DOCS-418 & 729: Document SRA session recording and tunnel limitations with web-access recording guide

[harrison-akeyless]

Summary

Integrates DOCS-729 Zero Trust Portal v1.12.6 and ZTWA v2.0.0-rc2 release updates into product documentation and documents known SRA tunnel limitations for session recording and secretless access.

Changes

DOCS-418: SRA Tunnel Limitations

• Added Connection Limitations section to SRA tunnel documentation explaining:
  • Session recording is not supported through SRA tunnels
  • Secretless access cannot be used with SRA tunnel connections
  • Direct connection methods should be used when these features are required
• Updated Desktop Application documentation to clarify encrypted-tunnel sessions and recording implications
• Clarified tunnel audit coverage and secret access permission requirements

DOCS-729: Session Recording and Release Updates

• Consolidated RDP Session Recording: Merged two RDP recording pages into canonical sra-rdp-recordings.md with complete reference documentation including:

  • Storage options (local, AWS S3, S3-compatible, Azure Blob Storage)
  • Quality, compression, and encryption controls
  • Authentication methods (Gateway identity, explicit credentials)
  • CLI configuration examples

• Dedicated Web Access Session Recording Guide: Created sra-web-access-session-recording.md with comprehensive ZTWA recording documentation:

  • Browser session video capture configuration
  • Recording quality selection (144p–1080p)
  • S3/S3-compatible upload with credentials and secret management
  • Server-side encryption (SSE-S3, SSE-KMS)
  • Lifecycle watchdog controls for recording duration
  • Service-level configuration overrides

• Updated Session Management Overview: Clarified distinction between RDP and web-access session recording types with cross-references to canonical documentation pages

• GCP Dynamic Secrets Placement: Added guidance for configuring GCP dynamic secret locations in ZTWA deployments

• ZTWA Setup Documentation: Enhanced with complete session recording configuration surface documentation

Motivation

Customers needed clear documentation distinguishing between two different session recording implementations (RDP recording managed through Gateway CLI vs. ZTWA recording managed through Helm chart values). Additionally, tunnel limitations documentation prevents support escalations from users attempting unsupported feature combinations.

Resolves DOCS-418 and DOCS-729

Related Issues

• DOCS-418: Document SRA tunnel limitations
• DOCS-729: Zero Trust Portal v1.12.6 & ZTWA v2.0.0-rc2 Releases

[coderabbitai]

Warning

Rate limit exceeded

@harrison-akeyless has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 52 minutes and 20 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 90637b74-2933-4564-90b9-f8ef63f64345

📥 Commits

Reviewing files that changed from the base of the PR and between 8ae1b55 and d935c53.

📒 Files selected for processing (1)

• docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md

📝 Walkthrough

Walkthrough

This PR updates SRA docs to clarify tunnel audit wording and limitations (no recording, no secretless access), adds web-access session recording docs and K8s configuration, updates RDP recording text, adjusts ordering, and adds a GCP dynamic secret location note.

Changes

Secure Remote Access tunnel limitations and session recording

Layer / File(s)	Summary
Tunnel-based connection limitations definition docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md	Tunnel audit description updated to "connection-level audit events." New Limitations section states tunnels cannot be inspected/recorded by the bastion and do not support secretless access (explicit Read required on secret items).
Desktop Application tunnel-based connections clarification docs/Secure Remote Access/sra-user-guides/sra-desktop-application-beta.md	Adds a "Tunnel-Based Connections" note: Desktop App sessions use encrypted tunnels, session recordings aren't captured, secretless access doesn't apply, and links to Tunnels doc.
Session recording pages and K8s config docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml, docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md, docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md, docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md, docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md	Adds new Web Access Session Recording guide; expands Session Management to include web-access recordings; updates RDP recordings page (encryption wording generalized, related pages links); inserts ordering entry; and adds detailed sessionRecording Helm values and narrative in the K8s deployment guide.
GCP dynamic secrets location clarification docs/Secrets Management/how-to-create-dynamic-secret/gcp-dynamic-secrets.md	Adds a note clarifying the chosen "Location" path determines where the dynamic secret appears in the Console Items hierarchy and should match the desired folder structure visibility.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• EldadH89

Poem

🐰 Through tunnels snug where secrets hide and flow,
I write a note so curious minds will know—
No video here, the bastion cannot see,
Permissions still gate what access will be.
Hops and Helm values documented below.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: documenting SRA tunnel limitations alongside a web-access recording guide. It references both core objectives (tunnel limitations and recording guide) and includes relevant ticket numbers.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch v1.0_docs-418-sra-tunnel-limitations

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

docs/Secure Remote Access/index.md (1)

46-46: ⚡ Quick win

Consider consistent formatting for permission names.

