chore(iam): improved error wrapping and test parameterization

test/s3/iam/s3_sts_assume_role_test.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"strings"
 	"testing"
 	"time"
@@ -198,9 +199,15 @@ func TestSTSAssumeRoleWithValidCredentials(t *testing.T) {
 		t.Skip("SeaweedFS STS endpoint is not running at", TestSTSEndpoint)
 	}
 
-	// Use test credentials from config - these should be configured in iam_config.json
-	accessKey := "admin"
-	secretKey := "admin"
+	// Use test credentials from environment or fall back to defaults
+	accessKey := os.Getenv("STS_TEST_ACCESS_KEY")
+	if accessKey == "" {
+		accessKey = "admin"
+	}
+	secretKey := os.Getenv("STS_TEST_SECRET_KEY")
+	if secretKey == "" {
+		secretKey = "admin"
+	}
 
 	t.Run("successful_assume_role", func(t *testing.T) {
 		resp, err := callSTSAPIWithSigV4(t, url.Values{

weed/iam/integration/iam_manager_trust.go

@@ -20,7 +20,7 @@ func (m *IAMManager) ValidateTrustPolicyForPrincipal(ctx context.Context, roleAr
 	// Get role definition
 	roleDef, err := m.roleStore.GetRole(ctx, m.getFilerAddress(), roleName)
 	if err != nil {
-		return fmt.Errorf("role not found: %s", roleName)
+		return fmt.Errorf("failed to get role %s: %w", roleName, err)
 	}
 
 	if roleDef.TrustPolicy == nil {