From 8dd79e8fa4c97baea9245d11fdba950e496b72a8 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 8 Mar 2026 20:52:23 -0700
Subject: [PATCH] fix: use admin S3 client for bucket cleanup in enforcement test
The user S3 client may lack permissions by cleanup time since the user is removed from the group in an earlier subtest. Use the admin S3 client to ensure bucket and object cleanup always succeeds.
---
 test/s3/iam/s3_iam_group_test.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/test/s3/iam/s3_iam_group_test.go b/test/s3/iam/s3_iam_group_test.go
index c6147fc10..26070b3f2 100644
--- a/test/s3/iam/s3_iam_group_test.go
+++ b/test/s3/iam/s3_iam_group_test.go
@@ -324,13 +324,16 @@ func TestIAMGroupPolicyEnforcement(t *testing.T) {
 iamClient.DeletePolicy(&iam.DeletePolicyInput{PolicyArn: policyArn})
 })
- // Register bucket cleanup on parent test so it runs after all subtests
+ // Register bucket cleanup on parent test with admin credentials
+ // (userS3Client may lack permissions by cleanup time)
+ adminS3, err := framework.CreateS3ClientWithJWT("admin-user", "TestAdminRole")
+ require.NoError(t, err)
 t.Cleanup(func() {
- userS3Client.DeleteObject(&s3.DeleteObjectInput{
+ adminS3.DeleteObject(&s3.DeleteObjectInput{
 Bucket: aws.String(bucketName),
 Key: aws.String("test-key"),
 })
- userS3Client.DeleteBucket(&s3.DeleteBucketInput{Bucket: aws.String(bucketName)})
+ adminS3.DeleteBucket(&s3.DeleteBucketInput{Bucket: aws.String(bucketName)})
 })
 t.Run("user_without_group_denied", func(t *testing.T) {
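Review bot: The cleanup closure still discards the results of `adminS3.DeleteObject` and `adminS3.DeleteBucket`, so if the admin call is refused, or the bucket holds anything besides `test-key`, the bucket is left behind with no trace in the test output. In an authorization enforcement test, leftover state from an earlier run can make later allow/deny results hard to interpret, so the failure should at least be logged: `if _, err := adminS3.DeleteBucket(&s3.DeleteBucketInput{Bucket: aws.String(bucketName)}); err != nil { t.Logf("cleanup: delete bucket %s: %v", bucketName, err) }`, and likewise for the object delete. TestIAMGroupPolicyEnforcement starts and continues outside this hunk, so whether subtests write other keys cannot be confirmed from here.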