The content addition is excellent and clarifies an important distinction. However, there's a minor formatting inconsistency: this file uses Read (italic) while sra-tunnels.md line 28 and sra-desktop-application-beta.md line 35 use Read (inline code) for the same permission name. Consider using inline code formatting consistently across all three files.

Suggested formatting alignment

-6. Granular RBAC: Access can be tightly scoped so that each user is granted only the necessary permissions to the specific targets or resources they need (Users are restricted from accessing anything beyond their defined scope). For portal-based connections, users only need SRA permissions to initiate connections—without requiring any _Read_ access to the underlying secrets. **Note:** Secretless access does not apply to tunnel-based connections; those connections require explicit _Read_ permission on the secret item.
+6. Granular RBAC: Access can be tightly scoped so that each user is granted only the necessary permissions to the specific targets or resources they need (Users are restricted from accessing anything beyond their defined scope). For portal-based connections, users only need SRA permissions to initiate connections—without requiring any `Read` access to the underlying secrets. **Note:** Secretless access does not apply to tunnel-based connections; those connections require explicit `Read` permission on the secret item.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/Secure` Remote Access/index.md at line 46, The permission name
formatting is inconsistent: change the italicized _Read_ in the added line to
inline code formatting `Read` so it matches the other docs that use `Read` (the
permission token), i.e., locate the string "Read" in the new sentence about
native SSO integrations and replace the markdown italic with inline-code
backticks to keep permission-name formatting consistent across the docs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/Secure` Remote Access/index.md:
- Line 46: The permission name formatting is inconsistent: change the italicized
_Read_ in the added line to inline code formatting `Read` so it matches the
other docs that use `Read` (the permission token), i.e., locate the string
"Read" in the new sentence about native SSO integrations and replace the
markdown italic with inline-code backticks to keep permission-name formatting
consistent across the docs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9202003c-d65a-4980-95c1-63f61b491b80

📥 Commits

Reviewing files that changed from the base of the PR and between 26bffa4 and 3d47dd0.

📒 Files selected for processing (3)

• docs/Secure Remote Access/index.md
• docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md
• docs/Secure Remote Access/sra-user-guides/sra-desktop-application-beta.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/Secure` Remote
Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md:
- Line 41: Update the hyphenation in the sentence under the "Algorithm" bullet:
replace the phrase "Akeyless supported key types" with "Akeyless-supported key
types" so the line reads "* **Algorithm:** Encryption uses Akeyless-supported
key types." Locate the bullet with the "**Algorithm:**" label in
sra-rdp-recordings.md and make this single-word hyphenation change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ed744143-89a7-43dd-bd9d-132f356e261c

📥 Commits

Reviewing files that changed from the base of the PR and between 3d47dd0 and 552bb19.

📒 Files selected for processing (4)

• docs/Secrets Management/how-to-create-dynamic-secret/gcp-dynamic-secrets.md
• docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md
• docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md
• docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md

✅ Files skipped from review due to trivial changes (2)

• docs/Secrets Management/how-to-create-dynamic-secret/gcp-dynamic-secrets.md
• docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md (1)

45-45: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Hyphenate the compound modifier in the algorithm bullet.

Use “Akeyless-supported key types” for correct grammar and readability.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/Secure` Remote
Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md at line 45,
Update the Algorithm bullet so the compound modifier is hyphenated: change the
phrase "Akeyless supported key types" to "Akeyless-supported key types" in the
line beginning with "**Algorithm:**" to improve grammar and readability.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/Secure` Remote
Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md:
- Around line 113-119: The "## Related Pages" heading is placed before the
storage subsections causing "### Azure Blob Storage" to be interpreted as its
child; move the "## Related Pages" block to the end of the document (after the
storage subsections) or alternatively demote it to "### Related Pages" so that
"### Azure Blob Storage" remains a child of "## Storage Options"; update the
headings around "## Storage Options", "### Azure Blob Storage" and "## Related
Pages" accordingly to restore proper hierarchy.

---

Duplicate comments:
In `@docs/Secure` Remote
Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md:
- Line 45: Update the Algorithm bullet so the compound modifier is hyphenated:
change the phrase "Akeyless supported key types" to "Akeyless-supported key
types" in the line beginning with "**Algorithm:**" to improve grammar and
readability.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8a0193f6-d4cb-461e-baf1-a0f7b65df33a

📥 Commits

Reviewing files that changed from the base of the PR and between 552bb19 and 8ae1b55.

📒 Files selected for processing (5)

• docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml
• docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md
• docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md
• docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md
• docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md

✅ Files skipped from review due to trivial changes (3)

• docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml
• docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md
• docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md