From d67b9a32c6b66a5d9a15d534dea32507ede6cc4c Mon Sep 17 00:00:00 2001
From: Steve Kriss
Date: Wed, 16 May 2018 16:35:14 -0700
Subject: [PATCH 1/3] S3: add file credentials to chain
Signed-off-by: Steve Kriss
---
 internal/backend/s3/s3.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/internal/backend/s3/s3.go b/internal/backend/s3/s3.go
index 636a52b46..b8af5b0bf 100644
--- a/internal/backend/s3/s3.go
+++ b/internal/backend/s3/s3.go
@@ -55,6 +55,8 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
 SecretAccessKey: cfg.Secret,
 },
 },
+ &credentials.FileAWSCredentials{},
+ &credentials.FileMinioClient{},
 &credentials.IAM{
 Client: &http.Client{
 Transport: http.DefaultTransport,
From b358dd369b2cd01e354211d32455446e3e070c8b Mon Sep 17 00:00:00 2001
From: Steve Kriss
Date: Wed, 16 May 2018 16:39:25 -0700
Subject: [PATCH 2/3] S3: rearrange credentials chain to be standard
Signed-off-by: Steve Kriss
---
 internal/backend/s3/s3.go | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/internal/backend/s3/s3.go b/internal/backend/s3/s3.go
index b8af5b0bf..8313e27ce 100644
--- a/internal/backend/s3/s3.go
+++ b/internal/backend/s3/s3.go
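Review bot: The two providers added in [PATCH 1/3] are zero values (`&credentials.FileAWSCredentials{}`, `&credentials.FileMinioClient{}`) placed ahead of `&credentials.IAM{`, so restic now picks up ambient credential files implicitly and a leftover file outranks an instance role. Path and profile/alias are presumably resolved by minio-go from the environment and the home directory rather than from `cfg`, which means a run under another account (cron, sudo) can use a different identity, and whatever is found is not tied to `cfg.Endpoint`. I would document that at the call site, e.g. `// File providers use library defaults: path and profile/alias come from the environment and $HOME, not from cfg, and are not scoped to cfg.Endpoint.` The provider slice and `open` itself start and end outside this hunk.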
@@ -40,21 +40,24 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
 minio.MaxRetry = int(cfg.MaxRetries)
 }
 
- // Chains all credential types, starting with
- // Static credentials provided by user.
- // IAM profile based credentials. (performs an HTTP
- // call to a pre-defined endpoint, only valid inside
- // configured ec2 instances)
- // AWS env variables such as AWS_ACCESS_KEY_ID
- // Minio env variables such as MINIO_ACCESS_KEY
+ // Chains all credential types, in the following order:
+ // - Static credentials provided by user
+ // - AWS env vars (i.e. AWS_ACCESS_KEY_ID)
+ // - Minio env vars (i.e. MINIO_ACCESS_KEY)
+ // - AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)
+ // - Minio creds file (i.e. MINIO_SHARED_CREDENTIALS_FILE or ~/.mc/config.json)
+ // - IAM profile based credentials. (performs an HTTP
+ // call to a pre-defined endpoint, only valid inside
+ // configured ec2 instances)
 creds := credentials.NewChainCredentials([]credentials.Provider{
- &credentials.EnvAWS{},
 &credentials.Static{
 Value: credentials.Value{
 AccessKeyID: cfg.KeyID,
 SecretAccessKey: cfg.Secret,
 },
 },
+ &credentials.EnvAWS{},
+ &credentials.EnvMinio{},
 &credentials.FileAWSCredentials{},
 &credentials.FileMinioClient{},
 &credentials.IAM{
@@ -62,7 +65,6 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
 Transport: http.DefaultTransport,
 },
 },
- &credentials.EnvMinio{},
 })
 client, err := minio.NewWithCredentials(cfg.Endpoint, creds, !cfg.UseHTTP, "")
 if err != nil {
From 0785fbd41807463c7870ee95785c55b3402b58a9 Mon Sep 17 00:00:00 2001
From: Steve Kriss
Date: Wed, 16 May 2018 16:49:49 -0700
Subject: [PATCH 3/3] changelog entry
Signed-off-by: Steve Kriss
---
 changelog/unreleased/pull-1782 | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 changelog/unreleased/pull-1782
diff --git a/changelog/unreleased/pull-1782 b/changelog/unreleased/pull-1782
new file mode 100644
index 000000000..ff65442ea
--- /dev/null
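Review bot: After the reorder in [PATCH 2/3] nothing in `open` records which of the six providers supplied the credentials, and as far as I can tell minio-go's chain skips providers that return nothing and ends in anonymous signing rather than an error. A mistyped profile or unreadable credentials file would then show up only as an access-denied response from the server. After the `NewChainCredentials` call I would resolve once and log the outcome without key material: `if v, err := creds.Get(); err == nil && v.SignerType == credentials.SignatureAnonymous { debug.Log("s3: no credentials found, using anonymous access") }`, assuming the package's debug logger is in scope in this file. `open` begins before and continues after both hunks on this line; the second hunk (`@@ -62,7 +65,6 @@`) only drops the old trailing `EnvMinio` entry.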
+++ b/changelog/unreleased/pull-1782
@@ -0,0 +1,7 @@
+Enhancement: Use default AWS credentials chain for S3 backend
+
+Adds support for file credentials to the S3 backend (e.g. ~/.aws/credentials),
+and reorders the credentials chain for the S3 backend to match AWS's standard,
+which is static credentials, env vars, credentials file, and finally remote.
+
+https://github.com/restic/restic/pull/1782
\ No newline at end of file