This article demonstrates and explains how to play a recorded session of a Boundary target on a terminal/CLI & UI when for some known/unknown issues you're unable to list down the session recordings on the Boundary Admin UI, and there is a need to look at the recorded session.
This article assumes that you have a session recording already configured and it is being stored in external storage, in our case, it's AWS S3 services.
This article is a complete workaround for the scenario mentioned above and a few more if there are/will be any. If there are issues while playing/listing recordings on the Boundary Admin UI, please reach out to HashiCorp Support immediately.
Please note that the Boundary Session Recording feature is an Enterprise only feature.
Pre-requisites
The article is tested on Apple MacOS 14.6.1 Sonoma with the following:
- A Boundary Controller and an Ingress Worker v0.17.0+ent
- Up, configured, and running
- asciinema v2.4.0
- Downloaded and installed via Homebrew (brew install asciinema)
- awscli v2.17.38 or newer
- Configured with credentials that have appropriate access to perform operations on S3 service.
Play the recorded session on the Terminal/CLI
- Install "asciinema" by running "brew install asciinema" (for macOS only).
-
Filter the Boundary recordings from the external storage by querying the AWS S3 API directly by running the following commands as per the need:
#to fetch a recording for a particular day
% aws s3api list-objects-v2 --bucket <name_of_the_bucket> --query 'Contents[?contains(LastModified, `2024-08-14`)]' | grep -i "chr_*.*.meta"
#to fetch a recording between two distinct days
% aws s3api list-objects-v2 --bucket <name_of_the_bucket> --query "Contents[?LastModified>='2024-07-20'] | [?LastModified<='2024-8-14'].{ Key: Key, Size: Size, LastModified: LastModified }" | grep -i "chr_*.*.meta"
- The above commands are supposed to output as follows based on the number of recordings that you have and the timeframe you set in the command:
"Key": "S3_Folder_Hierarchy_If_Any/sr_GYBj8mGQQi.bsr/cr_87SStgokcs.connection/chr_Es265p5H4i.channel/channel-recording.meta",
- in this output:
- `sr_` denotes `session recording ID`.
- `cr_` denotes `connection ID`.
- `chr_` denotes `channel ID`.
- Download the filtered & required recording using its `channel ID` by running the command:
- As of writing this article, only one channel ID can be downloaded at a time.
#we need to first authenticate against Boundary, I'm using a password type auth method here.
% export BOUNDARY_ADDR=<Address_As_Per_Your_Setup>
% boundary authenticate password -auth-method-id=ampw_txxxxxEp -login-name=admin -scope-id=global
% boundary session-recordings download -id chr_Es265p5H4i
#this will save the recording as `chr_Es265p5H4i.cast` file.
-
Note: As of writing this article, there is no way to upload a recording (downloaded from external storage) to Boundary Controller if in case the Boundary storage policy has deleted that recording from Boundary DB.
- Run the following "asciinema" command to play the recording on the terminal:
% asciinema play chr_Es265p5H4i.cast
- We can also print the full output of the recorded session by running the following command:
% asciinema cat chr_Es265p5H4i.cast
Play the recorded session on the UI
To play a recorded session on the Boundary UI directly, all we need to do is first make sure that you're already authenticated to Boundary Admin UI on the browser.
We need a `session recording ID` for this purpose that you can either extract from the previous section's `aws s3api` outputs or run the following command because as of writing this article filtering is not supported on session recording APIs:
% boundary session-recordings list -recursive | grep -B 3 "Created Time:*.*23 Apr 2024"
this would output a list of recordings based on the created time specified in the command. You can copy the desired `sr_` ID and run it on the pre-authenticated Boundary browser's tab with the following as its prefix:
https://BOUNDARY_ADDR:9200/scopes/global/session-recordings/<'sr_'_ID_HERE>
this would take you to the recording page directly where you can play that individual recording.