diff --git a/weed/iam/sts/sts_service.go b/weed/iam/sts/sts_service.go
index f3df00fd2..a9f019cbb 100644
--- a/weed/iam/sts/sts_service.go
+++ b/weed/iam/sts/sts_service.go
@@ -105,6 +105,10 @@ type STSConfig struct {
 // Defaults to "111122223333" if not specified
 AccountId string `json:"accountId,omitempty"`
+ // DefaultRole is the default role ARN to assume if RoleArn is missing
+ // Defaults to "root" role if not specified
+ DefaultRole string `json:"defaultRole,omitempty"`
+ // Providers configuration - enables automatic provider loading
 Providers []*ProviderConfig `json:"providers,omitempty"`
 }
diff --git a/weed/s3api/s3api_sts.go b/weed/s3api/s3api_sts.go
index c462944fb..a79b71106 100644
--- a/weed/s3api/s3api_sts.go
+++ b/weed/s3api/s3api_sts.go
@@ -498,13 +498,22 @@ func (h *STSHandlers) prepareSTSCredentials(roleArn, roleSessionName string,
 expiration := time.Now().Add(duration)
+ // Extract role name from ARN for proper response formatting
 // Extract role name from ARN for proper response formatting
 roleName := utils.ExtractRoleNameFromArn(roleArn)
 if roleName == "" {
 if roleArn != "" {
 roleName = roleArn // Fallback to full ARN if extraction fails
 } else {
- roleName = "root"
+ // Check if a default role is configured
+ if h.stsService != nil && h.stsService.Config != nil && h.stsService.Config.DefaultRole != "" {
+ roleName = utils.ExtractRoleNameFromArn(h.stsService.Config.DefaultRole)
+ if roleName == "" {
+ roleName = "root" // Fallback if configured default role ARN is invalid
+ }
+ } else {
+ roleName = "root"
+ }
 }
 }
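Review bot: The doc comment on `DefaultRole` in `STSConfig` does not say what form the value must take or what happens when it is malformed. In the s3api_sts.go hunk of this commit the value is passed through `utils.ExtractRoleNameFromArn` and an unparseable value falls back to `"root"`, so the comment should state both, e.g. `// Must be a role ARN; a value that cannot be parsed falls back to "root".` The comment also says the role is "assumed", while the only use visible in this commit is deriving the role name in `prepareSTSCredentials`. Since a default identity applied when RoleArn is omitted is a security-relevant setting, the wording should say precisely which of the two it controls.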
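Review bot: In the new `else` branch of `prepareSTSCredentials`, a configured `DefaultRole` that `utils.ExtractRoleNameFromArn` cannot parse silently becomes `"root"`, so a typo in the operator's config yields the root role name instead of the intended role, with nothing logged. If `roleName` is used for more than response formatting further down (the function body continues outside the hunk), that is a fail-open default. Consider rejecting an unparseable `DefaultRole` when the STS config is loaded, or at least emitting a warning here before the fallback. The branch also assigns `roleName = "root"` in two places; setting it once before the `if` and overriding it only on a non-empty parse result would remove the inner `else`. Separately, the first added line duplicates the existing comment `// Extract role name from ARN for proper response formatting` and should be dropped.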