Use this file to discover all available pages before exploring further.
The recording_storage config field works for Amazon S3, Google Cloud Storage, and Azure Blob Storage — pick a provider, configure a one-time trust relationship on your side, and pass us the resulting non-secret identifiers.
No customer secrets are stored at Tavus. Every supported path uses provider-native federated identity (IAM role assumption, GCP Workload Identity Federation, or Entra ID Federated Credentials). You configure trust on your side; we receive short-lived tokens at runtime.
Recordings are typically available in your bucket within seconds to a few minutes after the call ends, depending on call length and provider. Once the recording lands, Tavus fires application.recording_ready (with storage_provider and a fully-qualified storage_uri) to your callback_url. See Webhooks and Callbacks.
S3 is the fastest path — recordings are written directly into your bucket as they finalize. Works in every AWS region.
1
Create an IAM role in your AWS account
Configure the role’s trust relationship with all three of the following — every field is mandatory:
Trusted AWS principal: AWS account ID 291871421005.
ExternalId:tavus.
Max session duration: 12 hours (43200 seconds). AWS roles default to 1 hour, but the recording service requests 12-hour sessions when assuming the role. A role with the default duration will fail validation at room creation with unable to assume role with given parameters.
About the trusted AWS account. Tavus’s recording infrastructure is operated through Daily.co; AWS account ID 291871421005 belongs to them. The same account ID is documented in Daily’s S3 setup guide for customers running their own security review. The ExternalId tavus is Tavus’s identifier with Daily, gating cross-account sts:AssumeRole per the confused-deputy AWS pattern.
The original setup using flat properties on properties (without the recording_storage object) continues to work. Existing integrations don’t need to change.
These map internally to provider: "s3". New integrations should use recording_storage — it’s the only way to access GCS, Azure, and unsupported S3 regions, and it’s where new fields will be added.
GCS uses Workload Identity Federation. Tavus exposes an OIDC issuer at https://recording-copy.tavus.io; you configure your GCP project to trust that issuer and bind it to a service account that has write access to your bucket.
Scope your trust to your account. The steps below bind trust using your Tavus Workspace ID as an attribute condition (attribute.customer_id). This ensures only recordings belonging to your account can authenticate to your GCP resources. Click your user profile on the Tavus platform to find your Workspace ID.
1
Create a Workload Identity Pool + Provider trusting Tavus
Create a service account and grant it write access to your bucket
BUCKET="your-recording-bucket"SA_EMAIL="tavus-recording-writer@${PROJECT_ID}.iam.gserviceaccount.com"gcloud iam service-accounts create tavus-recording-writer \ --project="$PROJECT_ID" \ --display-name="Tavus Recording Writer"gsutil iam ch "serviceAccount:${SA_EMAIL}:objectCreator" "gs://${BUCKET}"
3
Allow the federated identity to impersonate the service account
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')# Replace <your_workspace_id> with your Tavus Workspace ID (find in Tavus platform — click your user profile)PRINCIPAL="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/tavus-recording-pool/attribute.customer_id/<your_workspace_id>"gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \ --project="$PROJECT_ID" \ --role="roles/iam.workloadIdentityUser" \ --member="$PRINCIPAL"
4
Pass the federation identifiers on conversation creation
workload_identity_provider is the resource name without the //iam.googleapis.com/ prefix — Tavus prepends it.
Terraform setup for GCP
resource "google_iam_workload_identity_pool" "tavus" { workload_identity_pool_id = "tavus-recording-pool" display_name = "Tavus Recording Storage"}resource "google_iam_workload_identity_pool_provider" "tavus_worker" { workload_identity_pool_id = google_iam_workload_identity_pool.tavus.workload_identity_pool_id workload_identity_pool_provider_id = "tavus-worker" attribute_mapping = { "google.subject" = "assertion.sub" "attribute.customer_id" = "assertion.customer_id" } # Replace with your Tavus Workspace ID (find in Tavus platform — click your user profile) attribute_condition = "attribute.customer_id == '<your_workspace_id>'" oidc { issuer_uri = "https://recording-copy.tavus.io" }}resource "google_service_account" "tavus_writer" { account_id = "tavus-recording-writer" display_name = "Tavus Recording Writer"}resource "google_storage_bucket_iam_member" "writer" { bucket = "your-recording-bucket" role = "roles/storage.objectCreator" member = "serviceAccount:${google_service_account.tavus_writer.email}"}resource "google_service_account_iam_member" "wif_user" { service_account_id = google_service_account.tavus_writer.name role = "roles/iam.workloadIdentityUser" # Replace with your Tavus Workspace ID (find in Tavus platform — click your user profile) member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.tavus.name}/attribute.customer_id/<your_workspace_id>"}
Azure Blob uses Entra ID Federated Credentials. Tavus exposes an OIDC issuer at https://recording-copy.tavus.io; you create an App Registration on your side that trusts JWTs from this issuer.
