DOCS-418 & 729: Document SRA session recording and tunnel limitations with web-access recording guide

docs/Secrets Management/how-to-create-dynamic-secret/gcp-dynamic-secrets.md

@@ -188,6 +188,8 @@ akeyless dynamic-secret get-value --name <Path to your dynamic secret>
 
 3. Define a **Name** of the dynamic secret, and specify the **Location** as a path to the virtual folder where you want to create the new dynamic secret, using slash `/` separators. If the folder does not exist, it will be created together with the dynamic secret.
 
+    The Location determines where the dynamic secret appears in the Items hierarchy, so use the path that matches the folder structure you want users to see.
+
 4. Define the remaining parameters as follows:
 
     * **Delete Protection:** When enabled, it protects the secret from accidental deletion.

docs/Secure Remote Access/sra-admin-guides/sra-resource-types/sra-tunnels.md

@@ -10,7 +10,7 @@ metadata:
 next:
   description: ''
 ---
-Akeyless Secure Remote Access solution has a built-in `Tunnel` mode, which can be used to connect with various native and thick clients to remote hosts by way of Akeyless SRA SSH server, supported with a complete Audit Trail.
+Akeyless Secure Remote Access solution has a built-in `Tunnel` mode, which can be used to connect with various native and thick clients to remote hosts by way of Akeyless SRA SSH server, supported with connection-level audit events.
 
 While your local machine uses the [Akeyless Connect](https://docs.akeyless.io/docs/sra-akeyless-connect) CLI, any thick client can be used to establish the connection to a remote server within your internal network by way of the Akeyless SRA SSH server.
 
@@ -20,6 +20,13 @@ While your local machine uses the [Akeyless Connect](https://docs.akeyless.io/do
 
 * The [Secure Remote Access server](https://docs.akeyless.io/docs/sra-setup-k8s) deployed.
 
+## Limitations
+
+Because tunnel connections use end-to-end encryption between the client and the remote target, the SRA bastion cannot inspect the traffic. This has two important implications:
+
+* **No session recording**: Tunnel connections are not recorded. Traffic is encrypted between the client and the target, so the bastion cannot capture session content.
+* **Secretless access is not supported**: Unlike [portal-based connections](https://docs.akeyless.io/docs/sra-portal), tunnels require the user to have explicit `Read` permission on the secret item in Akeyless. The bastion cannot inject credentials into the tunnel without the user being able to see them.
+
 ## Usage
 
 > ⚠️ **Warning:**

docs/Secure Remote Access/sra-admin-guides/sra-session-management/_order.yaml

@@ -1,3 +1,4 @@
 - sra-sessions-overview
 - sra-session-forwarding
 - sra-rdp-recordings
+- sra-web-access-session-recording

docs/Secure Remote Access/sra-admin-guides/sra-session-management/index.md

@@ -12,7 +12,7 @@ next:
 ---
 Session Management provides users with full control over how session activities are recorded, stored, and forwarded for auditing and analysis. Through the platform’s UI, users can enable session recording and configure how session data is forwarded to external systems.
 
-Key actions include enabling session recording for various types of remote access sessions, configuring log forwarding for CLI-based sessions, and managing video recordings for RDP sessions.
+Key actions include enabling session recording for various types of remote access sessions, configuring log forwarding for CLI-based sessions, and managing video recordings for RDP and web-access sessions.
 
 ## Session Recording
 
@@ -22,10 +22,20 @@ Key actions include enabling session recording for various types of remote acces
 
 SRA allows you to automatically upload and store these video recordings in secure locations such as AWS S3 or Azure Blob Storage for long-term retention and review, or you can store them locally on the server.
 
