Add external storage locations

The External Storage page lets you add storage locations outside of Calabrio ONE. You can use these external storage locations when you export audio and screen recordings in bulk (see Export contacts in bulk). External storage is available as Amazon S3 buckets or Azure blobs.

Unlike the Calabrio ONE-hosted storage locations where you store audio recordings, screen recordings, and Analytics data during their retention period (see Configure storage profiles for QM and Analytics), your organization needs to create and manage these external storage locations independently. You cannot associate external storage locations with a storage profile.

Prerequisites

  • You have the Administer Tenant permission.
  • If you are using an Azure blob, you have the name of your organization’s Azure container name and connection string.
  • If you are using an Amazon S3 bucket:
    • You have the name of your organization’s Amazon S3 bucket. This is where Calabrio ONE exports your files.
    •  If you are using role assumption to grant access to your Amazon S3 bucket, you have the ARN for a role that is assigned the following:
      • A policy with these permissions for your S3 bucket: ListBucket, GetBucketLocation, and PutObject
      • A trust policy that allows a Calabrio production AWS account to assume a role. Contact Calabrio Support for the Calabrio AWS account information to use in the trust policy.
    • If you are not using role assumption to grant access to your Amazon S3 bucket, you have the access key and a secret key of an IAM user that is assigned to a policy that has these permissions for your S3 bucket: ListBucket, GetBucketLocation, and PutObject. Calabrio ONE accesses your S3 bucket with this user’s keys.

      EXAMPLE   

      The following policy grants the required permissions. You can assign this IAM user to a similar policy.

      Copy
      {
      “Version”: “<current policy language version>”,
      “Statement”: [
      {
      “Sid”: “Bucket”,
      “Effect”: “Allow”,
      “Action”: [
      “s3:ListBucket”,
      “s3:GetBucketLocation”
      ],
      “Resource”: [
      “arn:aws:s3:::<name of your S3 bucket>”
      ]
      },
      {
      “Sid”: “BucketContents”,
      “Effect”: “Allow”,
      “Action”: [
      “s3:PutObject”
      ],
      “Resource”: [
      “arn:aws:s3:::<name your S3 bucket>/*”
      ]
      }
      ]
      }

Page location

Application Management > Global > System Configuration > External Storage

Procedures

Add an Amazon S3 bucket as an external storage location using role assumption

  1. Select Create External Storage Location.
  2. In the Name field, enter a unique name for the S3 bucket.

    NOTE   This name identifies the external storage location in Calabrio ONE. It can be different from the name of the S3 bucket.

  3. From the Type drop-down list, select Amazon S3 (Immediate Access).
  4. Configure the AWS Storage Configuration section as follows. The values for the fields listed below come from your organization's AWS instance. Find the values and enter them into each of the fields listed below in Calabrio ONE.

    NOTE   Refer to AWS documentation for more information on creating an IAM role or managing access keys for IAM users.

    Field Description

    Use AWS IAM Role Assumption

    Keep this check box selected.

    Bucket Name

    Enter the name of the S3 bucket. This name is case-sensitive.

    Choose Region

    Select the Amazon region where the S3 bucket is located.

    Role ARN

    The Amazon Resource Name (ARN) for the role in your AWS account that grants access to the S3 bucket (or more generally, the AWS services) Calabrio ONE accesses. This role ARN should be in the standard AWS format:

    arn:aws:iam::<CUSTOMER_AWS_ACCOUNT_NUMBER:role/<ROLE_NAME>

  5. Click Save. The page refreshes.
  6. Select the storage location you just created from the Choose a storage location to edit drop-down list.
  7. In the AWS Storage Configuration section, select Show external ID.
  8. In AWS, configure your role’s Trust Policy to use the string of numbers and letters in the External ID field.

    IMPORTANT   The connection will not work until you complete this step.

    EXAMPLE   

    This is an example of a trust policy that you can add to the role:

    Copy
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<Calabrio account ARN>"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<Calabrio-generated external ID>"
                    }
                }
            }
        ]
    }
  9. (Optional) To verify your settings, click Test Connection.

Add an Amazon S3 bucket as an external storage location without using role assumption

  1. Select Create External Storage Location.
  2. In the Name field, enter a unique name for the S3 bucket.

    NOTE   This name identifies the external storage location in Calabrio ONE. It can be different from the name of the S3 bucket.

  3. From the Type drop-down list, select Amazon S3 (Immediate Access).
  4. Configure the AWS Storage Configuration section as follows. The values for the fields listed below come from your organization's AWS instance. Find the values and enter them into each of the fields listed below in Calabrio ONE.

    NOTE   Refer to AWS documentation for more information on creating an IAM role or managing access keys for IAM users.

    Field Description

    Use AWS IAM Role Assumption

    Clear this check box.

    Bucket Name

    Enter the name of the S3 bucket. This name is case-sensitive.

    Choose Region

    Select the Amazon region where the S3 bucket is located.

    IAM Access Key

    Enter the access key ID of the IAM user who is assigned to a policy that grants the permissions required to access the S3 bucket.

    IAM Secret Key

    Enter the secret access key of the IAM user who is assigned to a policy that grants the permissions required to access the S3 bucket.

  5. Click Save.
  6. (Optional) To verify your settings, click Test Connection.

Generate a new external ID for an existing Amazon S3 storage bucket

If the external ID that Calabrio ONE uses becomes compromised, you can generate a new one. An external ID is like a password for your organization's AWS account role. It is a unique identifier in AWS that Calabrio ONE uses when assuming the role in your AWS account for cross-account role access.

  1. Select Edit External Storage Location.
  2. Select the storage location from the Choose a storage location to edit drop-down list.
  3. In the AWS Storage Configuration section, click Generate new external ID. A confirmation message appears.
  4. Click Yes.
  5. In AWS, configure your role’s Trust Policy to use the new external ID in the condition element.

    IMPORTANT   The connection will not work until you complete this step.

    EXAMPLE   

    This is an example of a trust policy that you can add to the role:

    Copy
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<Calabrio account ARN>"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<Calabrio-generated external ID>"
                    }
                }
            }
        ]
    }
  6. (Optional) To verify your settings, click Test Connection.

Add an Azure blob as an external storage location

  1. Select Create External Storage Location.
  2. In the Name field, enter a unique name for the Azure blob.

    NOTE   This name identifies the Azure blob in Calabrio ONE. It can be different from the name of the Azure blob.

  3. From the Type drop-down list, select Azure Blob.
  4. In the Azure Storage Configuration section, enter the Container Name and the Connection String. These come from your organization’s Azure instance.
  5. (Optional) To verify your settings, click Test Connection.
  6. Click Save.

Related topics