Browse Source

fix: add sts:ValidateSession to JWT authentication test policies

The TestJWTAuthenticationFlow was failing because the IAM policies for
S3ReadOnlyRole and S3AdminRole were missing the 'sts:ValidateSession' action.

### Problem:
- JWT authentication was working correctly (tokens parsed successfully)
- But IsActionAllowed returned false for sts:ValidateSession action
- This caused all JWT auth tests to fail with errCode=1

### Solution:
- Added sts:ValidateSession action to S3ReadOnlyPolicy
- Added sts:ValidateSession action to S3AdminPolicy
- Both policies now include the required STS session validation permission

### Test Results:
 TestJWTAuthenticationFlow now passes 100% (6/6 test cases)
 Read-Only JWT Authentication: All operations work correctly
 Admin JWT Authentication: All operations work correctly
 JWT token parsing and validation: Fully functional

This ensures consistent policy definitions across all S3 API JWT tests,
matching the policies used in s3_end_to_end_test.go.
pull/7160/head
chrislu 1 month ago
parent
commit
b1260d9743
  1. 12
      weed/s3api/s3_jwt_auth_test.go

12
weed/s3api/s3_jwt_auth_test.go

@ -345,6 +345,12 @@ func setupTestReadOnlyRole(ctx context.Context, manager *integration.IAMManager)
"arn:seaweed:s3:::*/*",
},
},
{
Sid: "AllowSTSSessionValidation",
Effect: "Allow",
Action: []string{"sts:ValidateSession"},
Resource: []string{"*"},
},
},
}
@ -401,6 +407,12 @@ func setupTestAdminRole(ctx context.Context, manager *integration.IAMManager) {
"arn:seaweed:s3:::*/*",
},
},
{
Sid: "AllowSTSSessionValidation",
Effect: "Allow",
Action: []string{"sts:ValidateSession"},
Resource: []string{"*"},
},
},
}

Loading…
Cancel
Save