Skip to content

Support v4 Multi-Bucket Application Keys#30

Open
johnmaguire wants to merge 3 commits into
Backblaze:masterfrom
johnmaguire:support-v4-api
Open

Support v4 Multi-Bucket Application Keys#30
johnmaguire wants to merge 3 commits into
Backblaze:masterfrom
johnmaguire:support-v4-api

Conversation

@johnmaguire

@johnmaguire johnmaguire commented Apr 15, 2026

Copy link
Copy Markdown

Fixes #27 with the ultimate goal of solving restic/restic#5741

A new b2.CreateKeyMultiBucket was added to avoid breaking the type signature of b2.CreateKey, with support for multi-bucket application keys.

b2.CreateKey continues to use the old API (similar to the terraform provider's usage of bucket_id vs bucket_ids) in order to support clients which do not support multi-bucket application keys.

Client.CreateKey accepts a new BucketIDs option and selects CreateKeyMultiBucket when len(bucketIDs) > 1.

References:

@mlech-reef mlech-reef self-assigned this May 18, 2026

@mlech-reef mlech-reef left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

v4 b2_authorize_account response is parsed from the wrong location - restricted keys lose their scope

The v4 auth response nests key restrictions under apiInfo.storageApi.allowed:

  • storageApi.allowed.buckets[]{ id, name }
  • storageApi.allowed.namePrefix
  • storageApi.allowed.capabilities

But StorageAPIInfo reads bucketIds/bucketNames/namePrefix at the storageApi top level, where v4 emits nothing. So for any bucket- or prefix-restricted key, B2.buckets and B2.pfx come back empty. The client never learns its own restriction, lists outside the allowed scope, and B2 rejects with 401:

=== RUN   TestListBucketContentsWithKey
    integration_test.go:1079: b2_list_file_names: 401:
--- FAIL: TestListBucketContentsWithKey (6.24s)

This also breaks the headline feature: a multi-bucket key authorizes but the client forgets which buckets it's scoped to.

Master (v3) returned bucketId/bucketName at the top level, so this only surfaced with the v4 migration. Unrestricted/master keys are unaffected (their allowed is empty), which is why most tests pass.

@mlech-reef

Copy link
Copy Markdown
Collaborator

Adds a live integration test that mints a Multi-Bucket Application Key and
confirms it can list within each allowed bucket.
@johnmaguire

johnmaguire commented Jun 26, 2026

Copy link
Copy Markdown
Author

@mlech-reef Thanks for taking a look, and apologies on the miss - added an integration test for a multi-bucket key this time around and ran the suite.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support Native API v4

2 participants