+### Web Access Session Recording
+
+[Web access session recording](https://docs.akeyless.io/docs/sra-web-access-on-k8s) refers to the process of capturing browser-based web access sessions in Zero Trust Web Access (ZTWA). These recordings preserve the interactive web session and can be stored with the ZTWA deployment configuration.
+
+For full recording configuration options (quality, upload destination, compression, encryption, watchdog controls, and service-level overrides), see [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s).
+
 ### Terminal-Based Sessions
 
 For terminal-based sessions (such as SSH, DB, and Kubernetes), the system records a full transcript of the commands entered and their corresponding outputs. This data can be forwarded to external systems like Splunk, Elasticsearch, or by way of Syslog for monitoring and archiving. See more [here](https://docs.akeyless.io/docs/sra-session-forwarding).
 
+> ℹ️ **Note:**
+>
+> Session recording and terminal session forwarding are different features. Use [RDP Recordings](https://docs.akeyless.io/docs/sra-rdp-recordings) for RDP video capture and [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s) for browser-based ZTWA video capture.
+
 ## Secret Locking and Rotation Timing
 
 For sessions that use **Static Secret** and **Rotated Secret** items, Session Management supports the following controls:

docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-rdp-recordings.md

@@ -12,6 +12,12 @@ next:
 ---
 RDP Session Recording is managed entirely through your Gateway's console under the **Remote Access** section in the Gateway settings. These sessions generate video recordings that can be uploaded to **AWS S3**, **S3-compatible object storage** (for example, NetApp StorageGRID), or **Azure Blob Storage** for secure storage, or can be saved locally.
 
+> ℹ️ **Note:**
+>
+> If you are working with browser-based Zero Trust Web Access recordings, use [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s).
+
+RDP recordings support configurable quality, compression, and encryption for stored sessions.
+
 ## Session Recording
 
 SRA supports the recording of RDP sessions. You can choose to store RDP Session Recordings by clicking **Remote Access -> Session Recording -> RDP Recordings**, clicking the slider to Enable, and then choosing the location to keep the recordings of those sessions.
@@ -32,11 +38,11 @@ Optionally compress the encoded video file using `GZIP`.
 
 * **When to use:** Enable compression to reduce storage footprint, especially for long sessions.
 
-#### Encryption (AES)
+#### Encryption
 
-Protect recordings at rest with AES-based encryption.
+Protect recordings at rest with encryption.
 
-* **Algorithm:** **AES** (Akeyless supported key types).
+* **Algorithm:** Encryption uses Akeyless-supported key types.
 * **Scope:** Entire video payload is encrypted after encoding (and after optional compression).
 * **Access:** Only authorized users with the appropriate permissions can decrypt and access the file.
 
