diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 8d05f2a03..9e1cd7f86 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -24,7 +24,7 @@ type Iam interface {
 }
 
 type IdentityAccessManagement struct {
-	m sync.Mutex
+	m sync.RWMutex
 
 	identities []*Identity
 	domain     string
@@ -135,21 +135,22 @@ func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3Api
 		identities = append(identities, t)
 	}
 	iam.m.Lock()
-	
 	// atomically switch
 	iam.identities = identities
-
 	iam.m.Unlock()
 	return nil
 }
 
 func (iam *IdentityAccessManagement) isEnabled() bool {
-
+	iam.m.RLock()
+	defer iam.m.RUnlock()
 	return len(iam.identities) > 0
 }
 
 func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
 
+	iam.m.RLock()
+	defer iam.m.RUnlock()
 	for _, ident := range iam.identities {
 		for _, cred := range ident.Credentials {
 			// println("checking", ident.Name, cred.AccessKey)
@@ -163,7 +164,8 @@ func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identi
 }
 
 func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
-
+	iam.m.RLock()
+	defer iam.m.RUnlock()
 	for _, ident := range iam.identities {
 		if ident.Name == "anonymous" {
 			return ident, true