
fix: update IAM matcher to exclude STS actions from interception

Update the IAM handler matcher to check for STS actions (AssumeRole,
AssumeRoleWithWebIdentity, AssumeRoleWithLDAPIdentity) and exclude them
from IAM handler processing. This allows STS requests to be handled by
the STS fallback handler even when they include AWS SigV4 authentication.

The matcher now parses the form data to check the Action parameter and
returns false for STS actions, ensuring they are routed to the correct
handler.

Note: This is a work-in-progress fix. Tests are still showing some
routing issues that need further investigation.
pull/8003/head
Chris Lu 3 weeks ago
parent
commit
e214c055f0
  1. 19
      weed/s3api/s3api_server.go

19
weed/s3api/s3api_server.go

@ -640,10 +640,23 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
if s3a.embeddedIam != nil {
// 2. Authenticated IAM requests
// Only match if the request appears to be authenticated (AWS Signature)
// This prevents unauthenticated STS requests (like AssumeRoleWithWebIdentity in body)
// from being captured by the IAM handler which would reject them.
// AND is not an STS request (which should be handled by STS handlers)
iamMatcher := func(r *http.Request, rm *mux.RouteMatch) bool {
return getRequestAuthType(r) != authTypeAnonymous
if getRequestAuthType(r) == authTypeAnonymous {
return false
}
// Parse form to check Action parameter
// This is safe because mux will call this after the request is fully read
if err := r.ParseForm(); err == nil {
action := r.FormValue("Action")
// Exclude STS actions - let them be handled by STS handlers
if action == "AssumeRole" || action == "AssumeRoleWithWebIdentity" || action == "AssumeRoleWithLDAPIdentity" {
return false
}
}
return true
}
apiRouter.Methods(http.MethodPost).Path("/").MatcherFunc(iamMatcher).
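Review bot: The comment "This is safe because mux will call this after the request is fully read" above the `r.ParseForm()` call is not accurate: a mux MatcherFunc runs at routing time, before any handler, and for a form-encoded POST `ParseForm` reads and consumes `r.Body`, so a downstream IAM or STS handler that reads `r.Body` directly (for example to recompute the SigV4 payload hash) would see an already-drained body, while handlers that only use `r.Form`/`r.PostForm`/`r.FormValue` get the cached values. I would replace the comment with `// ParseForm consumes r.Body for form-encoded POSTs; downstream handlers must read r.Form/r.PostForm, not r.Body.`, or buffer the body and restore it with an `io.NopCloser` before the matcher returns so the handlers see the original payload, or move the STS-action exclusion into the handler itself. Note also that `ParseForm` imposes only the default 10 MiB body cap unless the body was wrapped in `http.MaxBytesReader` earlier, and that a `ParseForm` error falls through to `return true`, routing the request to the IAM handler, which looks intentional but deserves a one-line comment. The rendered diff has lost its +/- markers, so if `return getRequestAuthType(r) != authTypeAnonymous` survived on the new side rather than being the removed line, everything after it in the closure is unreachable and `go vet` will flag it. `registerRouter` continues outside the hunk.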
