Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IAM roles, supported in 0.7.3, appear to no longer work in master #1422

Closed
TheWalkers opened this issue Nov 16, 2017 · 6 comments
Closed

IAM roles, supported in 0.7.3, appear to no longer work in master #1422

TheWalkers opened this issue Nov 16, 2017 · 6 comments
Labels
backend: s3 type: bug

Comments

@TheWalkers
Copy link

Output of restic version

v0.7.3-237-g06bd606d

How did you run restic exactly?

/usr/local/bin/restic -r s3:s3.amazonaws.com/restic-test-repo -p /root/.restic_pass init
create backend at s3:s3.amazonaws.com/restic-test-repo failed: client.MakeBucket: Anonymous access is forbidden for this operation

Running 0.7.3 with the same command line options on the same instance:

/usr/local/bin/restic_0.7.3_linux_amd64 -r s3:s3.amazonaws.com/restic-test-repo -p /root/.restic_pass init
created restic backend ffc0ca4517 at s3:s3.amazonaws.com/restic-test-repo

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

What backend/server/service did you use?

AWS S3

Expected behavior

restic should use IAM roles if no credentials are provided.

Actual behavior

Steps to reproduce the behavior

Do you have any idea what may have caused this?

Do you have an idea how to solve the issue?

I will be reviewing commits after 0.7.3 to see if I can spot a likely culprit.
@TheWalkers
Copy link
Author

git bisect shows the breaking commit @ 042adeb.

@TheWalkers
Copy link
Author

The problem appears to be that the credential chaining is not working as expected.

            &credentials.Static{
                    Value: credentials.Value{
                            AccessKeyID:     cfg.KeyID,
                            SecretAccessKey: cfg.Secret,
                    },
            },

causes minio to try to access S3 with an empty AccessKeyID and SecretAccessKey, if those aren't defined. It never falls back to IAM.

Happy to submit a PR that only includes the static credentials in the chain if they exist, but not sure if that's the correct approach. I welcome thoughts from folks who understand minio-go credential chaining better on whether that's appropriate.

@fd0
Copy link
Member

fd0 commented Nov 16, 2017

Thanks for the report. @harshavardhana would you mind having a quick look? If I remember correctly, IAM profiles were briefly removed from minio-go, is that correct?

@harshavardhana
Copy link
Contributor

Thanks for the report. @harshavardhana would you mind having a quick look? If I remember correctly, IAM profiles were briefly removed from minio-go, is that correct?

No @fd0 restic has IAM profiles supported , looks like a bug in chaining as mentioned by @TheWalkers

@harshavardhana harshavardhana mentioned this issue Nov 16, 2017
Merged
@harshavardhana
Copy link
Contributor

No @fd0 restic has IAM profiles supported , looks like a bug in chaining as mentioned by @TheWalkers

The fix is simple enough @TheWalkers would you mind testing this for us? #1422

@TheWalkers
Copy link
Author

Thanks @harshavardhana, I can confirm that that fix resolves the problem.

@fd0 fd0 closed this as completed in 41c8c94 Nov 24, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backend: s3 type: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fd0 @harshavardhana @TheWalkers