diff --git a/weed/s3api/policy_conversion.go b/weed/s3api/policy_conversion.go
index 7bda3dda6..2d557f960 100644
--- a/weed/s3api/policy_conversion.go
+++ b/weed/s3api/policy_conversion.go
@@ -105,16 +105,10 @@ func convertPrincipal(principal interface{}) (*policy_engine.StringOrStringSlice
 		// Example: {"AWS": "arn:aws:iam::123456789012:user/Alice"}
 		// Only AWS principals are supported for now. Other types like Service or Federated need special handling.
 		
-		// Check that ONLY the "AWS" key is present
-		if len(p) != 1 {
-			glog.Warningf("unsupported principal map, only single 'AWS' key is supported: %v", p)
-			return nil, fmt.Errorf("unsupported principal map, only single 'AWS' key is supported, got keys: %v", getMapKeys(p))
-		}
-		
 		awsPrincipals, ok := p["AWS"]
-		if !ok {
-			glog.Warningf("unsupported principal map, only 'AWS' key is supported: %v", p)
-			return nil, fmt.Errorf("unsupported principal type, only 'AWS' principals are supported, got keys: %v", getMapKeys(p))
+		if !ok || len(p) != 1 {
+			glog.Warningf("unsupported principal map, only a single 'AWS' key is supported: %v", p)
+			return nil, fmt.Errorf("unsupported principal map, only a single 'AWS' key is supported, got keys: %v", getMapKeys(p))
 		}
 		
 		switch val := awsPrincipals.(type) {
diff --git a/weed/s3api/policy_conversion_test.go b/weed/s3api/policy_conversion_test.go
index 0b6e12749..25b05610e 100644
--- a/weed/s3api/policy_conversion_test.go
+++ b/weed/s3api/policy_conversion_test.go
@@ -320,7 +320,7 @@ func TestConvertPrincipalMapWithNilValues(t *testing.T) {
 
 func TestConvertToStringUnsupportedType(t *testing.T) {
 	// Test that unsupported types (e.g., nested maps/slices) return empty string
-	// This should trigger a warning log but not fail
+	// This should trigger a warning log and return an error
 	
 	type customStruct struct {
 		Field string