I am currently using the s3 backend (minio) for restic. I’m utilizing the RESTIC_PASSWORD_FILE variable to keep that in a secure-enough folder, but couldn’t make AWS work. There are some notes in the forum/code that say AWS_SHARED_CREDENTIALS_FILE or MINIO_SHARED_CREDENTIALS_FILE is supported. But I couldn’t make it work, and the documentation doesn’t mention anything about it either.
As with any problem report/question, you have to specify what the actual symptoms of the problem are. Please detail the configuration/environment variables you use, the command you run, and what you get as output.
My main goal is to make restic work without any special params. Current setup is working fine.
One problem is that, since ENV variables are set globally on the host, every process can reach these values. That’s all fine except for AWS_SECRET_ACCESS_KEY.
I’d like to keep that value in a file, like RESTIC_PASSWORD_FILE.
An AWS credentials file (there’s an example shown here: Configuration and credential file settings - AWS Command Line Interface) should just work. When that file is located in the home directory of the user calling restic, it should be picked up automatically, as long as none of the AWS environment variables are set. Btw, which restic version are you using?
As far as my linux knowledge goes I am not sure if I understand your concerns.
In my backup job I read my restic-env file using the source command. As far as I know, the env variables are then only available in the current session and cannot be read that easily by other processes.
You’re right, but this is not only about getting the backup.
I am on a multi-user environment. All users should be able to run the “restic” command without credential parameters, which is possible with global environment variables. That brings up the issue that service users can also reach those credentials (e.g. a process dumping environment variables while crashing, exposing them unnecessarily). Not even mentioning an outward-facing process having a security issue, letting someone dump its /proc/$pid/environ.
Now I am going to use the following 3 variables:
AWS_SHARED_CREDENTIALS_FILE=/path/of/minio/passfile
RESTIC_PASSWORD_FILE=/path/of/restic/passfile
RESTIC_REPOSITORY=s3:http://minio_host:minio_port/bucket_name
Leaking those values won’t pose a risk, since the passfiles mentioned here are placed in a directory which is only readable by selected users who are meant to run the restic command in the first place.
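The setup the thread converges on (the AWS credentials file suggested in the earlier reply, plus the three variables listed in the last post), as an added shell example that is not code from the forum thread or from the restic project. It writes the credentials file with restrictive permissions, puts only the file paths and the repository URL into the environment, and then checks that a child process's environment (what /proc/$pid/environ would expose on Linux) does not contain the secret. The directory under /tmp, the file names, the minio host/port and every key and password value are constructed assumptions for the demo; the thread only shows /path/of/... placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread or the restic project.
# Directory, file names, host/port and all secret values below are
# constructed for the demo and are not real credentials.

set -u

RESTIC_SECRETS_DIR="${RESTIC_SECRETS_DIR:-/tmp/restic-secrets-demo}"   # e.g. /etc/restic in production (assumed)
AWS_CREDS_FILE="$RESTIC_SECRETS_DIR/minio-credentials"
RESTIC_PASS_FILE="$RESTIC_SECRETS_DIR/restic-password"
DEMO_SECRET="DEMOSECRETKEYNOTREAL"   # constructed value, never a real key

# Create the directory and both secret files. umask 077 ensures the files are
# never readable by others, not even between creation and the chmod below.
# In a real deployment you would also chgrp the directory to the group of
# users allowed to run restic (group name would be site-specific; not done here).
write_secret_files() {
    old_umask=$(umask)
    umask 077
    mkdir -p "$RESTIC_SECRETS_DIR"
    # AWS shared-credentials format: an INI file with a [default] profile.
    cat > "$AWS_CREDS_FILE" <<EOF
[default]
aws_access_key_id = DEMOACCESSKEYID
aws_secret_access_key = $DEMO_SECRET
EOF
    printf 'demo-restic-repository-password\n' > "$RESTIC_PASS_FILE"
    # 0750 / 0640: owner full access, the restic group read-only, others nothing.
    chmod 0750 "$RESTIC_SECRETS_DIR"
    chmod 0640 "$AWS_CREDS_FILE" "$RESTIC_PASS_FILE"
    umask "$old_umask"
}

# The three variables from the post. Only paths and the repository URL enter
# the environment; the secret itself does not. Leftover key variables from an
# earlier setup are cleared so they cannot take precedence over the file.
export_restic_env() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    export AWS_SHARED_CREDENTIALS_FILE="$AWS_CREDS_FILE"
    export RESTIC_PASSWORD_FILE="$RESTIC_PASS_FILE"
    export RESTIC_REPOSITORY="s3:http://minio_host:9000/bucket_name"   # host/port assumed
}

# Return 0 if the secret is visible in the environment a child process
# inherits. `env` is itself a child process, so its output is exactly what
# /proc/<its pid>/environ would contain on Linux.
secret_in_child_environ() {
    env | grep -q -- "$DEMO_SECRET"
}

# The pattern the post wants to avoid, run in a subshell so it does not
# pollute the caller. Returns 0: once the secret is exported, every child sees it.
secret_visible_when_exported() {
    ( export AWS_SECRET_ACCESS_KEY="$DEMO_SECRET"; env | grep -q -- "$DEMO_SECRET" )
}

# Return 0 if the file has no read bit for "others" (POSIX find -perm -o=r).
not_world_readable() {
    [ -z "$(find "$1" -perm -o=r)" ]
}

# Return 0 if the credentials file actually carries the secret, i.e. the
# secret moved into the file rather than disappearing.
secret_in_creds_file() {
    grep -q -- "$DEMO_SECRET" "$AWS_CREDS_FILE"
}

write_secret_files
export_restic_env

if secret_in_child_environ; then
    echo "FAIL: secret leaked into the environment"
else
    echo "OK: child processes see only AWS_SHARED_CREDENTIALS_FILE=$AWS_SHARED_CREDENTIALS_FILE"
fi
# Real usage from here on (restic reads the credentials file itself; not run in this demo):
#   restic snapshots
```

Source this file (or put the exports in /etc/profile.d) so every login gets the three path variables, and remove the demo directory afterwards with `rm -r "$RESTIC_SECRETS_DIR"`. The unset of AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY matters because, as the earlier reply notes, the credentials file is only consulted when those variables are not set.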