diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 5e1744b6a..bae09c012 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -761,6 +761,10 @@ func (iam *IdentityAccessManagement) MergeS3ApiConfiguration(config *iam_pb.S3Ap
 for k, v := range iam.staticIdentityNames {
 staticNames[k] = v
 }
+ existingGroups := make(map[string]*iam_pb.Group)
+ for k, v := range iam.groups {
+ existingGroups[k] = v
+ }
 iam.m.RUnlock()

 // Process accounts from dynamic config (can add new accounts)
@@ -925,11 +929,17 @@ func (iam *IdentityAccessManagement) MergeS3ApiConfiguration(config *iam_pb.S3Ap
 policies[policy.Name] = policy
 }

- // Process groups from dynamic config
+ // Process groups: seed from existing (static) groups, then overlay dynamic config
 mergedGroups := make(map[string]*iam_pb.Group)
- mergedUserGroups := make(map[string][]string)
+ for k, v := range existingGroups {
+ mergedGroups[k] = v
+ }
 for _, g := range config.Groups {
 mergedGroups[g.Name] = g
+ }
+ // Build reverse index from final merged groups
+ mergedUserGroups := make(map[string][]string)
+ for _, g := range mergedGroups {
 if !g.Disabled {
 for _, member := range g.Members {
 mergedUserGroups[member] = append(mergedUserGroups[member], g.Name)
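Review bot: The snapshot loop `for k, v := range iam.groups` copies every current group, not only the statically configured ones, although the comment in the second hunk describes the seed as "existing (static) groups". If `iam.groups` is later assigned from `mergedGroups` (not visible in these hunks), a group removed from the dynamic config would be re-seeded on every later merge, so its members would keep the group's policies after the administrator deleted it. The identity path keeps `staticIdentityNames` to make this distinction; groups need an equivalent, for example a set of static group names recorded when the static config is loaded (a proposed `staticGroupNames`, not an existing field), with the copy guarded as `if staticGroupNames[k] { existingGroups[k] = v }`. The seeding loop `for k, v := range existingGroups` in the second hunk inherits the same problem, and the function body starts and ends outside both hunks.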
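Review bot: Building `mergedUserGroups` by ranging over the `mergedGroups` map makes the order of each user's group list vary from one merge to the next, where the previous loop followed the order of `config.Groups`. If any consumer of that list is order-sensitive (policy evaluation, audit output, tests comparing slices), its results become non-reproducible; whether one exists cannot be confirmed from this hunk. Sorting once the index is built keeps it stable: `for _, names := range mergedUserGroups { sort.Strings(names) }`, provided `sort` is imported in this file. The loop body continues past the end of the hunk.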