From 708d7a2574ab084e93872c222a2c86b3c6bc7ddc Mon Sep 17 00:00:00 2001
From: Garry McNulty <garrmcnu@gmail.com>
Date: Thu, 30 Sep 2021 19:45:31 +0100
Subject: [PATCH] s3: Add warning if key ID or secret is empty

Also add debug message if no credential types are available.

Closes #2388
---
 changelog/unreleased/issue-2388 | 7 +++++++
 cmd/restic/global.go            | 6 ++++++
 internal/backend/s3/s3.go       | 9 +++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 changelog/unreleased/issue-2388

diff --git a/changelog/unreleased/issue-2388 b/changelog/unreleased/issue-2388
new file mode 100644
index 000000000..3b4f1e763
--- /dev/null
+++ b/changelog/unreleased/issue-2388
@@ -0,0 +1,7 @@
+Enhancement: Add warning for S3 if partial credentials are provided
+
+Check if both the AWS key ID and secret environment variables are set
+before connecting to the remote server and report an error if not.
+
+https://github.com/restic/restic/issues/2388
+https://github.com/restic/restic/pull/3532
diff --git a/cmd/restic/global.go b/cmd/restic/global.go
index 360789eae..942c536ff 100644
--- a/cmd/restic/global.go
+++ b/cmd/restic/global.go
@@ -554,6 +554,12 @@ func parseConfig(loc location.Location, opts options.Options) (interface{}, erro
 			cfg.Secret = os.Getenv("AWS_SECRET_ACCESS_KEY")
 		}
 
+		if cfg.KeyID == "" && cfg.Secret != "" {
+			return nil, errors.Fatalf("unable to open S3 backend: Key ID ($AWS_ACCESS_KEY_ID) is empty")
+		} else if cfg.KeyID != "" && cfg.Secret == "" {
+			return nil, errors.Fatalf("unable to open S3 backend: Secret ($AWS_SECRET_ACCESS_KEY) is empty")
+		}
+
 		if cfg.Region == "" {
 			cfg.Region = os.Getenv("AWS_DEFAULT_REGION")
 		}
diff --git a/internal/backend/s3/s3.go b/internal/backend/s3/s3.go
index d94e7be84..be1830975 100644
--- a/internal/backend/s3/s3.go
+++ b/internal/backend/s3/s3.go
@@ -69,6 +69,15 @@ func open(ctx context.Context, cfg Config, rt http.RoundTripper) (*Backend, erro
 		},
 	})
 
+	c, err := creds.Get()
+	if err != nil {
+		return nil, errors.Wrap(err, "creds.Get")
+	}
+
+	if c.SignerType == credentials.SignatureAnonymous {
+		debug.Log("using anonymous access for %#v", cfg.Endpoint)
+	}
+
 	options := &minio.Options{
 		Creds:     creds,
 		Secure:    !cfg.UseHTTP,