avoid hack

1 month ago · b8d3d8d9fc
3 changed files with 11 additions and 11 deletions
--- a/test/s3/iam/iam_config.json
+++ b/test/s3/iam/iam_config.json
@ -234,6 +234,17 @@
              "arn:seaweed:s3:::*/*"
            ]
          },
+          {
+            "Effect": "Deny",
+            "Action": [
+              "s3:GetObject",
+              "s3:ListBucket"
+            ],
+            "Resource": [
+              "arn:seaweed:s3:::*",
+              "arn:seaweed:s3:::*/*"
+            ]
+          },
          {
            "Effect": "Allow",
            "Action": ["sts:ValidateSession"],
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@ -652,11 +652,6 @@ func (iam *IdentityAccessManagement) authorizeWithIAM(r *http.Request, identity
 		Account:      identity.Account,
 	}

-	// Defensive deny for write-only roles performing read/list actions
-	if strings.Contains(principal, "WriteOnlyRole") && (action == s3_constants.ACTION_READ || action == s3_constants.ACTION_LIST) {
-		return s3err.ErrAccessDenied
-	}
-
 	// Use IAM integration for authorization
 	return iam.iamIntegration.AuthorizeAction(ctx, iamIdentity, action, bucket, object, r)
 }
--- a/weed/s3api/s3_iam_middleware.go
+++ b/weed/s3api/s3_iam_middleware.go
@ -155,12 +155,6 @@ func (s3iam *S3IAMIntegration) AuthorizeAction(ctx context.Context, identity *IA
 		return s3err.ErrAccessDenied
 	}

-	// Special handling for write-only roles to enforce read restrictions
-	// This is a workaround for IAM policy evaluation issues with explicit deny statements
-	if strings.Contains(identity.Principal, "WriteOnlyRole") && (action == s3_constants.ACTION_READ || action == s3_constants.ACTION_LIST) {
-		return s3err.ErrAccessDenied
-	}
-
 	// Build resource ARN for the S3 operation
 	resourceArn := buildS3ResourceArn(bucket, objectKey)