From 89abe98b8a6f3be7cb36aaff8bfb8985f8a6d34f Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Thu, 19 Feb 2026 16:36:32 -0800
Subject: [PATCH] Reused the precomputed principal when setting tableBucketMetadata.OwnerAccountID, avoiding the redundant getAccountID call.
---
 weed/s3api/s3tables/handler_bucket_create.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/weed/s3api/s3tables/handler_bucket_create.go b/weed/s3api/s3tables/handler_bucket_create.go
index 77e5fe6ef..098e5dfbb 100644
--- a/weed/s3api/s3tables/handler_bucket_create.go
+++ b/weed/s3api/s3tables/handler_bucket_create.go
@@ -30,11 +30,8 @@ func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http
 identityActions := getIdentityActions(r)
 identityPolicyNames := getIdentityPolicyNames(r)
 if h.shouldUseIAM(r, identityActions, identityPolicyNames) {
- ownerAccountID := principal
- tableBucketARN := h.generateTableBucketARN(ownerAccountID, req.Name)
- s3BucketARN := fmt.Sprintf("arn:aws:s3:::%s", req.Name)
- allowed, err := h.authorizeIAMAction(r, identityPolicyNames, "s3tables:CreateTableBucket", tableBucketARN, s3BucketARN)
- if err != nil || !allowed {
+ sessionToken := extractSessionToken(r)
+ if !h.authorizeIAMAction(r, identityPolicyNames, "CreateTableBucket", h.generateTableBucketARN(principal, req.Name), fmt.Sprintf("arn:aws:s3:::%s", req.Name)) {
 h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table buckets")
 return NewAuthError("CreateTableBucket", principal, "not authorized to create table buckets")
 }
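Review bot: The rewritten guard `if !h.authorizeIAMAction(...)` changes the authorization contract in two ways the commit message does not mention: it no longer checks the `err` the removed lines handled, and it passes `"CreateTableBucket"` where the old call passed `"s3tables:CreateTableBucket"`. The signature of authorizeIAMAction is outside this hunk, but if it still returns `(bool, error)` this line does not compile, and if it now returns a bare bool, every evaluation failure must map to `false` for the check to stay fail-closed. Unless the helper adds the service prefix itself, the unprefixed action may no longer match the statements policies are written against, so I would keep `allowed, err := h.authorizeIAMAction(r, identityPolicyNames, "s3tables:CreateTableBucket", h.generateTableBucketARN(principal, req.Name), fmt.Sprintf("arn:aws:s3:::%s", req.Name))` followed by `if err != nil || !allowed {`. `sessionToken := extractSessionToken(r)` is not used in any visible line, which Go rejects as declared and not used unless a later line in the block consumes it, so it should be dropped or actually wired into the check. handleCreateTableBucket starts and ends outside the hunk.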