iam: add configurable default role for AssumeRole

4 weeks ago · b7fe5f132d
2 changed files with 14 additions and 1 deletions
--- a/weed/iam/sts/sts_service.go
+++ b/weed/iam/sts/sts_service.go
@ -105,6 +105,10 @@ type STSConfig struct {
 	// Defaults to "111122223333" if not specified
 	AccountId string `json:"accountId,omitempty"`

+	// DefaultRole is the default role ARN to assume if RoleArn is missing
+	// Defaults to "root" role if not specified
+	DefaultRole string `json:"defaultRole,omitempty"`
+
 	// Providers configuration - enables automatic provider loading
 	Providers []*ProviderConfig `json:"providers,omitempty"`
 }
--- a/weed/s3api/s3api_sts.go
+++ b/weed/s3api/s3api_sts.go
@ -498,13 +498,22 @@ func (h *STSHandlers) prepareSTSCredentials(roleArn, roleSessionName string,

 	expiration := time.Now().Add(duration)

+	// Extract role name from ARN for proper response formatting
 	// Extract role name from ARN for proper response formatting
 	roleName := utils.ExtractRoleNameFromArn(roleArn)
 	if roleName == "" {
 		if roleArn != "" {
 			roleName = roleArn // Fallback to full ARN if extraction fails
 		} else {
-			roleName = "root"
+			// Check if a default role is configured
+			if h.stsService != nil && h.stsService.Config != nil && h.stsService.Config.DefaultRole != "" {
+				roleName = utils.ExtractRoleNameFromArn(h.stsService.Config.DefaultRole)
+				if roleName == "" {
+					roleName = "root" // Fallback if configured default role ARN is invalid
+				}
+			} else {
+				roleName = "root"
+			}
 		}
 	}