diff --git a/test/s3/iam/iam_config.json b/test/s3/iam/iam_config.json
index 1bc0066dd..5557f71e5 100644
--- a/test/s3/iam/iam_config.json
+++ b/test/s3/iam/iam_config.json
@@ -234,6 +234,17 @@
 "arn:seaweed:s3:::*/*"
 ]
 },
+ {
+ "Effect": "Deny",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket"
+ ],
+ "Resource": [
+ "arn:seaweed:s3:::*",
+ "arn:seaweed:s3:::*/*"
+ ]
+ },
 {
 "Effect": "Allow",
 "Action": ["sts:ValidateSession"],
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 2fc279229..fff989c3e 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -652,11 +652,6 @@ func (iam *IdentityAccessManagement) authorizeWithIAM(r *http.Request, identity
 Account: identity.Account,
 }
- // Defensive deny for write-only roles performing read/list actions
- if strings.Contains(principal, "WriteOnlyRole") && (action == s3_constants.ACTION_READ || action == s3_constants.ACTION_LIST) {
- return s3err.ErrAccessDenied
- }
 // Use IAM integration for authorization
 return iam.iamIntegration.AuthorizeAction(ctx, iamIdentity, action, bucket, object, r)
 }
diff --git a/weed/s3api/s3_iam_middleware.go b/weed/s3api/s3_iam_middleware.go
index cf904e003..058f5f842 100644
--- a/weed/s3api/s3_iam_middleware.go
+++ b/weed/s3api/s3_iam_middleware.go
@@ -155,12 +155,6 @@ func (s3iam *S3IAMIntegration) AuthorizeAction(ctx context.Context, identity *IA
 return s3err.ErrAccessDenied
 }
- // Special handling for write-only roles to enforce read restrictions
- // This is a workaround for IAM policy evaluation issues with explicit deny statements
- if strings.Contains(identity.Principal, "WriteOnlyRole") && (action == s3_constants.ACTION_READ || action == s3_constants.ACTION_LIST) {
- return s3err.ErrAccessDenied
- }
 // Build resource ARN for the S3 operation
 resourceArn := buildS3ResourceArn(bucket, objectKey)
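Review bot: The new Deny statement lists only `s3:GetObject` and `s3:ListBucket`, whereas the guards this commit removes in auth_credentials.go and s3_iam_middleware.go rejected every request classified as ACTION_READ or ACTION_LIST; if those constants cover more S3 actions than these two (versioned or ACL reads, list variants), such requests are no longer denied for this role unless the evaluator treats them as matched. Worth checking the action mapping and, if the evaluator supports action globbing, widening the Deny to patterns like `"s3:Get*"` and `"s3:List*"` so the fixture still expresses write-only semantics. Adding a `"Sid"` naming the statement's purpose would also help, if the policy schema accepts one, since this statement is now the sole thing enforcing the restriction.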
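Review bot: With the principal-name substring check gone, `iam.iamIntegration.AuthorizeAction` is the only thing denying read and list requests to write-only roles, yet the comment deleted in the s3_iam_middleware.go hunk described that check as a workaround for explicit-deny evaluation problems and nothing in the diff shows the evaluator was fixed; the commit should carry a regression test that authorizes an ACTION_READ and an ACTION_LIST for a WriteOnlyRole identity through the policy path and expects `s3err.ErrAccessDenied`. Dropping a name-based guard is the right direction, since a substring match on the principal is not a reliable control, but the policy must now be proven to carry the deny. The same point applies to the parallel removal in s3_iam_middleware.go. If this was the file's last use of `strings`, that import has to go too, which is not visible here. authorizeWithIAM begins outside the hunk.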