mirror of
https://github.com/restic/restic.git
synced 2024-12-22 15:57:07 +00:00
do not require gs bucket permissions to init repository
a gs service account may only have object permissions on an existing bucket but no bucket create/get permissions. these service accounts currently are blocked from initialization a restic repository because restic can not determine if the bucket exists. this PR updates the logic to assume the bucket exists when the bucket attribute request results in a permissions denied error. this way, restic can still initialize a repository if the service account does have object permissions fixes: https://github.com/restic/restic/issues/3100
This commit is contained in:
parent
5f3b802ee7
commit
a24e986b2b
2 changed files with 15 additions and 0 deletions
10
changelog/unreleased/issue-3100
Normal file
10
changelog/unreleased/issue-3100
Normal file
|
@ -0,0 +1,10 @@
|
|||
Bugfix: Do not require gs bucket permissions when running init
|
||||
|
||||
Restic used to require bucket level permissions for the gs backend
|
||||
in order to initialize a restic repository.
|
||||
|
||||
It now allows a gs service account to initialize a repository if the
|
||||
bucket does exist and the service account has permissions to write/read
|
||||
to that bucket.
|
||||
|
||||
https://github.com/restic/restic/issues/3100
|
|
@ -136,6 +136,11 @@ func Create(cfg Config, rt http.RoundTripper) (restic.Backend, error) {
|
|||
ctx := context.Background()
|
||||
exists, err := be.bucketExists(ctx, be.bucket)
|
||||
if err != nil {
|
||||
if e, ok := err.(*googleapi.Error); ok && e.Code == http.StatusForbidden {
|
||||
// the bucket might exist!
|
||||
// however, the client doesn't have storage.bucket.get permission
|
||||
return be, nil
|
||||
}
|
||||
return nil, errors.Wrap(err, "service.Buckets.Get")
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue