From 66661de746faa2927f08b2673ee71114d7dd5d2f Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 8 Mar 2026 19:27:31 -0700
Subject: [PATCH] fix: use credentialManager.GetPolicy for AttachGroupPolicy validation

Policies created via CreatePolicy through credentialManager are stored in the credential store, not in s3cfg.Policies (which only has static config policies). Change AttachGroupPolicy to use credentialManager.GetPolicy() for policy existence validation.
---
 weed/s3api/s3api_embedded_iam.go | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/weed/s3api/s3api_embedded_iam.go b/weed/s3api/s3api_embedded_iam.go
index e89b6c39b..c1c1033b9 100644
--- a/weed/s3api/s3api_embedded_iam.go
+++ b/weed/s3api/s3api_embedded_iam.go
@@ -1583,7 +1583,7 @@ func (e *EmbeddedIamApi) RemoveUserFromGroup(s3cfg *iam_pb.S3ApiConfiguration, v
 	return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
 }
 
-func (e *EmbeddedIamApi) AttachGroupPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamAttachGroupPolicyResponse, *iamError) {
+func (e *EmbeddedIamApi) AttachGroupPolicy(ctx context.Context, s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamAttachGroupPolicyResponse, *iamError) {
 	resp := &iamAttachGroupPolicyResponse{}
 	groupName := values.Get("GroupName")
 	policyArn := values.Get("PolicyArn")
@@ -1594,17 +1594,13 @@ func (e *EmbeddedIamApi) AttachGroupPolicy(s3cfg *iam_pb.S3ApiConfiguration, val
 	if err != nil {
 		return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
 	}
-	// Verify policy exists
-	policyFound := false
-	for _, p := range s3cfg.Policies {
-		if p.Name == policyName {
-			policyFound = true
-			break
+	// Verify policy exists via credential manager
+	if e.credentialManager != nil {
+		policy, pErr := e.credentialManager.GetPolicy(ctx, policyName)
+		if pErr != nil || policy == nil {
+			return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
 		}
 	}
-	if !policyFound {
-		return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
-	}
 	for _, g := range s3cfg.Groups {
 		if g.Name == groupName {
 			// Check if already attached (idempotent)
@@ -2073,7 +2069,7 @@ func (e *EmbeddedIamApi) ExecuteAction(ctx context.Context, values url.Values, s
 		}
 	case "AttachGroupPolicy":
 		var iamErr *iamError
-		response, iamErr = e.AttachGroupPolicy(s3cfg, values)
+		response, iamErr = e.AttachGroupPolicy(ctx, s3cfg, values)
 		if iamErr != nil {
 			return nil, iamErr
 		}
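Review bot: The policy-existence check is now skipped entirely when `e.credentialManager` is nil, so in that configuration AttachGroupPolicy accepts any caller-supplied PolicyArn and attaches an unvalidated policy name to the group, whereas the removed scan of `s3cfg.Policies` always rejected unknown names. The commit message itself says static config policies live only in `s3cfg.Policies`, so unless the credential store also serves them, attaching a static policy presumably now fails with NoSuchEntity; checking both sources preserves both behaviours. The new condition `pErr != nil || policy == nil` also folds every `GetPolicy` error into NoSuchEntityException and discards `pErr`, so a credential-store outage is reported to the caller as a missing policy — if the store signals not-found through an error rather than a nil policy, that case should be separated with `errors.Is` against its sentinel rather than treated as a service failure. AttachGroupPolicy's signature (changed in the first hunk) and the rest of its body are outside this hunk.
```go
	// Verify policy exists: static config policies live in s3cfg.Policies,
	// policies created through the IAM API live in the credential store.
	policyFound := false
	for _, p := range s3cfg.Policies {
		if p.Name == policyName {
			policyFound = true
			break
		}
	}
	if !policyFound && e.credentialManager != nil {
		policy, pErr := e.credentialManager.GetPolicy(ctx, policyName)
		if pErr != nil {
			return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("looking up policy %s: %w", policyName, pErr)}
		}
		policyFound = policy != nil
	}
	if !policyFound {
		return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
	}
	// … unchanged: attach loop over s3cfg.Groups …
```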