Separate S3 access keys for backups and uploads?

I want to use separate backblaze B2 buckets for backups and uploads. I don’t want discourse to have access to any buckets other than the two it is using.

Backblaze allows creating an application key to access either a single bucket, or all buckets.

But discourse requires that uploads and backups use the same S3 credentials, as far as I can tell, so there’s no way to do that.

Is there anything I’m missing?

Hi there :wave: welcome :slight_smile:

Perhaps this topic can help

Sadly, no. For Backblaze the example given just puts the backups in a /backups subdirectory of the (publicly readable) uploads bucket. I’m sure it’s possible to secure that, but it doesn’t seem like a great approach.

So I was able to set up an IAM user with 2 roles in AWS that allows for separate permissions for my backup and assets buckets. Each role is scoped to that bucket and has specific permissions. I believe that the backup is set to only put and not read or list, whereas the assets bucket is allowing all functions.

However, this sounds like an issue with the Backblaze role specification, is that correct? It seems like you can only attach a permission to 1 or all buckets, and the way that it works with Discourse is that they share the same permission keys?
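One way to express the per-bucket scoping described above as a single IAM policy attached to the user whose access key Discourse is given (an added example, not from the post author or from Discourse's documentation; the bucket names `example-discourse-backups` and `example-discourse-uploads` are placeholders):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BackupsPutOnly",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::example-discourse-backups/*"
    },
    {
      "Sid": "UploadsBucketList",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::example-discourse-uploads"
    },
    {
      "Sid": "UploadsObjectsFull",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::example-discourse-uploads/*"
    }
  ]
}
```

The first statement mirrors the put-only backups bucket from the post; if the instance also lists or removes old backups from its admin UI, that statement would additionally need `s3:ListBucket` on the bucket ARN and `s3:DeleteObject` on its objects. Neither bucket grants anything outside its own ARN, which is the isolation the original question asks for.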

Yup. Backblaze's handling of application key permissions seems to be (drastically) simpler than AWS's.

A Backblaze permission key seems to have access to either a single bucket or all buckets in the owner's account.

So the discourse S3 interface is just fine for AWS S3 buckets, but not quite as good for Backblaze B2 buckets.

Sounds like you could use AWS or create a different Backblaze account.
