fix: add sts:ValidateSession to JWT authentication test policies

The TestJWTAuthenticationFlow was failing because the IAM policies for S3ReadOnlyRole and S3AdminRole were missing the 'sts:ValidateSession' action. ### Problem: - JWT authentication was working correctly (tokens parsed successfully) - But IsActionAllowed returned false for sts:ValidateSession action - This caused all JWT auth tests to fail with errCode=1 ### Solution: - Added sts:ValidateSession action to S3ReadOnlyPolicy - Added sts:ValidateSession action to S3AdminPolicy - Both policies now include the required STS session validation permission ### Test Results: ✅ TestJWTAuthenticationFlow now passes 100% (6/6 test cases) ✅ Read-Only JWT Authentication: All operations work correctly ✅ Admin JWT Authentication: All operations work correctly ✅ JWT token parsing and validation: Fully functional This ensures consistent policy definitions across all S3 API JWT tests, matching the policies used in s3_end_to_end_test.go.
2 months ago · b1260d9743
1 changed files with 12 additions and 0 deletions
--- a/weed/s3api/s3_jwt_auth_test.go
+++ b/weed/s3api/s3_jwt_auth_test.go
@ -345,6 +345,12 @@ func setupTestReadOnlyRole(ctx context.Context, manager *integration.IAMManager)
 					"arn:seaweed:s3:::*/*",
 				},
 			},
+			{
+				Sid:    "AllowSTSSessionValidation",
+				Effect: "Allow",
+				Action: []string{"sts:ValidateSession"},
+				Resource: []string{"*"},
+			},
 		},
 	}

@ -401,6 +407,12 @@ func setupTestAdminRole(ctx context.Context, manager *integration.IAMManager) {
 					"arn:seaweed:s3:::*/*",
 				},
 			},
+			{
+				Sid:    "AllowSTSSessionValidation",
+				Effect: "Allow",
+				Action: []string{"sts:ValidateSession"},
+				Resource: []string{"*"},
+			},
 		},
 	}