You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/guides/modules/security/pages/audit-logs.adoc
+80Lines changed: 80 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -199,6 +199,86 @@ After setting up audit log streaming follow these steps to validate the setup wa
199
199
. Set up appropriate alerts for connection failures or delivery interruptions.
200
200
201
201
202
+
=== Stream to S3-compatible storage
203
+
204
+
TIP: Select btn:[Other S3-compatible service] in the streaming dialog to connect to an S3-compatible endpoint such as MinIO.
205
+
206
+
207
+
The setup steps vary by provider. At a high level you will:
208
+
209
+
==== 1. Prepare your S3-compatible destination
210
+
211
+
. Create a bucket for audit logs in your S3-compatible service.
212
+
. Create or identify a role/principal that CircleCI can assume using OIDC. The exact process and identifier format depend on your provider. Examples include an AWS-style ARN (for example, `arn:aws:iam::...:role/...`) or a provider-specific role identifier (for example, MinIO `arn:minio:iam:::role/...`).
213
+
. Grant the role/principal permission to write objects to your bucket (minimum required: `s3:PutObject` on `<your-bucket>/*`). For example:
214
+
+
215
+
[source,json]
216
+
----
217
+
// minio S3 example policy
218
+
{
219
+
"Version": "2012-10-17",
220
+
"Statement": [
221
+
{
222
+
"Effect": "Allow",
223
+
"Action": [
224
+
"s3:PutObject"
225
+
],
226
+
"Resource": [
227
+
"arn:minio:s3:::<bucket-name>/*"
228
+
]
229
+
}
230
+
]
231
+
}
232
+
----
233
+
+
234
+
235
+
236
+
==== 2. Authentication and authorization considerations
237
+
238
+
**Key OIDC configuration details**:
239
+
240
+
When setting up the OIDC Identity Provider to trust CircleCI, use these parameters:
*(Remember to substitute your actual CircleCI Organization ID.)*
245
+
246
+
* **OpenID Client ID (Audience):**
247
+
Your **CircleCI Organization ID** (the `<ORG_ID>` value).
248
+
249
+
* **Scope:**
250
+
Use the standard required scope: `openid`.
251
+
252
+
**Validation and network requirements**:
253
+
254
+
* **Server Endpoint Connectivity:**
255
+
The **AWS S3 compatible server**, acting as the token validator, **must be able to reach** the CircleCI OIDC Provider endpoint to fetch the public keys required to **validate the token's cryptographic signature**.
256
+
257
+
* **Provider Validation:**
258
+
Your OIDC provider configuration must be set up to accept and successfully validate CircleCI's OIDC tokens for the configured **role or principal** you intend to grant access to within your storage solution.
259
+
260
+
NOTE: Ensure your **AWS S3 compatible server's** network configuration allows necessary outgoing connections to the internet, specifically to `oidc.circleci.com`, for token validation to succeed.
261
+
262
+
==== 3. Configure CircleCI to stream to your S3-compatible service
263
+
264
+
. Go to the link:https://app.circleci.com/[CircleCI web app] and navigate to menu:Organization Settings[Security].
265
+
. In menu:Audit Logs[Streaming audit logs], select btn:[Stream audit logs].
266
+
. Choose btn:[Other S3-compatible service].
267
+
. Confirm that you have completed the prerequisites by selecting btn:[Continue].
268
+
+
269
+
image::guides:ROOT:setup-s3-compatible-audit-logs.png[Set up S3-compatible storage for streaming]
270
+
. Fill out the fields as follows:
271
+
.. **Region**: Optional. Many S3-compatible providers default to `us-east-1` if not set.
272
+
.. **S3 Bucket Name**: The exact name of the bucket you created.
273
+
.. **Role ARN**: The role identifier recognized by your provider (for example, a provider-specific role ID/ARN).
274
+
.. **Endpoint**: The HTTPS endpoint of your S3-compatible API (for example, `https://s3.<region>.<provider-domain>` or your custom host and port).
275
+
. The configuration form appears as follows:
276
+
+
277
+
image::guides:ROOT:form-s3-compatible-audit-logs.png[Connect CircleCI to S3-compatible storage]
278
+
. Select btn:[Connect CircleCI to S3-compatible service].
279
+
280
+
When the connection is validated, the **Status** will show image:guides:ROOT:icons/passed.svg[passed icon, role="no-border"] **Connected**. Creating a streaming configuration pushes an empty file named `circleci_connectivity_test_<timestamp>` to the configured bucket to verify permissions.
281
+
202
282
=== Manage active streams
203
283
204
284
Once configured, you can view and manage audit log streams. The following options are available to you in the CircleCI web app:
0 commit comments