Using LoadCredential for passing API key to s3 bucket mount unit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

I am playing with the idea of using systemd mount to mount S3 bucket on
the system using s3fs.

To mount a bucket, an API key is required. s3fs can read the API key
from a file specified as an option:

s3fs $bucket_name $where -o passwd_file=${PATH_TO_PASSWORD_FILE} ...

I tried to set up a .mount unit with LoadCredential directive:

[Unit]
Description=tmp bucket mount
After=network.target

[Mount]
What=temp-bucket
Where=/mnt/tmp
Type=fuse.s3fs
LoadCredential=password_file:/etc/s3fs/tmp_key
Options=passwd_file="${CREDENTIALS_DIRECTORY}"/password_file,url=https://s3...

[Install]
WantedBy=multi-user.target

However mount start fails with s3fs not being able to read from
passwd_file:

s3fs: specified passwd_file is not readable.


I have used a small wrapper that calls env before calling s3fs to
investigate, and it appears that during the mount command execution
${CREDENTIALS_DIRECTORY} is created, but there is no subdirectory
corresponding to the unit name.

Is this a correct use for LoadCredential?


systemctl --version
systemd 248 (248)
+PAM -AUDIT -SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS
+OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD
+LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE -BZIP2 +LZ4
-XZ -ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

OS: Gentoo

--
With best regards,
--
Vladimir Timofeenko
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux