forked from TrueCloudLab/restic
gs: document required permissions
In the manual, state which standard roles the service account must have to work correctly, as well as the specific permissions required, for creating even more specific custom roles.
This commit is contained in:
parent
5f4f997126
commit
3b2106ed30
2 changed files with 30 additions and 5 deletions
|
@ -405,11 +405,22 @@ established.
|
||||||
Google Cloud Storage
|
Google Cloud Storage
|
||||||
~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Restic supports Google Cloud Storage as a backend. In order for this to work
|
Restic supports Google Cloud Storage as a backend.
|
||||||
you first need create a "service account" and download the JSON key file for
|
|
||||||
it. In addition, you need the Google Project ID that you can see in the Google
|
Restic connects to Google Cloud Storage via a `service account`_.
|
||||||
|
|
||||||
|
For normal restic operation, the service account must have the
|
||||||
|
``storage.objects.{create,delete,get,list}`` permissions for the bucket. These
|
||||||
|
are included in the "Storage Object Admin" role. For ``restic init``, the
|
||||||
|
service account must also have the ``storage.buckets.get`` and
|
||||||
|
``storage.buckets.create`` (if the bucket does not exist) permissions. These
|
||||||
|
are included in the "Storage Admin" role.
|
||||||
|
|
||||||
|
`Create a service account key`_ and download the JSON credentials file.
|
||||||
|
|
||||||
|
In addition, you need the Google Project ID that you can see in the Google
|
||||||
Cloud Platform console at the "Storage/Settings" menu. Export the path to the
|
Cloud Platform console at the "Storage/Settings" menu. Export the path to the
|
||||||
JSON credentials file and the project ID as follows:
|
JSON key file and the project ID as follows:
|
||||||
|
|
||||||
.. code-block:: console
|
.. code-block:: console
|
||||||
|
|
||||||
|
@ -432,6 +443,9 @@ The number of concurrent connections to the GCS service can be set with the
|
||||||
`-o gs.connections=10`. By default, at most five parallel connections are
|
`-o gs.connections=10`. By default, at most five parallel connections are
|
||||||
established.
|
established.
|
||||||
|
|
||||||
|
.. _service account: https://cloud.google.com/storage/docs/authentication#service_accounts
|
||||||
|
.. _Create a service account key: https://cloud.google.com/storage/docs/authentication#generating-a-private-key
|
||||||
|
|
||||||
|
|
||||||
Password prompt on Windows
|
Password prompt on Windows
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
|
@ -21,7 +21,13 @@ import (
|
||||||
storage "google.golang.org/api/storage/v1"
|
storage "google.golang.org/api/storage/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Backend stores data on an gs endpoint.
|
// Backend stores data in a GCS bucket.
|
||||||
|
//
|
||||||
|
// The service account used to access the bucket must have these permissions:
|
||||||
|
// * storage.objects.create
|
||||||
|
// * storage.objects.delete
|
||||||
|
// * storage.objects.get
|
||||||
|
// * storage.objects.list
|
||||||
type Backend struct {
|
type Backend struct {
|
||||||
service *storage.Service
|
service *storage.Service
|
||||||
projectID string
|
projectID string
|
||||||
|
@ -95,6 +101,11 @@ func Open(cfg Config) (restic.Backend, error) {
|
||||||
|
|
||||||
// Create opens the gs backend at the specified bucket and creates the bucket
|
// Create opens the gs backend at the specified bucket and creates the bucket
|
||||||
// if it does not exist yet.
|
// if it does not exist yet.
|
||||||
|
//
|
||||||
|
// In addition to the permissions required by Backend, Create requires these
|
||||||
|
// permissions:
|
||||||
|
// * storage.buckets.get
|
||||||
|
// * storage.buckets.create (if the bucket doesn't exist)
|
||||||
func Create(cfg Config) (restic.Backend, error) {
|
func Create(cfg Config) (restic.Backend, error) {
|
||||||
be, err := open(cfg)
|
be, err := open(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
Loading…
Reference in a new issue