feat: Add IAM config flag to S3 command

- Add -iam.config flag to support advanced IAM configuration
- Enable S3 server to start with IAM integration when config is provided
- Allows JWT Bearer token authentication for S3 operations

weed/command/s3.go

@@ -40,6 +40,7 @@ type S3Options struct {
 	portHttps                 *int
 	portGrpc                  *int
 	config                    *string
+	iamConfig                 *string
 	domainName                *string
 	allowedOrigins            *string
 	tlsPrivateKey             *string
@@ -69,6 +70,7 @@ func init() {
 	s3StandaloneOptions.allowedOrigins = cmdS3.Flag.String("allowedOrigins", "*", "comma separated list of allowed origins")
 	s3StandaloneOptions.dataCenter = cmdS3.Flag.String("dataCenter", "", "prefer to read and write to volumes in this data center")
 	s3StandaloneOptions.config = cmdS3.Flag.String("config", "", "path to the config file")
+	s3StandaloneOptions.iamConfig = cmdS3.Flag.String("iam.config", "", "path to the advanced IAM config file")
 	s3StandaloneOptions.auditLogConfig = cmdS3.Flag.String("auditLogConfig", "", "path to the audit log config file")
 	s3StandaloneOptions.tlsPrivateKey = cmdS3.Flag.String("key.file", "", "path to the TLS private key file")
 	s3StandaloneOptions.tlsCertificate = cmdS3.Flag.String("cert.file", "", "path to the TLS certificate file")
@@ -237,20 +239,43 @@ func (s3opt *S3Options) startS3Server() bool {
 	if s3opt.localFilerSocket != nil {
 		localFilerSocket = *s3opt.localFilerSocket
 	}
-	s3ApiServer, s3ApiServer_err := s3api.NewS3ApiServer(router, &s3api.S3ApiServerOption{
-		Filer:                     filerAddress,
-		Port:                      *s3opt.port,
-		Config:                    *s3opt.config,
-		DomainName:                *s3opt.domainName,
-		AllowedOrigins:            strings.Split(*s3opt.allowedOrigins, ","),
-		BucketsPath:               filerBucketsPath,
-		GrpcDialOption:            grpcDialOption,
-		AllowEmptyFolder:          *s3opt.allowEmptyFolder,
-		AllowDeleteBucketNotEmpty: *s3opt.allowDeleteBucketNotEmpty,
-		LocalFilerSocket:          localFilerSocket,
-		DataCenter:                *s3opt.dataCenter,
-		FilerGroup:                filerGroup,
-	})
+	var s3ApiServer *s3api.S3ApiServer
+	var s3ApiServer_err error
+
+	// Use enhanced S3 server with IAM if config is provided
+	if *s3opt.iamConfig != "" {
+		glog.V(0).Infof("Starting S3 API Server with advanced IAM integration")
+		s3ApiServer, s3ApiServer_err = s3api.NewS3ApiServerWithIAM(router, &s3api.S3ApiServerOption{
+			Filer:                     filerAddress,
+			Port:                      *s3opt.port,
+			Config:                    *s3opt.config,
+			DomainName:                *s3opt.domainName,
+			AllowedOrigins:            strings.Split(*s3opt.allowedOrigins, ","),
+			BucketsPath:               filerBucketsPath,
+			GrpcDialOption:            grpcDialOption,
+			AllowEmptyFolder:          *s3opt.allowEmptyFolder,
+			AllowDeleteBucketNotEmpty: *s3opt.allowDeleteBucketNotEmpty,
+			LocalFilerSocket:          localFilerSocket,
+			DataCenter:                *s3opt.dataCenter,
+			FilerGroup:                filerGroup,
+		}, *s3opt.iamConfig)
+	} else {
+		// Use standard S3 server
+		s3ApiServer, s3ApiServer_err = s3api.NewS3ApiServer(router, &s3api.S3ApiServerOption{
+			Filer:                     filerAddress,
+			Port:                      *s3opt.port,
+			Config:                    *s3opt.config,
+			DomainName:                *s3opt.domainName,
+			AllowedOrigins:            strings.Split(*s3opt.allowedOrigins, ","),
+			BucketsPath:               filerBucketsPath,
+			GrpcDialOption:            grpcDialOption,
+			AllowEmptyFolder:          *s3opt.allowEmptyFolder,
+			AllowDeleteBucketNotEmpty: *s3opt.allowDeleteBucketNotEmpty,
+			LocalFilerSocket:          localFilerSocket,
+			DataCenter:                *s3opt.dataCenter,
+			FilerGroup:                filerGroup,
+		})
+	}
 	if s3ApiServer_err != nil {
 		glog.Fatalf("S3 API Server startup error: %v", s3ApiServer_err)
 	}