diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 25a9d0209..81d12be43 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -60,8 +60,22 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
 	var listBuckets ListAllMyBucketsList
 	for _, entry := range entries {
 		if entry.IsDirectory {
-			if identity != nil && !identity.canDo(s3_constants.ACTION_LIST, entry.Name, "") {
-				continue
+			// Check permissions for each bucket
+			if identity != nil {
+				// For JWT-authenticated users, use IAM authorization
+				sessionToken := r.Header.Get("X-SeaweedFS-Session-Token")
+				if s3a.iam.iamIntegration != nil && sessionToken != "" {
+					// Use IAM authorization for JWT users
+					errCode := s3a.iam.authorizeWithIAM(r, identity, s3_constants.ACTION_LIST, entry.Name, "")
+					if errCode != s3err.ErrNone {
+						continue
+					}
+				} else {
+					// Use legacy authorization for non-JWT users
+					if !identity.canDo(s3_constants.ACTION_LIST, entry.Name, "") {
+						continue
+					}
+				}
 			}
 			listBuckets.Bucket = append(listBuckets.Bucket, ListAllMyBucketsEntry{
 				Name:         entry.Name,