[systemd-devel] Using LoadCredential for passing API key to s3 bucket mount unit
Vladimir Timofeenko
vladimir at vtimofeenko.com
Wed Sep 1 20:31:49 UTC 2021
Hi,

I am playing with the idea of using systemd mount to mount an S3 bucket on
the system using s3fs.

To mount a bucket, an API key is required. s3fs can read the API key
from a file specified as an option:

    s3fs $bucket_name $where -o passwd_file=${PATH_TO_PASSWORD_FILE} ...

I tried to set up a .mount unit with the LoadCredential directive:

[Unit]
Description=tmp bucket mount
After=network.target
[Mount]
What=temp-bucket
Where=/mnt/tmp
Type=fuse.s3fs
LoadCredential=password_file:/etc/s3fs/tmp_key
Options=passwd_file="${CREDENTIALS_DIRECTORY}"/password_file,url=https://s3...
[Install]
WantedBy=multi-user.target

However, mount start fails with s3fs not being able to read from
passwd_file:

    s3fs: specified passwd_file is not readable.

I have used a small wrapper that calls env before calling s3fs to
investigate, and it appears that during the mount command execution
${CREDENTIALS_DIRECTORY} is created, but there is no subdirectory
corresponding to the unit name.

Is this a correct use for LoadCredential?

systemctl --version
systemd 248 (248)
+PAM -AUDIT -SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS
+OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD
+LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE -BZIP2 +LZ4
-XZ -ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
OS: Gentoo
--
With best regards,
--
Vladimir Timofeenko
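
An added diagnostic sketch, not part of the original message: a POSIX shell function in the spirit of the env wrapper described above, reporting why a passwd_file path that reaches the mount helper may be unusable. The function name, the return codes and the group/other mode check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical helper name.
# diagnose_passwd_file PATH
# Prints one finding and returns:
#   0 usable            1 path still contains a literal $ or quote
#   2 CREDENTIALS_DIRECTORY unset in this process
#   3 file missing      4 file not readable by the current user
#   5 file has group/other permission bits set
diagnose_passwd_file() {
    path=$1
    # A path that arrives with "$" or '"' in it was never expanded by a shell.
    case $path in
        *'$'*|*'"'*)
            echo "literal-syntax: path contains an unexpanded \$ or quote: $path"
            return 1 ;;
    esac
    if [ -z "${CREDENTIALS_DIRECTORY:-}" ]; then
        echo "no-creds-dir: CREDENTIALS_DIRECTORY is not set for this process"
        return 2
    fi
    if [ ! -e "$path" ]; then
        echo "missing: $path does not exist (directory listing follows)"
        ls -la "$CREDENTIALS_DIRECTORY" 2>&1
        return 3
    fi
    if [ ! -r "$path" ]; then
        echo "unreadable: $path exists but uid $(id -u) cannot read it"
        return 4
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$path" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "too-open: $path is accessible to group/other ($perms)"
        return 5
    fi
    echo "ok: $path is readable and private"
    return 0
}

# Stand-alone use: pass the value given to passwd_file= as the first argument.
if [ "$#" -gt 0 ]; then
    diagnose_passwd_file "$1"
fi
```

Called from a wrapper placed in front of s3fs, the printed finding lands in the journal for the mount unit, which separates an unexpanded path from a missing or unreadable credential file.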