From 615bdd7047de2a657c0a575d27f2a81f3d41719d Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Thu, 8 Jan 2026 14:08:26 -0800
Subject: [PATCH] Fix STS authorization in streaming/chunked uploads
During streaming/chunked uploads (SigV4 streaming), authorization happens twice: 1. Initial authorization in authRequestWithAuthType() - works correctly 2. Second authorization in verifyV4Signature() - was failing for STS The issue was that verifyV4Signature() only used identity.canDo() for permission checks, which always denies STS identities (they have empty Actions). This bypassed IAM authorization completely. This commit makes verifyV4Signature() IAM-aware by adding the same fallback logic used in authRequestWithAuthType(): - Traditional identities (with Actions) use legacy canDo() check - STS/JWT identities (empty Actions) fall back to IAM authorization
Fixes: https://github.com/seaweedfs/seaweedfs/pull/7986#issuecomment-3723196038
---
 weed/s3api/auth_signature_v4.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go
index b4696bc17..a91bf06c3 100644
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -248,7 +248,18 @@ func (iam *IdentityAccessManagement) verifyV4Signature(r *http.Request, shouldCh
 if r.Method != http.MethodGet && r.Method != http.MethodHead {
 action = s3_constants.ACTION_WRITE
 }
- if !identity.canDo(Action(action), bucket, object) {
+
+ // Traditional identities (with Actions from -s3.config) use legacy auth,
+ // JWT/STS identities (no Actions) use IAM authorization
+ if len(identity.Actions) > 0 {
+ if !identity.canDo(Action(action), bucket, object) {
+ return nil, nil, "", nil, s3err.ErrAccessDenied
+ }
+ } else if iam.iamIntegration != nil {
+ if errCode := iam.authorizeWithIAM(r, identity, Action(action), bucket, object); errCode != s3err.ErrNone {
+ return nil, nil, "", nil, errCode
+ }
+ } else {
 return nil, nil, "", nil, s3err.ErrAccessDenied
 }
 }
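Review bot: The discriminator `len(identity.Actions) > 0` on the added `if` line treats every identity without static Actions as an STS/JWT identity, so a traditional identity that simply has no Actions configured — which, per the commit message, the removed `canDo` line denied outright — is now forwarded to `iam.authorizeWithIAM` whenever an IAM integration is present; whether that path denies identities it holds no policy for is not visible in this hunk, so it should be confirmed and stated next to the branch, e.g. `// authorizeWithIAM must deny any identity it has no policy for`. The branching is described as a copy of the one in authRequestWithAuthType(), and two hand-maintained copies are how the checks drifted apart in the first place; a shared helper keeps them in lockstep and reduces this call site to `if errCode := iam.authorizeAction(r, identity, Action(action), bucket, object); errCode != s3err.ErrNone { return nil, nil, "", nil, errCode }`. The enclosing verifyV4Signature begins before this hunk and its body continues after it, and the helper's argument order below is inferred from the call on the added `authorizeWithIAM` line.
```go
// authorizeAction is the single permission check shared by authRequestWithAuthType
// and verifyV4Signature: identities carrying static Actions are checked with canDo,
// identities without them defer to the IAM integration, and with neither the
// request is denied.
func (iam *IdentityAccessManagement) authorizeAction(r *http.Request, identity *Identity, action Action, bucket, object string) s3err.ErrorCode {
	if len(identity.Actions) > 0 {
		if !identity.canDo(action, bucket, object) {
			return s3err.ErrAccessDenied
		}
		return s3err.ErrNone
	}
	if iam.iamIntegration == nil {
		return s3err.ErrAccessDenied
	}
	return iam.authorizeWithIAM(r, identity, action, bucket, object)
}
```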