Bug Report: Service passing literal path as Access Key ID #19

@owdevel

Description

Using this latest rustfs-flake, the RUSTFS_ACCESS_KEY and RUSTFS_SECRET_KEY variables are not loaded in properly, resulting in not being able to log in on a fresh install.

It would seem that the rustfs NixOS module is using systemd LoadCredential logic for a binary that does not support the file: URI prefix in environment variables. This causes the binary to attempt authentication using the literal path string as the Access Key ID.

Steps to Reproduce

  1. Load the latest rustfs-flake module with example settings
  2. Attempt to log in with the credentials on the web console
  3. 403 forbidden error, InvalidAccessKeyId error in logs

Details

  • Version: rustfs-1.0.0-alpha.85
  • Environment: NixOS 25.11 with sops-nix for secret management.

Possible Root Cause

In the generated systemd unit, the module sets:
Environment="RUSTFS_ACCESS_KEY=file:%d/access-key"

The process environment expands this to: RUSTFS_ACCESS_KEY=file:/run/credentials/rustfs.service/access-key

The server then returns InvalidAccessKeyId because it may be trying to use that path string as the ID, instead of evaluating the file to get the data in the file.

Investigation Steps

  1. Set services.rustfs.accessKeyFile = "/path/to/key";.
  2. Start the service.
  3. Inspect environment: cat /proc/<PID>/environ | tr '\0' '\n'.
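
The environment check from the investigation steps, plus one possible launcher-side resolution of `file:` values, as an added example that is not part of the original report or of rustfs-flake. The function names `unresolved_file_refs` and `resolve_value` are hypothetical, and the example assumes, as the report suggests, that the binary treats both variables as plain values.

```shell
#!/bin/sh
# Added example: function names and any sample data are constructed,
# not taken from rustfs-flake or rustfs.

# Scan a /proc/<PID>/environ-style dump (NUL-separated) and report the
# RUSTFS credential variables whose value is still a literal "file:"
# reference. Prints "NAME -> path"; file contents are never printed.
unresolved_file_refs() {
    tr '\0' '\n' < "$1" | while IFS= read -r entry; do
        name=${entry%%=*}
        value=${entry#*=}
        case "$name" in
            RUSTFS_ACCESS_KEY|RUSTFS_SECRET_KEY) ;;
            *) continue ;;
        esac
        case "$value" in
            file:*) printf '%s -> %s\n' "$name" "${value#file:}" ;;
        esac
    done
}

# Resolve one value as a wrapper could before exec'ing a binary that only
# understands plain values: "file:<path>" yields the file's contents,
# anything else is passed through unchanged. Callers capturing the output
# with $(...) get trailing newlines stripped.
resolve_value() {
    case "$1" in
        file:*)
            path=${1#file:}
            [ -r "$path" ] || { echo "cannot read $path" >&2; return 1; }
            cat "$path" ;;
        *) printf '%s' "$1" ;;
    esac
}
```

A hit from `unresolved_file_refs /proc/<PID>/environ` means the service received the path string itself, which matches the InvalidAccessKeyId symptom described above.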