@@ -155,3 +161,9 @@ akeyless gateway update remote-access-rdp-recording \
 --rdp-session-recording true \
 --rdp-session-storage local
 ```
+
+## Related Pages
+
+* [Web Access Session Recording](https://docs.akeyless.io/docs/sra-web-access-session-recording)
+* [Session Management](https://docs.akeyless.io/docs/sra-session-management)
+* [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding)

docs/Secure Remote Access/sra-admin-guides/sra-session-management/sra-web-access-session-recording.md

@@ -0,0 +1,104 @@
+---
+title: Web Access Session Recording
+excerpt: ''
+deprecated: false
+hidden: false
+metadata:
+  title: ''
+  description: ''
+  robots: index
+next:
+  description: ''
+---
+Web Access Session Recording captures browser-based Zero Trust Web Access (ZTWA) sessions for review, compliance, and incident investigation.
+
+> ℹ️ **Note:**
+>
+> If you are looking for Remote Desktop Protocol recordings, use [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-recordings).
+
+## Feature Scope
+
+Web Access Session Recording covers:
+
+* Browser session video capture.
+* Recording quality selection.
+* Upload to S3 or S3-compatible storage.
+* Optional gzip compression before upload.
+* Optional server-side encryption options.
+* Lifecycle watchdog controls for recording duration and client-connect timing.
+
+This feature is configured in the Zero Trust Web Access chart `values.yaml`.
+
+## Configuration Surfaces
+
+Use these surfaces:
+
+* Primary: `sessionRecording` in `values.yaml`.
+* Advanced overrides:
+    * `dispatcher.config.recording`
+    * `webWorker.config.recording`
+
+Deployment guidance: [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s).
+
+## Configuration Reference
+
+### Base Recording Controls
+
+* `sessionRecording.enabled`: Enables worker-side recording capture.
+* `sessionRecording.quality`: Recording quality (`144p`, `240p`, `360p`, `480p`, `720p`, `1080p`).
+
+### Upload Controls
+
+* `sessionRecording.upload.enabled`
+* `sessionRecording.upload.s3Bucket`
+* `sessionRecording.upload.s3Region`
+* `sessionRecording.upload.s3Prefix`
+* `sessionRecording.upload.s3Endpoint` (optional S3-compatible endpoint)
+* `sessionRecording.upload.compress`
+
+### Encryption Controls
+
+* `sessionRecording.upload.sse.type` (`""`, `sse-s3`, `sse-kms`)
+* `sessionRecording.upload.sse.kmsKeyId`
+
+### Credentials and Secret Wiring
+
+* `sessionRecording.upload.existingSecretNames.s3`
+* `sessionRecording.upload.existingSecretNames.s3AccessKeyIdKey`
+* `sessionRecording.upload.existingSecretNames.s3SecretAccessKeyKey`
+
+If no secret is set, upload can use the AWS default credential chain.
+
+### Watchdog Controls
+
+* `sessionRecording.watchdog.clientConnectTimeoutSeconds`
+* `sessionRecording.watchdog.intervalSeconds`
+* `sessionRecording.watchdog.maxDurationSeconds`
+
+These settings help bound long-running recordings and clean up stalled sessions.
+
+### Service-Level Overrides
+
+Dispatcher upload override fields can be set in `dispatcher.config.recording`.
+
+Worker capture override fields (`enabled`, `quality`) can be set in `webWorker.config.recording`.
+
+Use overrides only when service-specific behavior must differ from the shared `sessionRecording` block.
+
+## End-to-End Workflow
+
+1. Enable recording in `sessionRecording.enabled`.
+2. Set desired recording quality.
+3. Enable upload and configure destination bucket and region.
+4. Configure credential secret references or identity-based authentication.
+5. Optionally configure compression and encryption.
+6. Optionally tune watchdog values for long-running workloads.
+7. Deploy or upgrade the chart.
+8. Start a ZTWA browser session and verify the recording artifact in the configured storage destination.
+
+## Related Pages
+
+* [RDP Session Recording](https://docs.akeyless.io/docs/sra-rdp-recordings)
+* [Session Management](https://docs.akeyless.io/docs/sra-session-management)
+* [Zero Trust Web Access on K8s](https://docs.akeyless.io/docs/sra-web-access-on-k8s)
+* [Session Log Forwarding](https://docs.akeyless.io/docs/sra-session-forwarding)

docs/Secure Remote Access/sra-setup/sra-web-access-on-k8s/index.md

@@ -14,6 +14,10 @@ Akeyless Zero Trust Web Access Bastion provides Secure Remote Access to internal
 
 This deployment can route sessions through an isolated remote browser or directly to the target server, based on secret configuration and policy.
 
+The non-privileged deployment model is supported, so you do not need to add a port `80` binding for the chart to run.
+
+ZTWA session recording captures browser-based web access sessions and supports configurable quality, compression, and encryption for stored recordings.
+
 This chart bootstraps the `Akeyless-Web-Access-Bastion` deployment on Kubernetes with Helm.
 
 ## Before you begin
@@ -109,6 +113,8 @@ The chart exposes resource requests and limits for workload and init containers.
 
 The chart templates also configure non-root execution for Web Dispatcher and Web Worker containers.
 
+ZTWA session recordings support configurable quality, compression, and encryption for stored sessions.
+
 Do not override default user or group security context values unless directed by Akeyless Support.
 
 Use this baseline for environments with strict Kubernetes admission policies:
@@ -226,6 +232,77 @@ env:
     value: "https://vault.akeyless.io"
 ```
 
