From 7f1182472a3dafc0f5610a3d78ca2aa063bc6ee9 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Thu, 8 Jan 2026 20:22:04 -0800
Subject: [PATCH] fix: enable dual loading of static and dynamic IAM configuration

Refactored `NewIdentityAccessManagementWithStore` to remove mutual exclusivity between static (file-based) and dynamic (filer-based) configuration loading. Previously, if a static config configuration was present (including the legacy `IamConfig` option used by `weed mini`), it prevented loading users from the filer. Now, the system loads the static configuration first (if present), and then *always* attempts to merge in the dynamic configuration from the filer. This ensures that: 1. Static users (e.g. from `weed mini` env vars or `-s3.config`) are loaded and protected. 2. Dynamic users (e.g. created via Admin UI and stored in Filer) are also loaded and available.
---
 weed/s3api/auth_credentials.go | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index e6cd71adf..8647d032c 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -186,18 +186,21 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto
 }
 configLoaded = len(iam.identities) > 0
 iam.m.Unlock()
- } else {
- glog.V(3).Infof("no static config file specified... loading config from credential manager")
- if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
- glog.Warningf("fail to load config: %v", err)
- }
- // Only consider config loaded if we actually have identities
- // Don't block environment variable fallback just because filer call succeeded
- iam.m.RLock()
- configLoaded = len(iam.identities) > 0
- iam.m.RUnlock()
 }
+ // Always try to load/merge config from credential manager (filer)
+ // This ensures we get both static users (from file) and dynamic users (from filer)
+ glog.V(3).Infof("loading dynamic config from credential manager")
+ if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
+ glog.Warningf("fail to load config: %v", err)
+ }
+
+ // Only consider config loaded if we actually have identities
+ // Don't block environment variable fallback just because filer call succeeded
+ iam.m.RLock()
+ configLoaded = len(iam.identities) > 0
+ iam.m.RUnlock()
+
 // Only use environment variables as fallback if no configuration was loaded
 if !configLoaded {
 accessKeyId := os.Getenv("AWS_ACCESS_KEY_ID")
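Review bot: The now-unconditional `iam.loadS3ApiConfigurationFromFiler(option)` call runs after the static load, but nothing in this hunk shows what happens when a filer identity reuses the name or access key of a static one. The commit message says static users are "protected"; that guarantee presumably lives inside the loader, which is outside the hunk, so it is worth confirming (and covering with a test) that a filer entry can neither replace nor widen a file-defined identity, since whoever can write the filer IAM config would otherwise be able to redefine a static admin. If that is the intended behaviour, state it next to the call, e.g. `// Static identities take precedence; filer entries with a colliding name or access key do not override them`. The warning `fail to load config: %v` also no longer says which source failed; `glog.Warningf("fail to load dynamic config from filer: %v", err)` would make a static-only startup visible in the logs. The body of NewIdentityAccessManagementWithStore starts and ends outside the hunk.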