Configuring Vault Digital Publishing

When users take content out of Vault to use on websites or other digital channels, they risk publishing content that is no longer compliant. Vault allows organizations to push regulated content to various distribution channels and easily withdraw superseded or obsolete content, eliminating that risk. With Vault Digital Publishing you can leverage the performance benefits of a CDN (Content Delivery Network), allowing you to serve content quickly to global audiences, and the regulatory benefits of Vault, allowing you to easily withdraw content from the same system where you review and approve.

Note: This feature is only available for Commercial Vaults (PromoMats and MedComms) and was called Vault CDN Support in a previous release.

Supported CDN

Vault Digital Publishing allows you to integrate your Vault with Amazon CloudFront, utilizing your organization’s own Amazon S3 bucket.

Your S3 buckets will need to be properly set up in order to allow Vault access.

Setting Up Amazon S3 Buckets

Before Vault Digital Publishing can work, you must set up your Amazon S3 buckets with the appropriate permissions to allow Vault to read and write to the bucket. Permissions to manage bucket and object access can be configured using bucket policies. See the AWS S3 documentation for more information on bucket ownership.

Setting Up Amazon S3 Buckets with Bucket Policies

Note: You cannot use bucket policies to set up a Logging Bucket. See the AWS CloudFront documentation for more information on setting up a Logging Bucket using ACLs.

Create the buckets that you will need. If you’re using Vault Digital Publishing for Production and Staging environments, you’ll need to create two buckets. Note that the bucket names do not matter for Vault Digital Publishing but need to be distinct.
Ensure that ACLs are disabled. By default, disabling ACLs assigns the bucket owner ownership of all objects within the bucket and the ability to define bucket policies to manage access.
Edit the bucket policy by adding a statement with the following settings:
- Effect: Allow
- Principal: "CanonicalUser": "6aa09b8b08a72fa7c87711134cbbdca1a855f619b5679ad7a90b9d947420928f"
- Action: DeleteObject, GetObject, PutObject
- Resource: arn:aws:s3:::${BucketName}/*
Validate each S3 bucket you wish to use with Vault Digital Publishing using a verification file.

Setting Up Amazon CloudFront

Before Vault Digital Publishing can work, you must set up your Amazon CloudFront using the following steps:

In CloudFront, create an Origin Access Identity. Make note of the Amazon S3 canonical User ID. Vault will utilize this ID later when populating Digital Publishing Settings.
In CloudFront, create the web distributions that you will need. If you’re using Vault Digital Publishing for Production and Staging environments, you’ll need to create two distributions. Make note of the domain name. Vault will utilize this later when populating Digital Publishing Settings.

Distribution Settings

We recommend using the following distribution settings:

Origin Domain Name: S3 bucket for either Production or Staging
Restrict Bucket Access: Yes
Origin Access Identity: Use an Existing Identity and select the Origin Access Identity created in the previous step.
Grant Read Permissions: No, I Will Update Permissions

How to Enable Vault Digital Publishing

Before beginning enablement, you must set up your Amazon S3 buckets to allow Vault Digital Publishing.

To enable and set up Vault Digital Publishing:

From Admin > Settings, click Edit.
Select the Enable Digital Publishing checkbox.
Optional: Select Enable Push to Staging checkbox to enable pushing to a staging environment.
Optional: Select Enable CDN Usage Extraction checkbox to allow usage extraction.
Navigate to Admin > Configuration > Document Fields. Add the Digital Publishing (cdn_content__v), Production CDN URL (production_cdn_url__v), and (optional) Staging CDN URL (staging_cdn_url__v)shared fields to any document types where you want to use Vault Digital Publishing.
Navigate to Admin > Settings > Digital Publishing Settings and provide Amazon S3 details for the Production Bucket, (optional) Staging Bucket, and (optional) Logging Bucket. Learn more about Digital Publishing Settings.
After saving, refresh your browser window and Digital Publishing Settings will appear as a menu item on the left side of the UI.

Digital Publishing Settings

After enabling Vault Digital Publishing, you must configure settings to connect to the CDN.

