Not leaking s3 credentials via global environment

Hi there :wave:

I am currently using s3 backend (minio) for restic. I’m utilizing RESTIC_PASSWORD_FILE variable to keep that in a secure-enough folder, but couldn’t make AWS work. There are some notes in the forum/code which says AWS_SHARED_CREDENTIALS_FILE or MINIO_SHARED_CREDENTIALS_FILE is supported. But I couldn’t make it work, documentation also doesn’t mention something for it.

Could someone can give a working example?


As with any problem report/question, you have to specify what the actual symptoms of the problem are. Please detail the configuration/environment variables you use, the command you run, and what you get as output.

Oops sorry I thought that was clear enough. Let me elaborate:

Currently ENV variables I set are:


My main goal is to make restic work without any special params. Current setup is working fine.

One problem is, since ENV variables are set globally on the host, every process can reach to these values. That’s all fine except AWS_SECRET_ACCESS_KEY.

I’d like to keep that value in a file like RESTIC_PASSWORD_FILE

A aws credentials file (there’s an example shown here: Configuration and credential file settings - AWS Command Line Interface) should just work. When that file is located in the home of the user calling restic, then it should be picked up automatically, as long as none of the aws environment variables is set. Btw, which restic version are you using?

I am trying not to lag from master branch generally:

restic 0.12.0 (v0.12.0-122-g58be5172-dirty) compiled with go1.16 on linux/amd64

I am not sure what to say, I was sure I tried that method but couldn’t make it work :thinking:

Looks like unsetting AWS_* parameters and just supplying an AWS_SHARED_CREDENTIALS_FILE directed to the credentials file’s path worked this time…

Sorry for the noise and thanks for the time.

As far as my linux knowledge goes I am not sure if I understand your concerns.

In my backup Job I read my restic-env file using the source command. As far as I know the env variables then are only available in the current session and cannot be read that easy by other processes.

Or am I wrong with that?

You’re right, but this is not only about getting the backup.

I am on a multi user environment. All users should be able to run “restic” command without credential parameters, which is possible with global environment variables. That brings an issue that service users can also reach those credentials (e.g. a process dumping environment variables while crashing, exposing it unnecessarily). Not even mentioning if an outward-facing process having a security issue, letting someone to dump its /proc/$pid/environ.

Now I am going to use following 3 variables:

Leaking those values won’t pose a risk, since passfiles mentioned here is placed in a directory which is only readable by selected users who are meant to run restic command in the first place.

1 Like

Thank you for the clearification.