From b1260d974311a75b0fb34d24862d471865cb2c89 Mon Sep 17 00:00:00 2001
From: chrislu
Date: Sun, 24 Aug 2025 20:57:59 -0700
Subject: [PATCH] fix: add sts:ValidateSession to JWT authentication test policies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The TestJWTAuthenticationFlow was failing because the IAM policies for S3ReadOnlyRole and S3AdminRole were missing the 'sts:ValidateSession' action.

### Problem:
- JWT authentication was working correctly (tokens parsed successfully)
- But IsActionAllowed returned false for sts:ValidateSession action
- This caused all JWT auth tests to fail with errCode=1

### Solution:
- Added sts:ValidateSession action to S3ReadOnlyPolicy
- Added sts:ValidateSession action to S3AdminPolicy
- Both policies now include the required STS session validation permission

### Test Results:
✅ TestJWTAuthenticationFlow now passes 100% (6/6 test cases)
✅ Read-Only JWT Authentication: All operations work correctly
✅ Admin JWT Authentication: All operations work correctly
✅ JWT token parsing and validation: Fully functional

This ensures consistent policy definitions across all S3 API JWT tests, matching the policies used in s3_end_to_end_test.go.
---
 weed/s3api/s3_jwt_auth_test.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/weed/s3api/s3_jwt_auth_test.go b/weed/s3api/s3_jwt_auth_test.go
index 47a7a2a8e..0e9606241 100644
--- a/weed/s3api/s3_jwt_auth_test.go
+++ b/weed/s3api/s3_jwt_auth_test.go
@@ -345,6 +345,12 @@ func setupTestReadOnlyRole(ctx context.Context, manager *integration.IAMManager)
 "arn:seaweed:s3:::*/*",
 },
 },
+ {
+ Sid: "AllowSTSSessionValidation",
+ Effect: "Allow",
+ Action: []string{"sts:ValidateSession"},
+ Resource: []string{"*"},
+ },
 },
 }
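Review bot: The statement added here is byte-for-byte the one added to setupTestAdminRole in the next hunk, and the commit message says the same block already lives in s3_end_to_end_test.go, so the fixtures that just drifted apart now exist as three hand-maintained copies; a small package-level helper in the test file that returns this statement, called from both setup functions, would keep them aligned. The added block also carries no comment saying why a read-only role needs an STS grant at all; a line such as `// sts:ValidateSession must be allowed or IsActionAllowed rejects the JWT session before any S3 action is evaluated` above the added `{` would stop the next author from copying the pattern blindly (that behaviour is described in the message, not visible in the hunk). Since the failure being fixed was caused by this grant being absent, a negative test case asserting that a role without `sts:ValidateSession` is denied would keep the requirement exercised rather than merely satisfied. Both setupTestReadOnlyRole and setupTestAdminRole begin outside their hunks.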
@@ -401,6 +407,12 @@ func setupTestAdminRole(ctx context.Context, manager *integration.IAMManager) {
 "arn:seaweed:s3:::*/*",
 },
 },
+ {
+ Sid: "AllowSTSSessionValidation",
+ Effect: "Allow",
+ Action: []string{"sts:ValidateSession"},
+ Resource: []string{"*"},
+ },
 },
 }