Navigate to Admin > Settings > Digital Publishing Settings and click Edit.
Enter the details under Production Bucket, (optional) Staging Bucket, and (optional) Logging Bucket. To use Vault Digital Publishing, you must provide these details for the Production Bucket. The Staging Bucket is only needed if your organization will use a Staging environment.
Determine the region for your S3 bucket. This is located in the URL of your console. For example, the region for the following URL would be us-east-1: https://console.aws.amazon.com/console/home?region=us-east-1.
Go to the following URL https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region and locate the corresponding entry that matches your region. Copy the endpoint that uses the following format: s3.<your region>.amazonaws.com. In Vault, enter this value in the S3 Endpoint field.
Enter the S3 Bucket Name. This is the name of the bucket you’re connecting to, for example, vault-production, and can be found in the Amazon S3 console.
Enter the CDN Domain. This is specified in your Amazon CloudFront configuration that points to the S3 bucket.
Enter the CloudFront Origin Access Identity Canonical ID ARN (Amazon Resource Name) for the origin access identity that you created in CloudFront.
Follow the steps below to add the verification file to your buckets.

Validating

You must complete an additional validation step when adding a new bucket or editing an existing configuration. We recommend that you connect to both Vault and AWS Cloudfront/S3 to complete the validation steps. If you have multiple buckets configured for your Vault, you must validate each bucket in order to save configuration changes, even if the changes only apply to one bucket. To validate S3 buckets:

In Vault, navigate to Admin > Settings > Digital Publishing Settings and click Edit.
Click the Download Verification File link. Verification files are valid for 30 minutes and must be named verification.jwt.
Navigate to the root directory of your S3 bucket and upload the verifcation.jwt file you downloaded in the previous step, then click to open it.
In the Permissions tab, click Add Account, then add the following Canonical ID: 6aa09b8b08a72fa7c87711134cbbdca1a855f619b5679ad7a90b9d947420928f.
Set the Read object and Read object permissions checkboxes, then click Save.
Repeat steps 3-5 for each S3 bucket you use with Vault Digital Publishing. For example, if you have a Production Bucket, a Staging Bucket, and a Logging Bucket, you must add the validation file to all three buckets.
Return to the Digital Publishing Settings in Vault and click the Validate button for each bucket.

If Vault is not able to validate a specific bucket, you’ll see one of the following messages:

Unable to Connect
Unable to Write to Bucket
Unable to Delete from Bucket
Unable to Read from Bucket
Verification file not found in the bucket

Vault also validates that you have not used the same S3 Bucket Name and CDN Domain for the Production Bucket, and Staging Bucket, and Logging Bucket.

Note: Vault does not validate if the CDN Domain that you provided is valid and does not validate that the directory specified in the Logging Bucket section exists.

About CDN Usage Extraction

With Vault CDN Usage Extraction, you can configure to pull CloudFront usage data into your Vault and aggregate. You must have CloudFront logging enabled to allow usage extraction. Usage extraction allows you to utilize Vault’s reporting capabilities to view and analyze the usage of your content published through Vault CDN. Vault uses the Vault CDN Usage Extraction job to retrieve usage logs once a day and loads them into the Channel Usage object. If you don’t enable usage extraction, the Vault CDN Usage Extraction job is inactive and does not retrieve logging details.

Turning on CloudFront Usage Logging

CloudFront will only generate usage logs if this functionality is configured. To enable logging, navigate to AWS CloudFront:

Navigate to AWS CloudFront.
Click on the CloudFront distribution for which you want to configure to turn on usage logging.
Click Edit.
Under Logging, select On.
Specify a bucket to write the usage logs to. The best practice is to create a dedicated bucket for logging data.
Specify a Log Prefix in the form of <log prefix name>/. For example, logging/. Specifying a Log Prefix is required for the Vault usage extraction job to execute successfully.
Click Yes, Edit.

