TheArchive/restic
1
0
Fork 0
mirror of https://github.com/restic/restic.git synced 2025-12-12 05:11:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5527 from MichaelEischer/drop-s3-static-credentials

Browse Source 
s3: drop manual credentials loading from environment
This commit is contained in:
Michael Eischer
2025-10-03 19:57:55 +02:00
committed by GitHub
parent 76aa9e4f7c a30a36ca51
commit fd241b8ec7
2 changed files with 15 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
internal/backend/s3/s3.go
View File

@@ -57,12 +57,6 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
return nil, fmt.Errorf("feature flag `s3-restore` is required to use `-o s3.enable-restore=true`")
}
if cfg.KeyID == "" && cfg.Secret.String() != "" {
return nil, errors.Fatalf("unable to open S3 backend: Key ID ($AWS_ACCESS_KEY_ID) is empty")
} else if cfg.KeyID != "" && cfg.Secret.String() == "" {
return nil, errors.Fatalf("unable to open S3 backend: Secret ($AWS_SECRET_ACCESS_KEY) is empty")
}
if cfg.MaxRetries > 0 {
minio.MaxRetry = int(cfg.MaxRetries)
}
@@ -112,7 +106,7 @@ func getCredentials(cfg Config, tr http.RoundTripper) (*credentials.Credentials,
}
// Chains all credential types, in the following order:
// - Static credentials provided by user
// - Static credentials (test only)
// - AWS env vars (i.e. AWS_ACCESS_KEY_ID)
// - Minio env vars (i.e. MINIO_ACCESS_KEY)
// - AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)
@@ -121,13 +115,13 @@ func getCredentials(cfg Config, tr http.RoundTripper) (*credentials.Credentials,
// call to a pre-defined endpoint, only valid inside
// configured ec2 instances)
creds := credentials.NewChainCredentials([]credentials.Provider{
&credentials.EnvAWS{},
&credentials.Static{
&credentials.Static{ // test only
Value: credentials.Value{
AccessKeyID: cfg.KeyID,
SecretAccessKey: cfg.Secret.Unwrap(),
},
},
&credentials.EnvAWS{},
&credentials.EnvMinio{},
&credentials.FileAWSCredentials{},
&credentials.FileMinioClient{},
@@ -141,6 +135,14 @@ func getCredentials(cfg Config, tr http.RoundTripper) (*credentials.Credentials,
}
if c.SignerType == credentials.SignatureAnonymous {
keyID := os.Getenv("AWS_ACCESS_KEY_ID")
secret := os.Getenv("AWS_SECRET_ACCESS_KEY")
if keyID == "" && secret != "" {
return nil, errors.Fatalf("no credentials found. $AWS_SECRET_ACCESS_KEY is set but $AWS_ACCESS_KEY_ID is empty")
} else if keyID != "" && secret == "" {
return nil, errors.Fatalf("no credentials found. $AWS_ACCESS_KEY_ID is set but $AWS_SECRET_ACCESS_KEY is empty")
}
// Fail if no credentials were found to prevent repeated attempts to (unsuccessfully) retrieve new credentials.
// The first attempt still has to timeout which slows down restic usage considerably. Thus, migrate towards forcing
// users to explicitly decide between authenticated and anonymous access.