AWS S3 Mount without access_key_id and secret_access_key

I am trying to install rclone as a desktop application into a user's PC ( rclone mount ) and I don't want to store the access_key_id and secret_access_key in the rclone.conf file in the end user's PC (as this is a security concern). Is there another alternative where I can use rclone mount without providing access_key_id and secret_access_key .

My work around:

  • Server side: Expose a new REST api which returns AWS S3 signature (V4 signature).
  • In rclone.conf add v2_auth = true
  • Modify backend/s3/v2sign.go (the sign method) and set the signature headers.
req.Header.Set("X-Amz-Content-Sha256", "value returned from server")
req.Header.Set("X-Amz-Date", "value returned from server")
req.Header.Set("Authorization", "value returned from server")

But the problem here is that , for every GET , HEAD , LIST, PUT and DELETE etc I need to call the new REST API and get the signature which is an overkill.

Is there a secure way to make rclone mount work without providing access_key_id and secret_access_key . Thanks.


the config file can be encrypted

what is the operating system of the end user?

run rclone mount as a different local user than the end-user.
in that way, the end-user will not have permission to see the config file.

Thank you asdffdsa :slight_smile: . But the documentation also say While this provides very good security, we do not recommend storing your encrypted rclone configuration in public if it contains sensitive information, maybe except if you use a very strong password. . In that case can the rclone developers please create a feature request where we can achieve this without storing anything on the end user's PC.

start a new post, using the feature template and define in detail, what your request is.
then other rcloners can comment.