Headless Auth and Service Accounts
Production jobs should not depend on interactive browser prompts: nobody is there to click through an OAuth consent screen when a timer fires at 02:00. Use service identities and a predictable runtime config that the job user can read without any per-user state.
Headless Strategy
| Pattern | Use case | Notes |
|---|---|---|
| Service account JSON | GCS/Drive automation | Point the remote at the key with service_account_file; rotate keys regularly and keep the JSON file mode 600 |
| Environment auth | S3-compatible systems | env_auth=true uses the AWS credential chain (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, or instance/role metadata); keep secrets out of shell history and committed scripts |
| Managed config file | Systemd/cron jobs | Pass an explicit --config path; the default config lives under the invoking user's home and is usually the wrong place for a service user |
Example: Explicit Config Path
rclone sync /srv/data remote-prod:backup/data \
--config /etc/rclone/rclone.conf \
--log-file /var/log/rclone-sync.log
Example: Environment Credentials
rclone-env-auth.sh
# REDACTED stands in for values supplied at runtime from a protected env file or secret manager; never commit real values
export AWS_ACCESS_KEY_ID="REDACTED"
export AWS_SECRET_ACCESS_KEY="REDACTED"
# connection-string remote: env_auth=true tells the :s3 backend to read the variables above
rclone lsd ":s3,env_auth=true:my-bucket"
warning
Never hardcode secrets in committed scripts, and do not paste them into an interactive shell where they end up in history. Store credentials in a protected environment file (mode 600, owned by the job user) or a secret manager, and load them at runtime.
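Putting the explicit-config and environment-auth patterns together, here is a headless wrapper as an added example (it is not part of the rclone project or of this page's original scripts). It refuses to start unless the config file and the credential file are private to the job user, pulls only the two AWS variables out of the env file rather than sourcing it, and then runs rclone with an explicit --config and --log-file. The paths /etc/rclone/rclone.conf, /etc/rclone/s3.env, /var/log/rclone-sync.log, the remote name remote-prod and the bucket my-bucket are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the rclone project: a headless wrapper that refuses
# to run unless the config and credential files are locked down, loads S3
# credentials from a protected env file instead of the script itself, and
# invokes rclone with an explicit --config and --log-file.
# All paths, the remote name and the bucket are assumptions for illustration.
set -eu

RCLONE_CONF="${RCLONE_CONF:-/etc/rclone/rclone.conf}"
CRED_FILE="${CRED_FILE:-/etc/rclone/s3.env}"
LOG_FILE="${LOG_FILE:-/var/log/rclone-sync.log}"

# Octal permission bits of a file (GNU stat, with BSD/macOS stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric uid of a file's owner.
file_owner() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Succeed only if the file exists, is owned by the current user, and has no
# group/other bits set (0600 or 0400). Anything else is a refusal to start.
check_private_file() {
  f="$1"
  [ -f "$f" ] || { echo "refusing to start: $f is missing" >&2; return 1; }
  [ "$(file_owner "$f")" = "$(id -u)" ] \
    || { echo "refusing to start: $f is not owned by uid $(id -u)" >&2; return 1; }
  case "$(file_mode "$f")" in
    600|400) return 0 ;;
    *) echo "refusing to start: $f has mode $(file_mode "$f"), expected 600" >&2; return 1 ;;
  esac
}

# Value of KEY from a KEY=VALUE env file. Accepts an optional leading
# "export " and strips one layer of surrounding quotes; first match wins.
env_value() {
  sed -n -e 's/^export[[:space:]]*//' -e "s/^$1=//p" "$2" \
    | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" \
    | head -n 1
}

# Export only the two variables rclone's env_auth reads, without echoing
# them and without sourcing the file (so a stray line cannot run code).
load_s3_creds() {
  check_private_file "$1" || return 1
  AWS_ACCESS_KEY_ID=$(env_value AWS_ACCESS_KEY_ID "$1")
  AWS_SECRET_ACCESS_KEY=$(env_value AWS_SECRET_ACCESS_KEY "$1")
  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    echo "refusing to start: $1 does not define both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
}

# Preflight, then the real job. The connection-string remote
# ":s3,env_auth=true:" picks its credentials up from the environment;
# the named remote-prod: remote comes from the explicit --config file.
main() {
  check_private_file "$RCLONE_CONF"
  load_s3_creds "$CRED_FILE"
  rclone lsd ":s3,env_auth=true:my-bucket" --log-file "$LOG_FILE"
  rclone sync /srv/data remote-prod:backup/data \
    --config "$RCLONE_CONF" \
    --log-file "$LOG_FILE" \
    --log-level INFO
}

# Run the job only when executed as a script named rclone-headless.sh, so the
# functions can also be sourced and exercised on their own.
case "${0##*/}" in
  rclone-headless.sh) main "$@" ;;
esac
```

The permission check is deliberately strict about ownership as well as mode: a 0600 file owned by root is unreadable to a service user and a 0600 file owned by someone else is a sign the deployment step went wrong, and both are better caught before rclone starts than from a half-finished sync. Parsing the env file instead of sourcing it means a malformed or tampered line cannot execute commands in the job's context.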
Minimal Hardening Checklist
- Restrict config file permissions (chmod 600) and make the job user the owner.
- Use separate remotes, with separate credentials, for staging and production.
- Keep backup credentials least-privilege: scope them to the backup bucket or prefix, with no account-level admin rights.
- Log to file and monitor for auth failures (HTTP 401/403, AccessDenied, expired or revoked tokens) so a broken credential is noticed on the first failed run.
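The last checklist item is the one most often left as a good intention, so here is an added example of the monitoring side (not code from the rclone project or this page): a small scanner for an rclone --log-file that counts lines carrying an auth-failure signature, lists the distinct error codes for the alert body, and exits non-zero when any are present so a cron or systemd hook can page. The sample log is constructed to resemble rclone's "date time LEVEL : message" output and mixes an S3 remote with bad keys and an OAuth remote whose refresh token was revoked; the file names, request id and remote name in it are invented.

```shell
#!/bin/sh
# Added example, not from the rclone project: scan an rclone --log-file for
# authentication and authorization failures so a cron/systemd job can alert
# instead of silently failing for weeks. The sample log below is constructed
# to resemble rclone's "date time LEVEL : message" lines; the paths, request
# id and remote name in it are made up.
set -eu

# Signatures of auth trouble as they appear in rclone's log output:
# S3/AWS error codes, HTTP 401/403, and OAuth refresh-token failures.
AUTH_FAILURE_RE='AccessDenied|InvalidAccessKeyId|SignatureDoesNotMatch|ExpiredToken|status code: 40[13]|invalid_grant|cannot fetch token'

# Number of log lines that carry an auth-failure signature (0 when clean).
auth_failure_count() {
  grep -c -E "$AUTH_FAILURE_RE" "$1" || true
}

# Distinct error codes seen, one per line, in a locale-independent order,
# for the alert body.
auth_failure_reasons() {
  grep -o -E 'AccessDenied|InvalidAccessKeyId|SignatureDoesNotMatch|ExpiredToken|invalid_grant' "$1" \
    | LC_ALL=C sort -u || true
}

# Exit status 1 (and a summary on stderr) when any auth failure is present,
# so the caller's monitoring hook fires; 0 when the log is clean.
check_auth_failures() {
  n=$(auth_failure_count "$1")
  if [ "$n" -gt 0 ]; then
    echo "ALERT: $n auth failure line(s) in $1: $(auth_failure_reasons "$1" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Constructed sample log: an S3 remote with revoked/unknown keys, then an
# OAuth remote whose refresh token has been revoked.
write_sample_log() {
  cat > "$1" <<'EOF'
2024/05/01 02:00:01 INFO  : Starting sync to remote-prod:backup/data
2024/05/01 02:00:02 ERROR : reports/q1.csv: Failed to copy: AccessDenied: Access Denied status code: 403, request id: 8F1D2C3B4A5E6F70
2024/05/01 02:00:02 ERROR : reports/q2.csv: Failed to copy: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records. status code: 403
2024/05/01 02:00:03 ERROR : Attempt 1/3 failed with 2 errors and: AccessDenied: Access Denied status code: 403
2024/05/01 02:00:05 NOTICE: Transferred: 0 B / 0 B, -, 0 B/s, ETA -
2024/05/01 02:00:05 ERROR : Failed to sync: couldn't list directory: oauth2: cannot fetch token: 400 Bad Request Response: {"error": "invalid_grant", "error_description": "Token has been expired or revoked."}
EOF
}

# Stand-alone demo: writes the sample log and runs the check against it.
demo() {
  log=$(mktemp)
  write_sample_log "$log"
  echo "auth failure lines: $(auth_failure_count "$log")"
  check_auth_failures "$log" || echo "check returned non-zero (expected for the sample)"
  rm -f "$log"
}

# Run the demo only when executed as a script named rclone-authcheck.sh, so
# the functions can also be sourced from a cron wrapper.
case "${0##*/}" in
  rclone-authcheck.sh) demo ;;
esac
```

In a real job, call check_auth_failures on the log right after the rclone run and route its non-zero status to whatever already alerts on failed units or cron mail; a single 403 on the first run after a key rotation is far cheaper to investigate than weeks of silently empty backups.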
Common Pitfalls
| Pitfall | Failure mode | Fix |
|---|---|---|
| Running config as root, job as non-root | rclone looks for the config under the job user's home and reports it as not found, so remotes are undefined at runtime | Store the config at a shared path readable only by the job user and pass it with --config |
| Broad admin credentials | Blast radius too large: a leaked backup key can read, alter or delete everything the account owns | Create a scoped backup-only policy limited to the backup bucket or prefix |
| No token refresh plan | OAuth refresh token expires or is revoked and the job stops weeks later, usually unnoticed | Prefer service accounts where the backend supports them; otherwise document and test the reconnect procedure (rclone config reconnect remote:) and alert on auth failures in the log |