Configure cloud storage

This is an Early Access feature. To enable it, contact Okta Support.

You can configure a gateway to automatically upload logs to Amazon Web Services (AWS) S3 or Google Cloud Platform either in addition to or instead of local storage. While temporary local storage is always required, you can control where logs are stored permanently.

You can add the following configuration block to /etc/sft/sft-gatewayd.yaml to configure cloud (Type: gcs) and local (Type: file) storage for a gateway:

# Add this configuration block to /etc/sft-gatewayd/sft-gatewayd.yaml


  - Type: file

    LogDir: /some/path

  - Type: s3

    Bucket: my-testing-bucket

    Region: us-west-2

    # The following may be optional. The AWS SDK can retrieve these from the env or IAM role if running the gateway on AWS.


    SecretKey: SECRET

    SessionToken: asdf1234

  - Type: gcs

    Bucket: my-gateway-bucket

    # The following may be optional. The GCP SDK can retrieve these from the env or cloud machine roles if running the gateway on GCP.

    # These are the credentials that you'll download from GCP in JSON.

    CredentialsFile: /path/to/some-service-user-asdf.json

    CredentialsJson: |


        "type": "service_account",

        "project_id": "asa-gateway-dev-test",

        "private_key_id": "<key id>",

        "private_key": "<some private key>",



Change the values in the configuration block to match your deployment.

You can add as many log destinations as you like. Log files are sent to their destinations in the order that they appear in your configuration. Logs are copied to these destinations after an SSH session ends.

Related topics

Session capture

Install an Advanced Server Access gateway

Enable session capture on a project