From b14d0012743ae8d45264ec1f949c2ab46a9ce677 Mon Sep 17 00:00:00 2001
From: Nial <48334675+nmcc1212@users.noreply.github.com>
Date: Sat, 11 Oct 2025 14:39:11 +0100
Subject: [PATCH] IAM: add support for advanced IAM config file to server command
---
 weed/command/server.go | 8 ++++++++
 weed/s3api/s3api_server.go | 11 +++++++++++
 2 files changed, 19 insertions(+)
diff --git a/weed/command/server.go b/weed/command/server.go
index 0ad126dbb..68f400173 100644
--- a/weed/command/server.go
+++ b/weed/command/server.go
@@ -63,6 +63,7 @@ var (
 serverRack = cmdServer.Flag.String("rack", "", "current volume server's rack name")
 serverWhiteListOption = cmdServer.Flag.String("whiteList", "", "comma separated Ip addresses having write permission. No limit if empty.")
 serverDisableHttp = cmdServer.Flag.Bool("disableHttp", false, "disable http requests, only gRPC operations are allowed.")
+ serverIamConfig = cmdServer.Flag.String("iam.config", "", "path to the advanced IAM config file for S3")
 volumeDataFolders = cmdServer.Flag.String("dir", os.TempDir(), "directories to store data files. dir[,dir]...")
 volumeMaxDataVolumeCounts = cmdServer.Flag.String("volume.max", "8", "maximum numbers of volumes, count[,count]... If set to zero, the limit will be auto configured as free disk space divided by volume size.")
 volumeMinFreeSpacePercent = cmdServer.Flag.String("volume.minFreeSpacePercent", "1", "minimum free disk space (default to 1%). Low disk space will mark all volumes as ReadOnly (deprecated, use minFreeSpace instead).")
@@ -320,6 +321,13 @@ func runServer(cmd *Command, args []string) bool {
 }
 
 if *isStartingS3 {
+ if serverIamConfig != nil && *serverIamConfig != "" {
+ if s3Options.iamConfig == nil || *s3Options.iamConfig == "" {
+ s3Options.iamConfig = serverIamConfig
+ } else if *s3Options.iamConfig != *serverIamConfig {
+ glog.V(0).Infof("both -s3.iam.config(%s) and -iam.config(%s) provided; using -s3.iam.config", *s3Options.iamConfig, *serverIamConfig)
+ }
+ }
 go func() {
 time.Sleep(2 * time.Second)
 s3Options.localFilerSocket = filerOptions.localSocket
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 7f5b88566..c1d8c3887 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -437,6 +437,17 @@ func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() str
 return nil, fmt.Errorf("failed to parse config: %w", err)
 }
 
+ // Ensure a valid policy engine config exists
+ if configRoot.Policy == nil {
+ // Provide a secure default if not specified in the config file
+ // Default to Deny with in-memory store so that JSON-defined policies work without filer
+ glog.V(0).Infof("No policy engine config provided; using defaults (DefaultEffect=Deny, StoreType=memory)")
+ configRoot.Policy = &policy.PolicyEngineConfig{
+ DefaultEffect: "Deny",
+ StoreType: "memory",
+ }
+ }
+
 // Create IAM configuration
 iamConfig := &integration.IAMConfig{
 STS: configRoot.STS,
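Review bot: The new `else if` branch reports that `-iam.config` is being ignored only at `glog.V(0).Infof`, which is easy to lose in info-level output for an operator who set that flag expecting its IAM policy file to take effect; a silently discarded IAM config is a misconfiguration worth surfacing at warning level, e.g. `glog.Warningf("both -s3.iam.config(%s) and -iam.config(%s) provided; using -s3.iam.config", *s3Options.iamConfig, *serverIamConfig)`. The precedence is also not stated in the usage string of the flag added in the first hunk; `"path to the advanced IAM config file for S3 (overridden by -s3.iam.config when both are set)"` would make it discoverable from `-h`. The `serverIamConfig != nil` guard is redundant for a package-level pointer returned by `Flag.String`, though harmless. runServer continues outside the hunk.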
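Review bot: The Deny/memory fallback fires only when `configRoot.Policy` is nil, so a config file that carries an empty or partial `policy` section skips it and leaves `DefaultEffect` at whatever the engine does with an empty string; unless that is also Deny (not visible here, confirm in the policy package), an explicit-but-incomplete section ends up less strict than omitting it entirely. Filling the unset fields individually closes that gap, and naming `configPath` in the log makes the defaulting attributable when several config sources are in play. It is also worth checking whether the policy package exports constants for `"Deny"` and `"memory"` so the literals are not duplicated at this call site. loadIAMManagerFromConfig starts and ends outside the hunk.
```go
	// Ensure a valid policy engine config exists; fill only the fields the file
	// left unset so a partial policy section is no less strict than an absent one.
	if configRoot.Policy == nil {
		configRoot.Policy = &policy.PolicyEngineConfig{}
	}
	if configRoot.Policy.DefaultEffect == "" {
		glog.V(0).Infof("%s: no policy DefaultEffect configured; defaulting to Deny", configPath)
		configRoot.Policy.DefaultEffect = "Deny"
	}
	if configRoot.Policy.StoreType == "" {
		glog.V(0).Infof("%s: no policy StoreType configured; defaulting to memory", configPath)
		configRoot.Policy.StoreType = "memory"
	}
	// … unchanged: IAM configuration assembly …
```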