
address comments

pull/7471/head
chrislu 3 weeks ago
parent
commit
01e781b141
  1. 4
      weed/s3api/auth_credentials.go
  2. 2
      weed/s3api/s3_policy_templates_test.go

4
weed/s3api/auth_credentials.go

@ -63,7 +63,7 @@ type Identity struct {
Account *Account
Credentials []*Credential
Actions []Action
PrincipalArn string // ARN for IAM authorization (e.g., "arn:aws:iam::user/username")
PrincipalArn string // ARN for IAM authorization (e.g., "arn:aws:iam::account-id:user/username")
}
// Account represents a system user, a system user can
@ -511,7 +511,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
// - Explicit DENY in bucket policy → immediate rejection
// - Explicit ALLOW in bucket policy → grant access (bypass IAM checks)
// - No policy or indeterminate → fall through to IAM checks
if iam.s3ApiServer != nil && bucket != "" {
if iam.s3ApiServer != nil && iam.s3ApiServer.policyEngine != nil && bucket != "" {
principal := buildPrincipalARN(identity)
allowed, evaluated, err := iam.s3ApiServer.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
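Review bot: With the added `iam.s3ApiServer.policyEngine != nil` guard in authRequest, a missing policy engine now skips bucket-policy evaluation silently and the request falls through to IAM checks, so an explicit DENY in a bucket policy would not be applied in that state. The comment list above the condition covers DENY, ALLOW and "no policy or indeterminate" but not this case; I would add `// - Policy engine not initialized → bucket policy is skipped, fall through to IAM checks` and, if a nil engine is not an expected configuration, log it rather than pass quietly. Whether policyEngine can be nil outside tests is not visible here, and authRequest continues past the end of the hunk, so the handling of `err` and `evaluated` returned by EvaluatePolicy cannot be checked from this view.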

2
weed/s3api/s3_policy_templates_test.go

@ -495,7 +495,7 @@ func TestPolicyValidation(t *testing.T) {
// Check resource format
for _, resource := range stmt.Resource {
if resource != "*" {
assert.Contains(t, resource, "arn:aws:s3:::", "Resource should be valid SeaweedFS S3 ARN: %s", resource)
assert.Contains(t, resource, "arn:aws:s3:::", "Resource should be valid AWS S3 ARN: %s", resource)
}
}
}
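Review bot: The resource check in this loop uses `assert.Contains`, which passes for any string that has `arn:aws:s3:::` somewhere inside it, so a template that emits a resource with a stray leading prefix would still be reported as valid. A prefix check matches the message more exactly, e.g. `assert.True(t, strings.HasPrefix(resource, "arn:aws:s3:::"), "Resource should be valid AWS S3 ARN: %s", resource)` (this needs `strings` imported if the test file does not already have it). TestPolicyValidation starts and ends outside the hunk.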