Providing Access to Usage Logs Written by CloudFront

When CloudFront writes log files, it only provides permission to read the logs to the owner of the S3 bucket. In order for the Vault CDN Usage Extraction job to execute successfully, the proper read permission needs to be set for all usage logs written by the CloudFront usage logging process. Veeva has created a lambda function which will automatically grant the Veeva canonical ID read permission for all usage logs with a .gz extension written by CloudFront. The following steps can be used to set up the Lambda function:

Permissions Necessary for IAM Policy

The Lambda function requires certain permissions in order to execute. You can create a new policy for the Lambda function or you can modify an existing policy. At a minimum, the role that executes the Lambda function needs to have a policy that supports the following Actions on the following resources:

Effect	Action	Resource
Allow	`logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`	`arn:aws:logs:::*`
Allow	`s3:GetObjectAcl`, `s3:GetBucketAcl`, `s3:PutObjectAcl`	`arn:aws:s3:::[bucket name]/*`, `arn:aws:s3:::[bucket name]` Replace Bucket Name with the bucket name where CloudFront usage logs are being written to.

The following is a JSON example of a policy with the appropriate permissions. In this example, the CloudFront is writing usage logs to the bucket with the name of cdn-logging.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",

                "s3:GetBucketAcl",

                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::cdn-logging/*",
                "arn:aws:s3:::cdn-logging"
            ]
        }
    ]
}

Create a Lambda Function

The following steps refer to instructions to create a Lambda Function from your AWS console. For assistance with setting up the Lambda Function, contact Veeva Support.

To create a Lambda function:

From your AWS Console, select Lambda.
Click Create Function. Confirm that the Author from scratch (default) is selected.
Enter a name for the lambda function.
Select Python 3.8 from the Runtime drop-down list.
Select Create a custom role from the Role drop-down list. This takes you to a new page.
Confirm that Create a new IAM Role is selected.
Enter a role name or accept the default name.
Click Allow.
Confirm the role you created in the previous step displays beneath Existing Role.
Click Create Function.

Configure a Lambda Function

To configure your Lambda function:

Scroll to the Function code.
Select Upload a .ZIP file for the Code Entry Type
Upload the .ZIP file.
Confirm that the Runtime lists Python 3.8.
Click Save. Note that you should not modify this function; Vault does not support modifications to the code.

Configure Triggers for a Lambda Function

To configure triggers for a Lambda function:

Under the Designer section, click on S3 to add a trigger to your Lambda function. This adds S3 as a trigger and displays the Configure Triggers section.
Select the bucket where the CloudFront will write the usage logs
Confirm that the default Object Created (All) displays for the Event Type.
Leave the Prefix blank.
Enter .gz in the Suffix field.
Select Enable Trigger.
Click Add.
Click Save to save your Lambda function.

Vault Digital Publishing Settings for Usage Extraction

Navigate to Admin > Settings > Digital Publishing Settings and click Edit.
Go to the https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region and locate the corresponding entry that matches your region. Copy the endpoint that uses the following format: s3.\<your region\>.amazonaws.com. In Vault, enter this value in the S3 Endpoint field.
Enter the S3 Bucket Name. This is the name of the bucket you’re connecting to, for example, vault-logging, and can be found in the Amazon S3 console.
Enter the Logs Directory. This is the name of the directory where CloudFront logs are written. This directory is specified when turning on CloudFront usage logging for a distribution. For example, if you specified the name “logging/” in your CloudFront distribution, you will want to enter “logging” as the Logs Directory.
Enter the Distribution ID. This is the distribution ID of the CloudFront distribution. Vault utilizes this ID to extract the correct logs. The file extraction process looks up all files with the specified distribution ID in their filenames and then extracts the dates located with the files.
Click Validate. Vault validates the S3 Endpoint and bucket name are accurate and that users have the appropriate permissions to read files within that directory.

Viewing Channel Usage

Once the Vault CDN Usage Extraction job successfully run, the results of the extraction are written to the Channel Usage object.

When content is written to the Channel Usage object, data is grouped and aggregated by Activity Date, Activity Type, Document, Rendition Type, and Edge Location.

The Activity Count field will reflect the total number of occurrences based on this grouping.
The Edge Location field corresponds to the CloudFront edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number, for example DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location, but per AWS, are subject to change in the future.

You will need to provide the proper Read permission to the Channel Usage object to Vault users. After providing the proper permissions, you can set up additional configuration to include the Channel Usage object as a tab or configure a new report type using Channel Usage object as a primary object.