I am trying to install rclone as a desktop application on a user's PC (rclone mount) and I don't want to store the access_key_id and secret_access_key in the rclone.conf file on the end user's PC (as this is a security concern). Is there another alternative where I can use rclone mount without providing access_key_id and secret_access_key?
My workaround:
Server side: Expose a new REST API which returns an AWS S3 signature (V4 signature).
In rclone.conf add v2_auth = true
Modify backend/s3/v2sign.go (the sign method) and set the signature headers.
req.Header.Set("X-Amz-Content-Sha256", "value returned from server")
req.Header.Set("X-Amz-Date", "value returned from server")
req.Header.Set("Authorization", "value returned from server")
But the problem here is that for every GET, HEAD, LIST, PUT, DELETE, etc. I need to call the new REST API and get the signature, which is overkill.
Is there a secure way to make rclone mount work without providing access_key_id and secret_access_key? Thanks.
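As an added example (not part of the original post and not rclone's own code), this is a sketch of the core of the server-side signing API described in the workaround above: it computes the three SigV4 headers for one S3 request so that the secret key stays on the server. The credentials, host, object path and the function name `SignS3` are constructed placeholders, and query strings and additional signed headers are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed placeholder credentials; in the workaround they exist only on the server.
const accessKeyID, secretKey, region = "AKIDEXAMPLE", "EXAMPLE-SECRET-NOT-REAL", "us-east-1"

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func sha256Hex(s string) string {
	h := sha256.Sum256([]byte(s))
	return hex.EncodeToString(h[:])
}

// SignS3 returns the three headers the client sets: payload hash, date, Authorization.
// Assumes amzDate is "YYYYMMDDTHHMMSSZ", path is already URI-encoded, no query string.
func SignS3(method, host, path, amzDate, payloadHash string) map[string]string {
	day, signed := amzDate[:8], "host;x-amz-content-sha256;x-amz-date"
	canonical := strings.Join([]string{method, path, "",
		"host:" + host, "x-amz-content-sha256:" + payloadHash, "x-amz-date:" + amzDate, "",
		signed, payloadHash}, "\n")
	scope := day + "/" + region + "/s3/aws4_request"
	toSign := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + sha256Hex(canonical)
	key := hmacSHA256([]byte("AWS4"+secretKey), day) // derive the per-day signing key
	for _, part := range []string{region, "s3", "aws4_request"} {
		key = hmacSHA256(key, part)
	}
	sig := hex.EncodeToString(hmacSHA256(key, toSign))
	return map[string]string{
		"X-Amz-Content-Sha256": payloadHash,
		"X-Amz-Date":           amzDate,
		"Authorization": fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s", accessKeyID, scope, signed, sig),
	}
}

func main() {
	h := SignS3("GET", "examplebucket.s3.amazonaws.com", "/test.txt", "20240101T000000Z", sha256Hex(""))
	fmt.Println(h["Authorization"])
}
```

The signature covers the method, path, timestamp and payload hash, so a header set issued for one request does not validate for a different one.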
Thank you asdffdsa. But the documentation also says: "While this provides very good security, we do not recommend storing your encrypted rclone configuration in public if it contains sensitive information, maybe except if you use a very strong password." In that case, can the rclone developers please create a feature request where we can achieve this without storing anything on the end user's PC?