From a24e986b2b64a957e64be539cd655ea6eaf405c0 Mon Sep 17 00:00:00 2001
From: eleith
Date: Tue, 17 Nov 2020 16:44:26 -0800
Subject: [PATCH] do not require gs bucket permissions to init repository a gs service account may only have object permissions on an existing bucket but no bucket create/get permissions. these service accounts currently are blocked from initialization a restic repository because restic can not determine if the bucket exists. this PR updates the logic to assume the bucket exists when the bucket attribute request results in a permissions denied error. this way, restic can still initialize a repository if the service account does have object permissions fixes: https://github.com/restic/restic/issues/3100
---
 changelog/unreleased/issue-3100 | 10 ++++++++++
 internal/backend/gs/gs.go | 5 +++++
 2 files changed, 15 insertions(+)
 create mode 100644 changelog/unreleased/issue-3100
diff --git a/changelog/unreleased/issue-3100 b/changelog/unreleased/issue-3100
new file mode 100644
index 000000000..8ce0a7eda
--- /dev/null
+++ b/changelog/unreleased/issue-3100
@@ -0,0 +1,10 @@
+Bugfix: Do not require gs bucket permissions when running init
+
+Restic used to require bucket level permissions for the gs backend
+in order to initialize a restic repository.
+
+It now allows a gs service account to initialize a repository if the
+bucket does exist and the service account has permissions to write/read
+to that bucket.
+
+https://github.com/restic/restic/issues/3100
diff --git a/internal/backend/gs/gs.go b/internal/backend/gs/gs.go
index 096420be7..0b0cea8be 100644
--- a/internal/backend/gs/gs.go
+++ b/internal/backend/gs/gs.go
@@ -136,6 +136,11 @@ func Create(cfg Config, rt http.RoundTripper) (restic.Backend, error) {
 ctx := context.Background()
 exists, err := be.bucketExists(ctx, be.bucket)
 if err != nil {
+ if e, ok := err.(*googleapi.Error); ok && e.Code == http.StatusForbidden {
+ // the bucket might exist!
+ // however, the client doesn't have storage.bucket.get permission
+ return be, nil
+ }
 return nil, errors.Wrap(err, "service.Buckets.Get")
 }
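Review bot: The new 403 branch in Create returns `be, nil` without confirming that the credentials can read or write objects, so a bucket that belongs to someone else (for example a mistyped name) is treated the same as "bucket exists", and the error only surfaces on the first object operation. Record that assumption where it is made, for example `// 403 on Buckets.Get: assume the bucket exists; object access is not verified here`, and consider a cheap object-level check before returning if the backend offers one. The direct assertion `err.(*googleapi.Error)` would stop matching if bucketExists ever wraps its error, which cannot be confirmed from this hunk. The IAM permission is spelled `storage.buckets.get`, so the comment's `storage.bucket.get` should be corrected. Create's body starts before and continues after the hunk.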