restic: Improve error message if backend credentials are missing / invalid

Output of restic version

restic 0.8.3
compiled with go1.10 on linux/amd64

How did you run restic exactly?

restic -r s3:s3.amazonaws.com/backup.shrub.ca check

What backend/server/service did you use to store the repository?

Amazon S3

Expected behavior

Some sort of error, indicating that AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY is not defined.

Actual behavior

Fatal: unable to open config file: Stat: Access Denied.
Is there a repository at the following location?
s3:s3.amazonaws.com/backup.shrub.ca

Do you have an idea how to solve the issue?

If you define the expected variables, it runs:

# export AWS_ACCESS_KEY_ID=xxxx
# export AWS_SECRET_ACCESS_KEY=xxxx
# export RESTIC_PASSWORD=xxxx
# restic -r s3:s3.amazonaws.com/backup.shrub.ca check

About this issue

  • State: open
  • Created 6 years ago
  • Reactions: 7
  • Comments: 18 (6 by maintainers)

Most upvoted comments

I just got burned by this one. Wouldn’t have scratched my head for so long if the error message was clearer. I definitely would have scratched my head for a lot longer if I hadn’t found the discussion here.

This is going to be a big issue in my environment, where we are going to switch everything to instance profile. Right now it is broken with version 0.9.5:

Fatal: unable to open config file: Stat: The specified key does not exist.
Is there a repository at the following location?
s3:s3.amazonaws.com/testbucket

There’s a difference between:

  • user supplied credentials which were invalid
  • user didn’t supply any credentials

You’re showing the same error in both cases. Further, the error is (somewhat) understandable to programmers, but not to end users.

Please indicate that no credentials were supplied and don’t attempt to connect in this case.

I also encountered this issue while trying to use instance roles. I was missing a permission in my IAM role policy:

s3:GetBucketLocation

My restic version is 0.9.6 and my error was:

Fatal: unable to open config file: Stat: Head https://[bucket].s3.dualstack.us-east-1.amazonaws.com/[repo]/config: 301 response missing Location header
Is there a repository at the following location?
s3:s3.amazonaws.com/[bucket]/[repo]

After adding the missing permission it worked perfectly.


This error message is confusing, even for sophisticated users. restic appears to be simply printing the underlying (programmer) errors from errno.h to users.

Fatal: unable to open config file: Stat: Access Denied.
Is there a repository at the following location?
s3:s3.amazonaws.com/backup.shrub.ca

Which config file was it trying to open? Was this a local or remote config file? What’s the path to this file? Why is the error message asking the user questions? Why is the word “fatal” present? Why is the word “stat” present?


A good error message should:

  • Clearly and accurately state the problem
  • Give a reason for the error
  • Suggest corrective action

Here are examples of more helpful errors:

restic was unable to connect to the S3 bucket “backup.myserver.com,” as no credentials were supplied. Please supply credentials, such as setting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY or something something IAM and try again.

restic was unable to connect to the S3 bucket “backup.myserver.com,” as the credentials supplied were rejected by the server. Please ensure that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (or IAM something something) are correct and try again.
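
One way to separate the cases discussed in this thread, as an added example that is not restic's code and not from any commenter: it combines the raw backend error with whether the two environment variables are set. `diagnose` and the `Cause` values are hypothetical names; the matched substrings are the error texts quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type Cause string

const (
	NoCredentials      Cause = "no-credentials"
	PartialCredentials Cause = "partial-credentials"
	Rejected           Cause = "credentials-rejected"
	MissingPermission  Cause = "missing-permission"
	Unknown            Cause = "unknown"
)

// diagnose is a hypothetical helper (not restic code). It combines the raw
// backend error with the state of the two environment variables to name a
// cause and a corrective action. getenv is os.Getenv in real use.
func diagnose(getenv func(string) string, err error) (Cause, string) {
	id, secret := getenv("AWS_ACCESS_KEY_ID"), getenv("AWS_SECRET_ACCESS_KEY")
	denied := strings.Contains(err.Error(), "Access Denied")
	switch {
	case (id == "") != (secret == ""):
		return PartialCredentials, "set both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
	case denied && id == "":
		return NoCredentials, "no static credentials in the environment: set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, or check the instance role"
	case denied:
		return Rejected, "the server rejected the supplied credentials: check the key pair and its permissions"
	case strings.Contains(err.Error(), "301 response missing Location header"):
		return MissingPermission, "check that the IAM policy grants s3:GetBucketLocation"
	}
	return Unknown, err.Error()
}

func main() {
	// Constructed inputs: error strings as quoted on this page, empty environment.
	empty := func(string) string { return "" }
	for _, e := range []string{
		"Stat: Access Denied.",
		"Stat: Head https://[bucket].s3.dualstack.us-east-1.amazonaws.com/[repo]/config: 301 response missing Location header",
	} {
		cause, hint := diagnose(empty, errors.New(e))
		fmt.Printf("%s: %s\n", cause, hint)
	}
}
```

Errors that match none of the cases, such as "The specified key does not exist.", are passed through unchanged as `Unknown` rather than guessed at.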