diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 0cbed72a2..83dc6e91c 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -955,27 +955,44 @@ func (iam *IdentityAccessManagement) authenticateJWTWithIAM(r *http.Request) (*I
 func (iam *IdentityAccessManagement) authorizeWithIAM(r *http.Request, identity *Identity, action Action, bucket string, object string) s3err.ErrorCode {
 ctx := r.Context()
- // Get session info from request headers (for JWT-based authentication)
+ // Get session info from request headers
+ // First check for JWT-based authentication headers (X-SeaweedFS-Session-Token)
 sessionToken := r.Header.Get("X-SeaweedFS-Session-Token")
 principal := r.Header.Get("X-SeaweedFS-Principal")
+ // Fallback to AWS Signature V4 STS token if JWT token not present
+ // This handles the case where STS AssumeRoleWithWebIdentity generates temporary credentials
+ // that include an X-Amz-Security-Token header (in addition to the access key and secret)
+ if sessionToken == "" {
+ sessionToken = r.Header.Get("X-Amz-Security-Token")
+ if sessionToken == "" {
+ // Also check query parameters for presigned URLs with STS tokens
+ sessionToken = r.URL.Query().Get("X-Amz-Security-Token")
+ }
+ }
+
 // Create IAMIdentity for authorization
 iamIdentity := &IAMIdentity{
 Name: identity.Name,
 Account: identity.Account,
 }
- // Handle both session-based (JWT) and static-key-based (V4 signature) principals
+ // Handle both session-based (JWT and STS) and static-key-based (V4 signature) principals
 if sessionToken != "" && principal != "" {
 // JWT-based authentication - use session token and principal from headers
 iamIdentity.Principal = principal
 iamIdentity.SessionToken = sessionToken
 glog.V(3).Infof("Using JWT-based IAM authorization for principal: %s", principal)
+ } else if sessionToken != "" && identity.PrincipalArn != "" {
+ // STS V4 signature authentication - use session token (from X-Amz-Security-Token) with principal ARN
+ iamIdentity.Principal = identity.PrincipalArn
+ iamIdentity.SessionToken = sessionToken
+ glog.V(3).Infof("Using STS V4 signature IAM authorization for principal: %s with session token", identity.PrincipalArn)
 } else if identity.PrincipalArn != "" {
- // V4 signature authentication - use principal ARN from identity
+ // Static V4 signature authentication - use principal ARN without session token
 iamIdentity.Principal = identity.PrincipalArn
- iamIdentity.SessionToken = "" // No session token for static credentials
- glog.V(3).Infof("Using V4 signature IAM authorization for principal: %s", identity.PrincipalArn)
+ iamIdentity.SessionToken = ""
+ glog.V(3).Infof("Using static V4 signature IAM authorization for principal: %s", identity.PrincipalArn)
 } else {
 glog.V(3).Info("No valid principal information for IAM authorization")
 return s3err.ErrAccessDenied
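Review bot: Once the fallback has filled `sessionToken` from `X-Amz-Security-Token`, the unchanged first branch `if sessionToken != "" && principal != ""` still pairs that token with `principal` read straight from the `X-SeaweedFS-Principal` request header, so a SigV4-authenticated caller that sends an STS token plus that header is authorized as whatever principal the header names instead of `identity.PrincipalArn` — unless `X-SeaweedFS-Principal` is validated somewhere outside this hunk, which I cannot see. Keeping the STS token in its own variable so that only the real JWT-header path ever consults `principal` closes that gap; the STS branch should then also have the IAM layer confirm the token belongs to the access key that signed the request, since this hunk only checks that it is non-empty. Note too that the header value is trusted regardless of whether the V4 verifier required `x-amz-security-token` among the SignedHeaders; if it does not, any value can be attached to an otherwise valid signature. The function continues past the end of the hunk.
```go
	sessionToken := r.Header.Get("X-SeaweedFS-Session-Token")
	principal := r.Header.Get("X-SeaweedFS-Principal")

	// STS token from SigV4 credentials; kept separate so it is never
	// combined with the caller-supplied X-SeaweedFS-Principal header.
	stsToken := ""
	if sessionToken == "" {
		stsToken = r.Header.Get("X-Amz-Security-Token")
		if stsToken == "" {
			stsToken = r.URL.Query().Get("X-Amz-Security-Token")
		}
	}

	// … unchanged: iamIdentity construction …

	if sessionToken != "" && principal != "" {
		// … unchanged: JWT branch …
	} else if stsToken != "" && identity.PrincipalArn != "" {
		iamIdentity.Principal = identity.PrincipalArn
		iamIdentity.SessionToken = stsToken
		glog.V(3).Infof("Using STS V4 signature IAM authorization for principal: %s with session token", identity.PrincipalArn)
	} else if identity.PrincipalArn != "" {
		// … unchanged: static V4 branch …
```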