Relax restrictions on how to provide credentials for the S3 backend
Context
Hi. I'm currently evaluating Backrest, running in Docker. I have successfully configured a repo using the S3 backend, pointing to a Backblaze bucket.
Problem
I'd like to use Docker Secrets for my AWS credentials, by storing the whole credentials file as a secret.
However, when configuring a repository backed by S3, Backrest assumes that both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY have to be set (it triggers a "Missing env vars" error if they're not).
Restic itself can detect credentials in other ways, though (see here for the list of environment variables it supports).
In short, I imagine the following would work, but I can't use it because of the UI check:
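```yaml
services:
  backrest:
    image: garethgeorge/backrest:v1.7.2
    container_name: backrest
    environment:
      - AWS_SHARED_CREDENTIALS_FILE=/run/secrets/b2_aws_credentials
    # Grant the service access so the secret is mounted under /run/secrets/
    secrets:
      - b2_aws_credentials

# Top-level declaration of the externally managed secret
secrets:
  b2_aws_credentials:
    external: true
```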
The contents of b2_aws_credentials would be:
```ini
[default]
aws_access_key_id=<MY_KEY_ID>
aws_secret_access_key=<MY_ACCESS_KEY>
```
I could even set up different profiles, using different keys, and when configuring a repo in Backrest I'd only have to provide the AWS_PROFILE environment variable to pick the right one.
Solution
In principle, I think the environment variable checks should not be blocking; the errors could be warnings. Alternatively, you could skip the checks and instead test the connection before saving (same code path as "Test Configuration") but this would force the user to be online and the backend to exist (which, while likely true in the majority of cases, seems unnecessary 🤷🏻).
What do you think? 🙂
Added support in https://github.com/garethgeorge/backrest/commit/154aef4c9a26248ec7f09c731465647b5359a995 for the additional environment variable to get this in for the next patch release. In the longer term, I agree that relaxing the validation would be an improvement; it's unnecessarily strict right now.
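A sketch of the non-blocking validation proposed in this issue, added here as an example and not taken from Backrest's code: it accepts any complete credential set among the variables named in the thread and otherwise returns a warning instead of an error. All function and constant names are hypothetical, and the form is assumed to receive its variables as `NAME=value` lines.

```typescript
// Added example; every name here is hypothetical, not Backrest's own code.
type Finding = { level: "ok" | "warning"; message: string };

// Complete ways to supply S3 credentials, limited to variables named in this thread.
const STATIC_KEY_PAIR: string[] = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"];
const S3_CREDENTIAL_SETS: string[][] = [STATIC_KEY_PAIR, ["AWS_SHARED_CREDENTIALS_FILE"]];

// Collect variable names from "NAME=value" lines; values are never retained or echoed.
function envNames(lines: string[]): Set<string> {
  const names = new Set<string>();
  for (const line of lines) {
    const eq = line.indexOf("=");
    if (eq > 0 && line.slice(eq + 1).trim() !== "") {
      names.add(line.slice(0, eq).trim());
    }
  }
  return names;
}

// Non-blocking check: the form cannot see the container's environment, so a
// missing set is reported as a warning and saving is still allowed.
function checkS3Env(repoEnv: string[]): Finding {
  const present = envNames(repoEnv);
  if (S3_CREDENTIAL_SETS.some((set) => set.every((v) => present.has(v)))) {
    return { level: "ok", message: "complete credential set provided" };
  }
  // Half of the static key pair is most likely a mistake; name what is missing.
  const missing = STATIC_KEY_PAIR.filter((v) => !present.has(v));
  if (missing.length === 1) {
    return { level: "warning", message: `incomplete key pair, missing ${missing[0]}` };
  }
  if (present.has("AWS_PROFILE")) {
    return {
      level: "warning",
      message: "AWS_PROFILE set; relies on a credentials file configured outside this form",
    };
  }
  return {
    level: "warning",
    message: "no S3 credentials in this form; they must come from the process environment",
  };
}
```

The findings carry only variable names, so a warning shown in the UI or written to a log never includes a key value.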
As a new user to backups, I found passing credentials via **ENVIRONMENT_VARIABLE=**... in the UI uniquely cumbersome. Kopia for instance simply asks for the access key ID and password, like any other UI. Can Backrest ask for just these, then construct whatever env vars it needs, behind the scenes?
Agreed that it would be very convenient to have more specific GUI support for particular backends like S3, with labels like "enter key ID here" rather than having to manually construct an ENV_VAR=value string for this.