Configure Amazon S3 Cross-Account Storage for VideoEngager Call Recordings (Genesys Cloud) – VideoEngager

Applies to: AWS admins (S3 bucket owner account) and Genesys Cloud admins configuring SmartVideo recording storage.

Scope of this article

This guide covers storage only (S3 bucket + SmartVideo Storage settings). Assume your Kurento and Processing URLs are already configured.

Quick Setup

Create/choose your S3 bucket (bucket owner account).
Add an S3 bucket policy that allows Role 1 (Publish) to write recordings.
If you want in-product playback, also allow Role 2 (Playback) to read recordings.
In Genesys Cloud: SmartVideo Settings → Recording tab → configure Final Storage and Playback Storage to S3.
Save, wait 5 minutes, then run a test call and confirm files appear in S3.

What you need from VideoEngager Support

These values are deployment-dependent and must be provided by VideoEngager Support:

Publish role ARN (Role 1) – used to upload recording files to your bucket.
Playback role ARN (Role 2) – used only if VideoEngager playback needs to read files from your bucket.
(Optional) Recommended S3 prefix to scope access (e.g., recordings/<tenant>/).

Role 1 vs Role 2 — what they do (and what you control)

Role	Purpose	Recommended permissions	When you need it
Role 1: Publish	Uploads recording files to your S3 bucket	Write-only (PutObject + multipart upload actions)	Always (required to store recordings in your bucket)
Role 2: Playback	Reads recording files from your bucket for playback	Read-only (GetObject, optionally ListBucket scoped to prefix)	Only if you want playback via VideoEngager/SmartVideo

Security controls you have:

You can keep VideoEngager write-only by granting Role 1 upload permissions and not granting read.
You can enable playback by granting Role 2 read-only.
You can restrict access to a prefix (recommended), and optionally add an explicit Deny to ensure Role 1 can never read.

Step 1 — Prepare your S3 bucket (AWS)

Create or choose an S3 bucket in your AWS account (the bucket owner account).
Keep Block Public Access enabled.
(Recommended) Decide a prefix/folder for recordings, e.g. recordings/ or recordings/<tenant>/.

Step 2 — Add the S3 Bucket Policy (Cross-Account Access)

In AWS: S3 → your bucket → Permissions → Bucket policy. Use the patterns below and replace placeholders with values from Support.

✅ Recommended: separate Publish vs Playback permissions

This keeps least-privilege clean: Role 1 writes, Role 2 reads. If you don’t need playback via VideoEngager, you can omit the Role 2 statement entirely.

Option A (recommended): Prefix-scoped policy (best practice)

Replace:

<BUCKET> → your bucket name
<PREFIX> → e.g. recordings (no leading/trailing slash in placeholders below)
<PUBLISH_ROLE_ARN> → from VideoEngager Support
<PLAYBACK_ROLE_ARN> → from VideoEngager Support (optional if you need playback)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Role1PublishWriteOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "<PUBLISH_ROLE_ARN>" },
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
         "arn:aws:s3:::<BUCKET>",
         "arn:aws:s3:::<BUCKET>/<PREFIX>/*"
      ]
    },
    {
      "Sid": "DenyRole1PublishReadBack",
      "Effect": "Deny",
      "Principal": { "AWS": "<PUBLISH_ROLE_ARN>" },
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::<BUCKET>/<PREFIX>/*"
    },
    {
      "Sid": "Role2PlaybackReadOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "<PLAYBACK_ROLE_ARN>" },
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::<BUCKET>/<PREFIX>/*"
    }
  ]
}

Option B: Bucket-wide policy (simpler, less restrictive)

Use this only if you cannot use a prefix or want the fastest setup. This grants access across the entire bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Role1PublishWriteOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "<PUBLISH_ROLE_ARN>" },
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::<BUCKET>/*"
    },
    {
      "Sid": "Role2PlaybackReadOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "<PLAYBACK_ROLE_ARN>" },
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::<BUCKET>/*"
    }
  ]
}

Step 3 — Configure S3 Storage in Genesys Cloud (SmartVideo)

Log in to Genesys Cloud.
Go to Apps → SmartVideo Settings.
Select the Recording tab.

Final Storage (where recordings are saved)

Scroll to Final Storage and enable Override the default storage configuration.
Set Storage Type → S3.
Relative path:
- Leave empty if your bucket policy is bucket-wide.
- If you used a prefix policy, set it to your prefix (example: recordings).
Under AWS S3 Configuration:
- Region → your bucket region
- Bucket → your bucket name

Playback Storage (used for playback)

Scroll to Playback Storage and enable Override the default storage configuration.
Set Storage Type → S3.
Use the same bucket/region (and prefix if used) as Final Storage.
If you want playback via VideoEngager/SmartVideo, ensure your bucket policy includes Role 2 (Playback) read access.

Save: Scroll to the bottom, click Save settings, then wait at least 5 minutes for changes to apply.

Step 4 — Validate

Place a test call and end it.
Check your S3 bucket for new recording objects (in your configured prefix if used).
If you enabled playback, confirm playback works in your agent experience.

Troubleshooting (fast checks)

Symptom	Most common cause	Fix
No files appear in S3	Publish role not allowed to write	Verify bucket policy includes `<PUBLISH_ROLE_ARN>` and allows `s3:PutObject` for your bucket/prefix.
Files appear, but playback fails	Playback role not allowed to read	Add the Role 2 (Playback) statement with `s3:GetObject`, scoped to the same bucket/prefix.
Files appear in the wrong “folder”	Prefix mismatch between policy and “Relative path”	Ensure the bucket policy `<PREFIX>` and SmartVideo “Relative path” match exactly.
Nothing changes after saving settings	Propagation delay	Wait 5 minutes, then run a new test call.

📞 Still not working?

Contact VideoEngager Support and include:

Your AWS bucket name + region
Your chosen prefix (if any)
The bucket policy you applied (sanitized is fine)
Timestamp of the test call
Whether playback is required (Role 2) or you want write-only storage (Role 1 only)