+### Web access session recording configuration
+
+Use the `sessionRecording` block to configure browser-based session recording for ZTWA.
+
+```yaml
+sessionRecording:
+  enabled: true
+  quality: "360p" # 144p | 240p | 360p | 480p | 720p | 1080p
+  upload:
+    enabled: true
+    s3Bucket: "<S3_BUCKET_NAME>"
+    s3Region: "<AWS_REGION>"
+    s3Prefix: "<OPTIONAL_PREFIX>"
+    s3Endpoint: "<OPTIONAL_S3_COMPATIBLE_ENDPOINT>"
+    compress: false
+    sse:
+      type: "" # "" | sse-s3 | sse-kms
+      kmsKeyId: "<OPTIONAL_KMS_KEY_ID_OR_ARN>"
+    existingSecretNames:
+      s3: "<S3_CREDENTIALS_SECRET_NAME>"
+      s3AccessKeyIdKey: "access-key-id"
+      s3SecretAccessKeyKey: "secret-access-key"
+```
+
+When enabled, the worker captures the browser session and the dispatcher prepares the upload artifact and uploads it to S3 or S3-compatible storage.
+
+#### Recording quality
+
+Set `sessionRecording.quality` to one of:
+
+* `144p`
+* `240p`
+* `360p`
+* `480p`
+* `720p`
+* `1080p`
+
+#### Upload and encryption options
+
+Use `sessionRecording.upload` to control destination and storage behavior:
+
+* `enabled`: Turn upload on or off.
+* `s3Bucket`, `s3Region`, `s3Prefix`: Destination bucket and object path.
+* `s3Endpoint`: Optional custom endpoint for S3-compatible platforms.
+* `compress`: Gzip-compress before upload.
+* `sse.type`: Server-side encryption mode (`sse-s3` or `sse-kms`).
+* `sse.kmsKeyId`: KMS key ID or ARN when `sse-kms` is used.
+
+#### Credentials source
+
+Provide S3 credentials by using `sessionRecording.upload.existingSecretNames.s3`.
+
+If the secret is not set, the deployment falls back to the AWS default credential chain.
+
+#### Worker lifecycle watchdog controls
+
+Use `sessionRecording.watchdog` to tune long-running recording behavior:
+
+* `clientConnectTimeoutSeconds`: Timeout for initial browser websocket connection.
+* `intervalSeconds`: How often watchdog checks run.
+* `maxDurationSeconds`: Maximum wall-clock duration for one recording.
+
+#### Service-specific recording overrides
+
+For advanced setups, service-level `recording` blocks can override part of the top-level `sessionRecording` config:
+
+* `dispatcher.config.recording`: upload-related override fields for the dispatcher.
+* `webWorker.config.recording`: capture-related override fields (`enabled`, `quality`) for workers.
+
+Use these only when you need per-service behavior that differs from the shared `sessionRecording` defaults.
+
 ### HTTP proxy mode
 
 To enable HTTP proxy mode for remote access, set `WEB_PROXY_TYPE` in dispatcher `env`.

docs/Secure Remote Access/sra-user-guides/sra-desktop-application-beta.md

@@ -30,6 +30,10 @@ Who benefits from using this application?
 
 The Desktop Application creates a tunnel to the designated resource and securely injects the password. To support this process, any user working with the Desktop Application must have [read permission](https://docs.akeyless.io/docs/rbac#permissions-for-items-access-roles-auth-methods-and-targets) on the Secret Item.
 
+> ℹ️ **Note (Tunnel-Based Connections):**
+>
+> The Desktop Application establishes connections by way of an encrypted tunnel. Because the bastion cannot inspect tunnel traffic, **session recordings are not captured** for Desktop Application sessions. Additionally, **secretless access does not apply**—users must have explicit `Read` permission on the secret item. See [Tunnels](https://docs.akeyless.io/docs/sra-tunnels) for details.
+
 ## Installation Guide
 
 Download the relevant Desktop Application installer from ([https://download.akeyless.io/Akeyless_Artifacts/](https://download.akeyless.io/Akeyless_Artifacts/)).