docs/guides/modules/security/pages/audit-logs.adoc
57 additions & 0 deletions
@@ -199,6 +199,63 @@ After setting up audit log streaming follow these steps to validate the setup wa
199
199
. Set up appropriate alerts for connection failures or delivery interruptions.
200
200
201
201
202
+
=== Stream to S3-compatible storage
203
+
204
+
TIP: Select btn:[Other S3-compatible service] in the streaming dialog to connect to an S3-compatible endpoint such as MinIO.
205
+
206
+
207
+
The setup steps vary by provider. At a high level you will:
208
+
209
+
==== 1. Prepare your S3-compatible destination
210
+
211
+
. Create a bucket for audit logs in your S3-compatible service.
212
+
. Create or identify a role/principal that CircleCI can assume using OIDC. The exact process and identifier format depend on your provider. Examples include an AWS-style ARN (for example, `arn:aws:iam::...:role/...`) or a provider-specific role identifier (for example, MinIO `arn:minio:iam:::role/...`).
213
+
. Grant the role/principal permission to write objects to your bucket (minimum required: `s3:PutObject` on `<your-bucket>/*`). For example:
214
+
+
215
+
[source,json]
216
+
----
217
+
// minio S3 example policy
218
+
{
219
+
"Version": "2012-10-17",
220
+
"Statement": [
221
+
{
222
+
"Effect": "Allow",
223
+
"Action": [
224
+
"s3:PutObject"
225
+
],
226
+
"Resource": [
227
+
"arn:minio:s3:::<bucket-name>/*"
228
+
]
229
+
}
230
+
]
231
+
}
232
+
----
233
+
+
234
+
235
+
236
+
==== 2. Configure CircleCI to stream to your S3-compatible service
237
+
238
+
. Go to the link:https://app.circleci.com/[CircleCI web app] and navigate to menu:Organization Settings[Security].
239
+
. In menu:Audit Logs[Streaming audit logs], select btn:[Stream audit logs].
240
+
. Choose btn:[Other S3-compatible service].
241
+
. Confirm that you have completed the prerequisites by selecting btn:[Continue].
242
+
+
243
+
image::guides:ROOT:setup-s3-compatible-audit-logs.png[Set up S3-compatible storage for streaming]
244
+
. Fill out the fields as follows:
245
+
.. **Region**: Optional. Many s3-compatible providers default to `us-east-1` if not set.
246
+
.. **S3 Bucket Name**: The exact name of the bucket you created.
247
+
.. **Role ARN**: The role identifier recognized by your provider (for example, a provider-specific role ID/ARN).
248
+
.. **Endpoint**: The HTTPS endpoint of your S3-compatible API (for example, `https://s3.<region>.<provider-domain>` or your custom host and port).
249
+
. The configuration form appears as follows:
250
+
+
251
+
image::guides:ROOT:form-s3-compatible-audit-logs.png[Connect CircleCI to S3-compatible storage]
252
+
. Select btn:[Connect CircleCI to S3-compatible service].
253
+
254
+
When the connection is validated, the **Status** will show image:guides:ROOT:icons/passed.svg[passed icon, role="no-border"] **Connected**. Creating a streaming configuration pushes an empty file named `circleci_connectivity_test_<timestamp>` to the configured bucket to verify permissions.
255
+
256
+
NOTE: Ensure your endpoint is reachable from CircleCI and that your provider accepts and validates CircleCI OIDC tokens for the configured role/principal. Network policies, firewalls, TLS, and trust configuration must allow secure access from CircleCI to your endpoint.
257
+
258
+
202
259
=== Manage active streams
203
260
204
261
Once configured, you can view and manage audit log streams. The following options are available to you in the CircleCI web app:
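Review bot: The step "Create or identify a role/principal that CircleCI can assume using OIDC" under "1. Prepare your S3-compatible destination" never says which token issuer and audience the provider has to trust, or that the trust should be limited to the reader's own organization; the closing NOTE only says the provider must accept and validate CircleCI OIDC tokens. Since that trust configuration decides who can assume the write role, please add a sub-step that states the values to configure, or link to the existing OIDC token documentation, and recommend restricting the role to tokens from the reader's organization. Two smaller points: the `// minio S3 example policy` line sits inside the `[source,json]` block, and JSON has no comment syntax, so a reader who copies the block gets an invalid policy document; move that text to a block title or to the sentence before the block. In the **Region** field description, "s3-compatible" should be "S3-compatible" to match the rest of the section, and the sentence "At a high level you will:" ends in a colon but is followed by headings rather than a list, so either add the short list or drop the colon.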