do not require gs bucket permissions to init repository

a gs service account may only have object permissions on an existing
bucket but no bucket create/get permissions.

these service accounts currently are blocked from initialization a
restic repository because restic can not determine if the bucket exists.

this PR updates the logic to assume the bucket exists when the bucket
attribute request results in a permissions denied error.

this way, restic can still initialize a repository if the service
account does have object permissions

fixes: https://github.com/restic/restic/issues/3100

changelog/unreleased/issue-3100

@@ -0,0 +1,10 @@
+Bugfix: Do not require gs bucket permissions when running init 
+
+Restic used to require bucket level permissions for the gs backend 
+in order to initialize a restic repository.
+
+It now allows a gs service account to initialize a repository if the 
+bucket does exist and the service account has permissions to write/read
+to that bucket.
+
+https://github.com/restic/restic/issues/3100

internal/backend/gs/gs.go

@@ -136,6 +136,11 @@ func Create(cfg Config, rt http.RoundTripper) (restic.Backend, error) {
 	ctx := context.Background()
 	exists, err := be.bucketExists(ctx, be.bucket)
 	if err != nil {
+		if e, ok := err.(*googleapi.Error); ok && e.Code == http.StatusForbidden {
+			// the bucket might exist!
+			// however, the client doesn't have storage.bucket.get permission
+			return be, nil
+		}
 		return nil, errors.Wrap(err, "service.Buckets.Get")
 	}