[systemd-devel] Using LoadCredential for passing API key to s3 bucket mount unit
Lennart Poettering
lennart at poettering.net
Thu Sep 2 09:19:48 UTC 2021
On Mi, 01.09.21 13:31, Vladimir Timofeenko (vladimir at vtimofeenko.com) wrote:
> Hi,
>
> I am playing with the idea of using systemd mount to mount S3 bucket on
> the system using s3fs.
>
> To mount a bucket, an API key is required. s3fs can read the API key
> from a file specified as an option:
>
> s3fs $bucket_name $where -o passwd_file=${PATH_TO_PASSWORD_FILE} ...
>
> I tried to set up a .mount unit with LoadCredential directive:
>
> [Unit]
> Description=tmp bucket mount
> After=network.target
>
> [Mount]
> What=temp-bucket
> Where=/mnt/tmp
> Type=fuse.s3fs
> LoadCredential=password_file:/etc/s3fs/tmp_key
> Options=passwd_file="${CREDENTIALS_DIRECTORY}"/password_file,url=https://s3...
systemd only resolves env vars in ExecXYZ= lines, nowhere else. And
definitely not in Options=
> I have used a small wrapper that calls env before calling s3fs to
> investigate, and it appears that during the mount command execution
> ${CREDENTIALS_DIRECTORY} is created, but there is no subdirectory
> corresponding to the unit name.
$CREDENIALS_DIRECTORY should already point to a dir with the unit name
in it. i.e. what is the precise value?
I must admit I never tested credentials with mount units. We might be
missing something there, though I see no reason why it shouldn't work.
Consider filing an issue on github, if the creds stuff doesn't
work. But note that the env var replacement you need to do in mout
mount.fuse.s3fs wrapper script really, PID 1 won't do that for you.
Lennart
--
Lennart Poettering, Berlin
More information about the systemd-devel
mailing list