Scope your trust to your account. The steps below set the federated credential subject to your Tavus Workspace ID. This ensures only recordings belonging to your account can authenticate to your Azure resources. Click your user profile on the Tavus platform to find your Workspace ID.
1
Create an App Registration with a federated credential
TENANT_ID="<your-tenant-uuid>"SUBSCRIPTION="<your-subscription-uuid>"RESOURCE_GROUP="your-rg"STORAGE_ACCOUNT="yourrecordingsaccount"CONTAINER="conversation-recordings"# 1. Create an App Registrationaz ad app create --display-name "Tavus Recording Storage"APP_ID=$(az ad app list --display-name "Tavus Recording Storage" --query "[0].appId" -o tsv)# 2. Add the federated credential (this trusts JWTs from Tavus)cat > federation.json <<EOF{ "name": "tavus-recording-copy", "issuer": "https://recording-copy.tavus.io", "subject": "<your_workspace_id>", "audiences": ["api://AzureADTokenExchange"]}EOF# Replace <your_workspace_id> with your Tavus Workspace ID (find in Tavus platform — click your user profile)az ad app federated-credential create --id "$APP_ID" --parameters federation.json# 3. Create a service principal for the appaz ad sp create --id "$APP_ID"SP_ID=$(az ad sp show --id "$APP_ID" --query id -o tsv)
2
Grant the App Registration write access to the container
SCOPE="/subscriptions/${SUBSCRIPTION}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.Storage/storageAccounts/${STORAGE_ACCOUNT}/blobServices/default/containers/${CONTAINER}"az role assignment create \ --assignee-object-id "$SP_ID" \ --assignee-principal-type ServicePrincipal \ --role "Storage Blob Data Contributor" \ --scope "$SCOPE"
3
Pass the federation identifiers on conversation creation
Subscription ID — the azurerm provider needs an explicit subscription ID. Either set export ARM_SUBSCRIPTION_ID=<your-sub-id> before terraform apply, or set subscription_id in your provider "azurerm" block. Without this, terraform plan hangs without a clear error.
resource "azuread_application" "tavus" { display_name = "Tavus Recording Storage"}resource "azuread_service_principal" "tavus" { client_id = azuread_application.tavus.client_id}resource "azuread_application_federated_identity_credential" "tavus" { application_id = azuread_application.tavus.id display_name = "tavus-recording-copy" description = "Tavus recording delivery" audiences = ["api://AzureADTokenExchange"] issuer = "https://recording-copy.tavus.io" # Replace with your Tavus Workspace ID (find in Tavus platform — click your user profile) subject = "<your_workspace_id>"}resource "azurerm_role_assignment" "writer" { scope = azurerm_storage_container.recordings.resource_manager_id role_definition_name = "Storage Blob Data Contributor" principal_id = azuread_service_principal.tavus.object_id}
The s3_key / storage_uri object key follows the pattern <conversation_id>/<file>.mp4. The conversation UUID prefix is stable; the filename is assigned by the recording service. Recordings are MP4 files.For GCS and Azure Blob, if delivery to your bucket exhausts retries (typically due to a misconfigured trust policy on your side), Tavus instead fires application.recording_copy_failed with error_code and error_message. The recording is retained in Tavus’s recording infrastructure for ~30 days as a manual recovery window. See event reference.
application.recording_ready arrives at your callback URL — typically within ~1 minute for an average call, longer for multi-hour recordings.
The storage_uri resolves — try opening it (or fetching it) from your cloud’s CLI.
If you see application.recording_copy_failed instead, the error_code is your starting point: DESTINATION_AUTH_FAILED is almost always a trust-policy issue (verify the issuer URI, subject claim, or assume-role principal).
