From 311a962011186ba4b4a91660351718fe491080d8 Mon Sep 17 00:00:00 2001 From: Nick Craig-Wood Date: Mon, 16 Apr 2018 12:14:35 +0100 Subject: [PATCH] s3: Look in S3 named profile files for credentials - fixes #2243 --- backend/s3/s3.go | 5 +++++ docs/content/s3.md | 28 +++++++++++++++++----------- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/backend/s3/s3.go b/backend/s3/s3.go index a2420d4ac..083b2ec0f 100644 --- a/backend/s3/s3.go +++ b/backend/s3/s3.go @@ -640,6 +640,11 @@ func s3Connection(name string) (*s3.S3, *session.Session, error) { // * Secret Access Key: AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY &credentials.EnvProvider{}, + // A SharedCredentialsProvider retrieves credentials + // from the current user's home directory. It checks + // AWS_SHARED_CREDENTIALS_FILE and AWS_PROFILE too. + &credentials.SharedCredentialsProvider{}, + // Pick up IAM role if we're in an ECS task defaults.RemoteCredProvider(*def.Config, def.Handlers), diff --git a/docs/content/s3.md b/docs/content/s3.md index c19674846..b12b27a87 100644 --- a/docs/content/s3.md +++ b/docs/content/s3.md 
@@ -279,20 +279,26 @@ region`. ### Authentication ### -There are two ways to supply `rclone` with a set of AWS -credentials. In order of precedence: +There are a number of ways to supply `rclone` with a set of AWS +credentials, with and without using the environment. - - Directly in the rclone configuration file (as configured by `rclone config`) - - set `access_key_id` and `secret_access_key`. `session_token` can be - optionally set when using AWS STS. - - Runtime configuration: - - set `env_auth` to `true` in the config file - - Exporting the following environment variables before running `rclone` +The different authentication methods are tried in this order: + + - Directly in the rclone configuration file (`env_auth = false` in the config file): + - `access_key_id` and `secret_access_key` are required. + - `session_token` can be optionally set when using AWS STS. + - Runtime configuration (`env_auth = true` in the config file): + - Export the following environment variables before running `rclone`: - Access Key ID: `AWS_ACCESS_KEY_ID` or `AWS_ACCESS_KEY` - Secret Access Key: `AWS_SECRET_ACCESS_KEY` or `AWS_SECRET_KEY` - - Session Token: `AWS_SESSION_TOKEN` - - Running `rclone` in an ECS task with an IAM role (AWS only) - - Running `rclone` on an EC2 instance with an IAM role (AWS only) + - Session Token: `AWS_SESSION_TOKEN` (optional) + - Or, use a [named profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html): + - Profile files are standard files used by AWS CLI tools + - By default it will use the profile in your home directory (eg `~/.aws/credentials` on unix based systems) file and the "default" profile, to change set these environment variables: + - `AWS_SHARED_CREDENTIALS_FILE` to control which file. + - `AWS_PROFILE` to control which profile to use. + - Or, run `rclone` in an ECS task with an IAM role (AWS only). + - Or, run `rclone` on an EC2 instance with an IAM role (AWS only). 
If none of these option actually end up providing `rclone` with AWS credentials then S3 interaction will be non-authenticated (see below).
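Review bot: In the backend/s3/s3.go hunk, `&credentials.SharedCredentialsProvider{}` is inserted ahead of `defaults.RemoteCredProvider(*def.Config, def.Handlers)`, so a "default" profile in the user's home directory now wins over an ECS task or EC2 instance role, and the added comment does not mention that. For anyone who relies on the role and has a leftover credentials file on the host, this silently changes which identity rclone uses. Please state the precedence in the comment (environment variables, then shared credentials file, then role). A debug-level log naming the provider that supplied the credentials would also help operators confirm which source was used. The diffstat shows only s3.go and s3.md changed, so nothing tests the new ordering.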
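Review bot: In the docs/content/s3.md hunk, the list is introduced with "The different authentication methods are tried in this order" but the entries under `env_auth = true` are joined with "Or,", which leaves it unclear that the environment variables are consulted before the named profile and the profile before the ECS/EC2 role. Since the choice of credentials depends on that order, spell it out, for example by numbering the entries to match the provider order in s3.go. The bullet beginning "By default it will use the profile in your home directory" is also a broken sentence; suggested wording: "By default it reads the credentials file in your home directory (eg `~/.aws/credentials` on unix based systems) and uses the "default" profile. To change this, set these environment variables:". While touching this section, the trailing context line "If none of these option actually end up" should read "options".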