Applies to: AWS admins (S3 bucket owner account) and Genesys Cloud admins configuring SmartVideo recording storage.
Scope of this article
This guide covers storage only (S3 bucket + SmartVideo Storage settings). Assume your Kurento and Processing URLs are already configured.
Quick Setup
- Create/choose your S3 bucket (bucket owner account).
- Add an S3 bucket policy that allows Role 1 (Publish) to write recordings.
- If you want in-product playback, also allow Role 2 (Playback) to read recordings.
- In Genesys Cloud: SmartVideo Settings → Recording tab → configure Final Storage and Playback Storage to S3.
- Save, wait 5 minutes, then run a test call and confirm files appear in S3.
What you need from VideoEngager Support
These values are deployment-dependent and must be provided by VideoEngager Support:
- Publish role ARN (Role 1) – used to upload recording files to your bucket.
- Playback role ARN (Role 2) – used only if VideoEngager playback needs to read files from your bucket.
- (Optional) Recommended S3 prefix to scope access (e.g.,
recordings/<tenant>/).
Role 1 vs Role 2 — what they do (and what you control)
| Role | Purpose | Recommended permissions | When you need it |
|---|---|---|---|
| Role 1: Publish | Uploads recording files to your S3 bucket | Write-only (PutObject + multipart upload actions) | Always (required to store recordings in your bucket) |
| Role 2: Playback | Reads recording files from your bucket for playback | Read-only (GetObject, optionally ListBucket scoped to prefix) | Only if you want playback via VideoEngager/SmartVideo |
Security controls you have:
- You can keep VideoEngager write-only by granting Role 1 upload permissions and not granting read.
- You can enable playback by granting Role 2 read-only.
- You can restrict access to a prefix (recommended), and optionally add an explicit Deny to ensure Role 1 can never read.
Step 1 — Prepare your S3 bucket (AWS)
- Create or choose an S3 bucket in your AWS account (the bucket owner account).
- Keep Block Public Access enabled.
- (Recommended) Decide a prefix/folder for recordings, e.g.
recordings/orrecordings/<tenant>/.
Step 2 — Add the S3 Bucket Policy (Cross-Account Access)
In AWS: S3 → your bucket → Permissions → Bucket policy. Use the patterns below and replace placeholders with values from Support.
✅ Recommended: separate Publish vs Playback permissions
This keeps least-privilege clean: Role 1 writes, Role 2 reads. If you don’t need playback via VideoEngager, you can omit the Role 2 statement entirely.
Option A (recommended): Prefix-scoped policy (best practice)
Replace:
<BUCKET>→ your bucket name<PREFIX>→ e.g.recordings(no leading/trailing slash in placeholders below)<PUBLISH_ROLE_ARN>→ from VideoEngager Support<PLAYBACK_ROLE_ARN>→ from VideoEngager Support (optional if you need playback)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Role1PublishWriteOnly",
"Effect": "Allow",
"Principal": { "AWS": "<PUBLISH_ROLE_ARN>" },
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::<BUCKET>",
"arn:aws:s3:::<BUCKET>/<PREFIX>/*"
]
},
{
"Sid": "DenyRole1PublishReadBack",
"Effect": "Deny",
"Principal": { "AWS": "<PUBLISH_ROLE_ARN>" },
"Action": [ "s3:GetObject" ],
"Resource": "arn:aws:s3:::<BUCKET>/<PREFIX>/*"
},
{
"Sid": "Role2PlaybackReadOnly",
"Effect": "Allow",
"Principal": { "AWS": "<PLAYBACK_ROLE_ARN>" },
"Action": [ "s3:GetObject" ],
"Resource": "arn:aws:s3:::<BUCKET>/<PREFIX>/*"
}
]
}Option B: Bucket-wide policy (simpler, less restrictive)
Use this only if you cannot use a prefix or want the fastest setup. This grants access across the entire bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Role1PublishWriteOnly",
"Effect": "Allow",
"Principal": { "AWS": "<PUBLISH_ROLE_ARN>" },
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::<BUCKET>/*"
},
{
"Sid": "Role2PlaybackReadOnly",
"Effect": "Allow",
"Principal": { "AWS": "<PLAYBACK_ROLE_ARN>" },
"Action": [ "s3:GetObject" ],
"Resource": "arn:aws:s3:::<BUCKET>/*"
}
]
}Step 3 — Configure S3 Storage in Genesys Cloud (SmartVideo)
- Log in to Genesys Cloud.
- Go to Apps → SmartVideo Settings.
- Select the Recording tab.
Final Storage (where recordings are saved)
- Scroll to Final Storage and enable Override the default storage configuration.
- Set Storage Type → S3.
- Relative path:
- Leave empty if your bucket policy is bucket-wide.
- If you used a prefix policy, set it to your prefix (example:
recordings).
- Under AWS S3 Configuration:
- Region → your bucket region
- Bucket → your bucket name
Playback Storage (used for playback)
- Scroll to Playback Storage and enable Override the default storage configuration.
- Set Storage Type → S3.
- Use the same bucket/region (and prefix if used) as Final Storage.
- If you want playback via VideoEngager/SmartVideo, ensure your bucket policy includes Role 2 (Playback) read access.
Save: Scroll to the bottom, click Save settings, then wait at least 5 minutes for changes to apply.
Step 4 — Validate
- Place a test call and end it.
- Check your S3 bucket for new recording objects (in your configured prefix if used).
- If you enabled playback, confirm playback works in your agent experience.
Troubleshooting (fast checks)
| Symptom | Most common cause | Fix |
|---|---|---|
| No files appear in S3 | Publish role not allowed to write | Verify bucket policy includes <PUBLISH_ROLE_ARN> and allows s3:PutObject for your bucket/prefix. |
| Files appear, but playback fails | Playback role not allowed to read | Add the Role 2 (Playback) statement with s3:GetObject, scoped to the same bucket/prefix. |
| Files appear in the wrong “folder” | Prefix mismatch between policy and “Relative path” | Ensure the bucket policy <PREFIX> and SmartVideo “Relative path” match exactly. |
| Nothing changes after saving settings | Propagation delay | Wait 5 minutes, then run a new test call. |
📞 Still not working?
Contact VideoEngager Support and include:
- Your AWS bucket name + region
- Your chosen prefix (if any)
- The bucket policy you applied (sanitized is fine)
- Timestamp of the test call
- Whether playback is required (Role 2) or you want write-only storage (Role 1 only)
Comments
0 comments
Please sign in to leave a comment.