From 9743af061713ba48d8c447657bfce9012831e52f Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 4 Mar 2026 11:13:56 -0800
Subject: [PATCH] s3api: add s3:GetObjectAttributes IAM action for ?attributes query

Previously, GET /{object}?attributes resolved to s3:GetObject via the fallback path since resolveFromQueryParameters had no case for the "attributes" query parameter. Add S3_ACTION_GET_OBJECT_ATTRIBUTES constant ("s3:GetObjectAttributes") and a branch in resolveFromQueryParameters to return it for GET requests with the "attributes" query parameter, so IAM policies can distinguish GetObjectAttributes from GetObject.

Co-Authored-By: Claude Opus 4.6
---
 weed/s3api/s3_action_resolver.go | 5 +++++
 weed/s3api/s3_constants/s3_action_strings.go | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/weed/s3api/s3_action_resolver.go b/weed/s3api/s3_action_resolver.go
index f7acd88ae..d1fe97bd1 100644
--- a/weed/s3api/s3_action_resolver.go
+++ b/weed/s3api/s3_action_resolver.go
@@ -196,6 +196,11 @@ func resolveFromQueryParameters(query url.Values, method string, hasObject bool)
 return s3_constants.S3_ACTION_GET_BUCKET_LOCATION
 }

+ // GetObjectAttributes (object-level only)
+ if hasObject && query.Has("attributes") && method == http.MethodGet {
+ return s3_constants.S3_ACTION_GET_OBJECT_ATTRIBUTES
+ }
+
 // Object retention and legal hold operations (object-level only)
 if hasObject {
 if query.Has("retention") {
diff --git a/weed/s3api/s3_constants/s3_action_strings.go b/weed/s3api/s3_constants/s3_action_strings.go
index 20e848997..46b3eb8c7 100644
--- a/weed/s3api/s3_constants/s3_action_strings.go
+++ b/weed/s3api/s3_constants/s3_action_strings.go
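Review bot: In weed/s3api/s3_action_resolver.go the new `attributes` branch returns `S3_ACTION_GET_OBJECT_ATTRIBUTES` without looking at `versionId`, so `GET /{object}?attributes&versionId=...` is authorized under the same action as the current-version call; AWS separates these as `s3:GetObjectAttributes` and `s3:GetObjectVersionAttributes`, and a policy written to restrict access to older versions may not apply to this request form. Whether an earlier `versionId` check in `resolveFromQueryParameters` already catches it cannot be seen here, because the function starts and ends outside the hunk. It is also worth confirming that the route for `?attributes` returns attribute metadata only: if the request is still served by the plain GetObject handler, a principal granted only `s3:GetObjectAttributes` would receive the object body. I would add a comment above the branch such as `// ?attributes with versionId also resolves here; AWS uses s3:GetObjectVersionAttributes for that form`, plus a resolver test case for both query shapes, since the commit touches no test file.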
@@ -8,7 +8,8 @@ const (
 S3_ACTION_PUT_OBJECT = "s3:PutObject"
 S3_ACTION_DELETE_OBJECT = "s3:DeleteObject"
 S3_ACTION_DELETE_OBJECT_VERSION = "s3:DeleteObjectVersion"
- S3_ACTION_GET_OBJECT_VERSION = "s3:GetObjectVersion"
+ S3_ACTION_GET_OBJECT_VERSION = "s3:GetObjectVersion"
+ S3_ACTION_GET_OBJECT_ATTRIBUTES = "s3:GetObjectAttributes"

 // Object ACL operations
 S3_ACTION_GET_OBJECT_ACL = "s3:GetObjectAcl"