From a689c1e05210ee9a0ed074b0840e37181f1701b4 Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Wed, 28 Jan 2026 14:04:08 -0800
Subject: [PATCH] s3tables: align getPrincipalFromRequest with account ID for
 IAM compatibility

---
 weed/s3api/s3tables/handler.go | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/weed/s3api/s3tables/handler.go b/weed/s3api/s3tables/handler.go
index 57a2cd16e..428315fee 100644
--- a/weed/s3api/s3tables/handler.go
+++ b/weed/s3api/s3tables/handler.go
@@ -154,17 +154,14 @@ func (h *S3TablesHandler) HandleRequest(w http.ResponseWriter, r *http.Request,
 // Principal/authorization helpers
 
 func (h *S3TablesHandler) getPrincipalFromRequest(r *http.Request) string {
-	// Prioritize identity from context (set by IAM middleware)
-	if identityName := s3_constants.GetIdentityNameFromContext(r); identityName != "" {
-		return identityName
-	}
-
-	// Fallback to the authenticated account ID
+	// Prefer the authenticated account ID from the request header. This is the same
+	// identifier used as the "owner" in permission checks, so keeping them aligned
+	// avoids mismatches (e.g. username vs. account ID) when IAM is enabled.
 	if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" {
 		return accountID
 	}
 
-	// Default to handler's default account ID
+	// Default to handler's configured account ID
 	return h.accountID
 }