diff --git a/.gitignore b/.gitignore
index 10bc81f63..f8e614b17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -137,3 +137,4 @@ test/s3/remote_cache/primary-server.pid
 # ID and PID files
 *.id
 *.pid
+test/s3/iam/.test_env
diff --git a/weed/s3api/s3api_sts.go b/weed/s3api/s3api_sts.go
index eedab3f21..64cee26e4 100644
--- a/weed/s3api/s3api_sts.go
+++ b/weed/s3api/s3api_sts.go
@@ -318,6 +318,12 @@ func (h *STSHandlers) handleAssumeRole(w http.ResponseWriter, r *http.Request) {
 return
 }
+ // Get account ID from STS config or use default
+ accountId := "111122223333" // Default account ID
+ if h.stsService != nil && h.stsService.Config != nil && h.stsService.Config.AccountId != "" {
+ accountId = h.stsService.Config.AccountId
+ }
+
 // Build and return response with proper ARN formatting
 xmlResponse := &AssumeRoleResponse{
 Result: AssumeRoleResult{
@@ -329,7 +335,7 @@ func (h *STSHandlers) handleAssumeRole(w http.ResponseWriter, r *http.Request) {
 },
 AssumedRoleUser: &AssumedRoleUser{
 AssumedRoleId: fmt.Sprintf("%s:%s", roleName, roleSessionName),
- Arn: fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleName, roleSessionName),
+ Arn: fmt.Sprintf("arn:aws:sts::%s:assumed-role/%s/%s", accountId, roleName, roleSessionName),
 },
 },
 }
@@ -487,6 +493,8 @@ func (h *STSHandlers) handleAssumeRoleWithLDAPIdentity(w http.ResponseWriter, r
 }
 // Build and return response with proper ARN formatting
+ // accountId is already defined above (line 423-426)
+
 xmlResponse := &AssumeRoleWithLDAPIdentityResponse{
 Result: LDAPIdentityResult{
 Credentials: STSCredentials{
@@ -497,7 +505,7 @@ func (h *STSHandlers) handleAssumeRoleWithLDAPIdentity(w http.ResponseWriter, r
 },
 AssumedRoleUser: &AssumedRoleUser{
 AssumedRoleId: fmt.Sprintf("%s:%s", roleName, roleSessionName),
- Arn: fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleName, roleSessionName),
+ Arn: fmt.Sprintf("arn:aws:sts::%s:assumed-role/%s/%s", accountId, roleName, roleSessionName),
 },
 },
 }
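Review bot: The fallback `accountId := "111122223333"` in the @@ -318,6 +318,12 @@ hunk of handleAssumeRole is a magic literal that silently ends up in every returned ARN when `h.stsService.Config.AccountId` is unset, so an unconfigured deployment issues assumed-role principals under an account ID nobody chose, and audit records or ARN-based policy matching cannot tell that a default was used. The comment added in handleAssumeRoleWithLDAPIdentity suggests the same lookup already exists there, so it would be better kept in one helper backed by a named constant (reuse an existing constant if the package has one), with the call sites reduced to a single line. Go naming would also spell the local `accountID`. The function body starts and ends outside the hunk.

```go
// defaultAccountID is used in ARNs when the STS config sets no account ID.
const defaultAccountID = "111122223333"

// stsAccountID returns the configured STS account ID, or defaultAccountID
// when the service or its config is missing or leaves the field empty.
func (h *STSHandlers) stsAccountID() string {
	if h.stsService != nil && h.stsService.Config != nil && h.stsService.Config.AccountId != "" {
		return h.stsService.Config.AccountId
	}
	return defaultAccountID
}

// … unchanged: request parsing and credential issuance in handleAssumeRole …
accountID := h.stsAccountID()
```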
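Review bot: `roleName` and `roleSessionName` are formatted into the new `Arn:` value with plain `%s` in the @@ -329,7 +335,7 @@ hunk, and nothing visible here shows them restricted to ARN-safe characters; if `roleSessionName` reaches this point unchecked from the request, a value containing `/` or `:` produces an ARN whose resource part is ambiguous for anything that later parses or matches on it. The validation may well happen earlier in handleAssumeRole, outside the hunk, in which case a comment at this line would record that, e.g. `// roleName and roleSessionName are validated above; safe to embed in the ARN`. The same applies to the identical `Arn:` line in the @@ -497,7 +505,7 @@ hunk of handleAssumeRoleWithLDAPIdentity. A test asserting the `arn:aws:sts::<account>:assumed-role/<role>/<session>` shape for both handlers would pin the corrected format.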
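Review bot: The added comment `// accountId is already defined above (line 423-426)` in the @@ -487,6 +493,8 @@ hunk hard-codes line numbers that will be wrong after the next edit to this file, and the definition it points to is not visible in the hunk. Describe the dependency instead of its location, e.g. `// accountId is resolved earlier in this handler`. The blank line added after it also separates `// Build and return response with proper ARN formatting` from the `xmlResponse` literal that comment describes; dropping the blank line keeps the two together.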