Can you configure read-only access to an S3 Restic backup?

I have backups in Amazon S3 which I want to share with another party but limit their access to read-only - list snapshots, restore from a snapshot.

I can add a secondary password (via key add) and provide that to the other party; however, there doesn’t seem to be any access control here.

I’ve tried adding a secondary IAM user (to be used with the secondary password) and adjusted IAM policies to block write access. However, restic fails with an error:

$ restic -v -r s3://s3.amazonaws.com/my-bucket snapshots 
enter password for repository: 
repository 0fc99253 opened (version 2, compression level auto)
created new cache in /home/atodorov/.cache/restic
Save(<lock/5775d0aa83>) failed: client.PutObject: User: arn:aws:iam::694552342904:user/  read-only is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::my-bucket/locks/5775d0aa83db9761ffe0aa370a6f7404d08bfb67bdab3bb1e0b92690ad14bb4c" because no identity-based policy allows the s3:PutObject action

It looks like even list/read operations are actually writing files.

Is read-only access even possible?

1 Like

This post may help you: Is restoring with --no-lock safe?

2 Likes

Thanks. --no-lock + read-only permissions enforced via IAM policy works for me.

1 Like

Very well! Thanks for confirming.
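
An added example, not part of the original thread and not restic's own documentation: one way to write the read-only IAM policy discussed above, using the bucket name `my-bucket` from the error message. The action list and the `Sid` names are assumptions; the explicit Deny statement is optional hardening that keeps the user read-only even if another attached policy allows writes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleListRepository",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::my-bucket"
    },
    {
      "Sid": "ExampleReadRepositoryObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "ExampleDenyWritesAndDeletes",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

The bucket-level actions go on the bucket ARN and the object-level actions on `my-bucket/*`; mixing the two up is a common reason a policy that looks read-only still fails to list. With this attached to the secondary IAM user, the command from the question is run as `restic --no-lock -v -r s3://s3.amazonaws.com/my-bucket snapshots`, so restic does not try to write to `locks/`.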