From 6ef8a3f5653435d598fc0c7fe683271056d13d1f Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Sun, 8 Mar 2026 23:50:31 -0700
Subject: [PATCH] fix: update service account parent refs on user rename in
 embedded IAM

The embedded IAM UpdateUser handler updated group membership but
not service account ParentUser fields, unlike the standalone handler.
---
 weed/s3api/s3api_embedded_iam.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/weed/s3api/s3api_embedded_iam.go b/weed/s3api/s3api_embedded_iam.go
index 6a0e9c2ab..671de5853 100644
--- a/weed/s3api/s3api_embedded_iam.go
+++ b/weed/s3api/s3api_embedded_iam.go
@@ -361,6 +361,12 @@ func (e *EmbeddedIamApi) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url
 						}
 					}
 				}
+				// Update service account parent references
+				for _, sa := range s3cfg.ServiceAccounts {
+					if sa.ParentUser == userName {
+						sa.ParentUser = newUserName
+					}
+				}
 				return resp, nil
 			}
 		}