may be optional. The GCP SDK can retrieve these from the env or cloud machine roles if running the gateway on GCP.
    # These are the credentials that you'll download from GCP in JSON.
    CredentialsFile: /path/to/some-service-user-asdf.json
    CredentialsJson: |
      {
        "type": "service_account",
        "project_id": "asa-gateway-dev-test",
        "private_key_id": "<key id>",
        "private_key": "<some private key>",
        ...
      }
Change the values in the configuration block to match your deployment.
You can add as many log destinations as you like. Log files are sent to their destinations in the order that they appear in your configuration. Logs are copied to these destinations after an SSH session ends.
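An added example, not part of Okta's documentation or tooling: a Python check that flags log destinations whose credentials are written inline in the gateway configuration rather than retrieved from the environment or a machine role, which the comments in the block above allow. The function names, the owner-only file permission policy, and the sample values are assumptions, and the configuration is expected to be already parsed from YAML into a mapping.

```python
import os
import stat

# Keys in the page's example block that place secret material in the YAML itself.
INLINE_SECRETS = {
    "s3": ("AccessKeyId", "SecretKey", "SessionToken"),
    "gcs": ("CredentialsJson",),
}
# The one setting each destination type on the page cannot work without.
REQUIRED = {"file": "LogDir", "s3": "Bucket", "gcs": "Bucket"}


def too_permissive(path):
    """True if group or other has any access (assumed policy: owner-only)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def audit(config, config_path=None):
    """Return findings for an already-parsed gateway config mapping (hypothetical helper)."""
    findings, inline = [], False
    for i, dest in enumerate(config.get("LogDestinations") or []):
        kind = dest.get("Type")
        if kind not in REQUIRED:
            findings.append(f"[{i}] Type {kind!r} is not file, s3 or gcs")
            continue
        if not dest.get(REQUIRED[kind]):
            findings.append(f"[{i}] {kind}: {REQUIRED[kind]} is not set")
        for key in INLINE_SECRETS.get(kind, ()):
            if dest.get(key):
                inline = True
                findings.append(f"[{i}] {kind}: {key} is stored inline")
        cred_file = dest.get("CredentialsFile")
        if cred_file and os.path.exists(cred_file) and too_permissive(cred_file):
            findings.append(f"[{i}] {kind}: {cred_file} is accessible beyond its owner")
    # Inline secrets make the config file itself a credential store.
    if inline and config_path and too_permissive(config_path):
        findings.append(f"{config_path} holds inline secrets and is accessible beyond its owner")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the page's block; values are placeholders.
    sample = {"LogDestinations": [
        {"Type": "file", "LogDir": "/some/path"},
        {"Type": "s3", "Bucket": "my-testing-bucket", "Region": "us-west-2",
         "AccessKeyId": "AWSACCESSKEY", "SecretKey": "SECRET"},
        {"Type": "gcs", "Bucket": "my-gateway-bucket"},
    ]}
    for line in audit(sample):
        print(line)
```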