s3: Add warning if key ID or secret is empty

Also add debug message if no credential types are available.

Closes #2388

changelog/unreleased/issue-2388

@@ -0,0 +1,7 @@
+Enhancement: Add warning for S3 if partial credentials are provided
+
+Check if both the AWS key ID and secret environment variables are set
+before connecting to the remote server and report an error if not.
+
+https://github.com/restic/restic/issues/2388
+https://github.com/restic/restic/pull/3532

cmd/restic/global.go

@@ -554,6 +554,12 @@ func parseConfig(loc location.Location, opts options.Options) (interface{}, erro
 			cfg.Secret = os.Getenv("AWS_SECRET_ACCESS_KEY")
 		}
 
+		if cfg.KeyID == "" && cfg.Secret != "" {
+			return nil, errors.Fatalf("unable to open S3 backend: Key ID ($AWS_ACCESS_KEY_ID) is empty")
+		} else if cfg.KeyID != "" && cfg.Secret == "" {
+			return nil, errors.Fatalf("unable to open S3 backend: Secret ($AWS_SECRET_ACCESS_KEY) is empty")
+		}
+
 		if cfg.Region == "" {
 			cfg.Region = os.Getenv("AWS_DEFAULT_REGION")
 		}

internal/backend/s3/s3.go

@@ -69,6 +69,15 @@ func open(ctx context.Context, cfg Config, rt http.RoundTripper) (*Backend, erro
 		},
 	})
 
+	c, err := creds.Get()
+	if err != nil {
+		return nil, errors.Wrap(err, "creds.Get")
+	}
+
+	if c.SignerType == credentials.SignatureAnonymous {
+		debug.Log("using anonymous access for %#v", cfg.Endpoint)
+	}
+
 	options := &minio.Options{
 		Creds:     creds,
 		Secure:    !cfg.UseHTTP,