diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index e3e7c0bbb..a5c52513a 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -153,10 +153,12 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil { glog.Fatalf("fail to load config file %s: %v", option.Config, err) } - // Mark as loaded since an explicit config file was provided - // This prevents fallback to environment variables even if no identities were loaded - // (e.g., config file contains only KMS settings) - configLoaded = true + // Check if any identities were actually loaded from the config file + iam.m.RLock() + if len(iam.identities) > 0 { + configLoaded = true + } + iam.m.RUnlock() } else { glog.V(3).Infof("no static config file specified... loading config from credential manager") if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil { diff --git a/weed/s3api/auth_credentials_test.go b/weed/s3api/auth_credentials_test.go index c7521ad76..dc258a5be 100644 --- a/weed/s3api/auth_credentials_test.go +++ b/weed/s3api/auth_credentials_test.go @@ -362,6 +362,70 @@ func TestNewIdentityAccessManagementWithStoreEnvVars(t *testing.T) { } } +// TestConfigFileWithNoIdentitiesAllowsEnvVars tests that when a config file exists +// but contains no identities (e.g., only KMS settings), environment variables should still work. +// This test validates the fix for issue #7311. +func TestConfigFileWithNoIdentitiesAllowsEnvVars(t *testing.T) { + // Save original environment + originalAccessKeyId := os.Getenv("AWS_ACCESS_KEY_ID") + originalSecretAccessKey := os.Getenv("AWS_SECRET_ACCESS_KEY") + + // Clean up after test + defer func() { + if originalAccessKeyId != "" { + os.Setenv("AWS_ACCESS_KEY_ID", originalAccessKeyId) + } else { + os.Unsetenv("AWS_ACCESS_KEY_ID") + } + if originalSecretAccessKey != "" { + os.Setenv("AWS_SECRET_ACCESS_KEY", originalSecretAccessKey) + } else { + os.Unsetenv("AWS_SECRET_ACCESS_KEY") + } + }() + + // Set environment variables + testAccessKey := "AKIATEST1234567890AB" + testSecretKey := "testSecret1234567890123456789012345678901234" + os.Setenv("AWS_ACCESS_KEY_ID", testAccessKey) + os.Setenv("AWS_SECRET_ACCESS_KEY", testSecretKey) + + // Create a temporary config file with only KMS settings (no identities) + configContent := `{ + "kms": { + "default": { + "provider": "local", + "config": { + "keyPath": "/tmp/test-key" + } + } + } +}` + tmpFile, err := os.CreateTemp("", "s3-config-*.json") + assert.NoError(t, err, "Should create temp config file") + defer os.Remove(tmpFile.Name()) + + _, err = tmpFile.Write([]byte(configContent)) + assert.NoError(t, err, "Should write config content") + tmpFile.Close() + + // Create IAM instance with config file that has no identities + option := &S3ApiServerOption{ + Config: tmpFile.Name(), + } + iam := NewIdentityAccessManagementWithStore(option, string(credential.StoreTypeMemory)) + + // Should have exactly one identity from environment variables + assert.Len(t, iam.identities, 1, "Should have exactly one identity from environment variables even when config file exists with no identities") + + identity := iam.identities[0] + assert.Equal(t, "admin-AKIATEST", identity.Name, "Identity name should be based on access key") + assert.Len(t, identity.Credentials, 1, "Should have one credential") + assert.Equal(t, testAccessKey, identity.Credentials[0].AccessKey, "Access key should match environment variable") + assert.Equal(t, testSecretKey, identity.Credentials[0].SecretKey, "Secret key should match environment variable") + assert.Contains(t, identity.Actions, Action(ACTION_ADMIN), "Should have admin action") +} + // TestBucketLevelListPermissions tests that bucket-level List permissions work correctly // This test validates the fix for issue #7066 func TestBucketLevelListPermissions(t *testing.T) {