From e214c055f08deb62b05e2e56035d9c8c8ae15669 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 11 Jan 2026 14:20:04 -0800
Subject: [PATCH] fix: update IAM matcher to exclude STS actions from interception

Update the IAM handler matcher to check for STS actions (AssumeRole, AssumeRoleWithWebIdentity, AssumeRoleWithLDAPIdentity) and exclude them from IAM handler processing. This allows STS requests to be handled by the STS fallback handler even when they include AWS SigV4 authentication. The matcher now parses the form data to check the Action parameter and returns false for STS actions, ensuring they are routed to the correct handler. Note: This is a work-in-progress fix. Tests are still showing some routing issues that need further investigation.
---
 weed/s3api/s3api_server.go | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index f5a753028..b4cda9326 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -640,10 +640,23 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
 	if s3a.embeddedIam != nil {
 		// 2. Authenticated IAM requests
 		// Only match if the request appears to be authenticated (AWS Signature)
-		// This prevents unauthenticated STS requests (like AssumeRoleWithWebIdentity in body)
-		// from being captured by the IAM handler which would reject them.
+		// AND is not an STS request (which should be handled by STS handlers)
 		iamMatcher := func(r *http.Request, rm *mux.RouteMatch) bool {
-			return getRequestAuthType(r) != authTypeAnonymous
+			if getRequestAuthType(r) == authTypeAnonymous {
+				return false
+			}
+
+			// Parse form to check Action parameter
+			// This is safe because mux will call this after the request is fully read
+			if err := r.ParseForm(); err == nil {
+				action := r.FormValue("Action")
+				// Exclude STS actions - let them be handled by STS handlers
+				if action == "AssumeRole" || action == "AssumeRoleWithWebIdentity" || action == "AssumeRoleWithLDAPIdentity" {
+					return false
+				}
+			}
+
+			return true
 		}
 		apiRouter.Methods(http.MethodPost).Path("/").MatcherFunc(iamMatcher).