S3: Implement IAM defaults and STS signing key fallback (#8348)

* S3: Implement IAM defaults and STS signing key fallback logic * S3: Refactor startup order to init SSE-S3 key manager before IAM * S3: Derive STS signing key from KEK using HKDF for security isolation * S3: Document STS signing key fallback in security.toml * fix(s3api): refine anonymous access logic and secure-by-default behavior - Initialize anonymous identity by default in `NewIdentityAccessManagement` to prevent nil pointer exceptions. - Ensure `ReplaceS3ApiConfiguration` preserves the anonymous identity if not present in the new configuration. - Update `NewIdentityAccessManagement` signature to accept `filerClient`. - In legacy mode (no policy engine), anonymous defaults to Deny (no actions), preserving secure-by-default behavior. - Use specific `LookupAnonymous` method instead of generic map lookup. - Update tests to accommodate signature changes and verify improved anonymous handling. * feat(s3api): make IAM configuration optional - Start S3 API server without a configuration file if `EnableIam` option is set. - Default to `Allow` effect for policy engine when no configuration is provided (Zero-Config mode). - Handle empty configuration path gracefully in `loadIAMManagerFromConfig`. - Add integration test `iam_optional_test.go` to verify empty config behavior. * fix(iamapi): fix signature mismatch in NewIdentityAccessManagementWithStore * fix(iamapi): properly initialize FilerClient instead of passing nil * fix(iamapi): properly initialize filer client for IAM management - Instead of passing `nil`, construct a `wdclient.FilerClient` using the provided `Filers` addresses. - Ensure `NewIdentityAccessManagementWithStore` receives a valid `filerClient` to avoid potential nil pointer dereferences or limited functionality. * clean: remove dead code in s3api_server.go * refactor(s3api): improve IAM initialization, safety and anonymous access security * fix(s3api): ensure IAM config loads from filer after client init * fix(s3): resolve test failures in integration, CORS, and tagging tests - Fix CORS tests by providing explicit anonymous permissions config - Fix S3 integration tests by setting admin credentials in init - Align tagging test credentials in CI with IAM defaults - Added goroutine to retry IAM config load in iamapi server * fix(s3): allow anonymous access to health targets and S3 Tables when identities are present * fix(ci): use /healthz for Caddy health check in awscli tests * iam, s3api: expose DefaultAllow from IAM and Policy Engine This allows checking the global "Open by Default" configuration from other components like S3 Tables. * s3api/s3tables: support DefaultAllow in permission logic and handler Updated CheckPermissionWithContext to respect the DefaultAllow flag in PolicyContext. This enables "Open by Default" behavior for unauthenticated access in zero-config environments. Added a targeted unit test to verify the logic. * s3api/s3tables: propagate DefaultAllow through handlers Propagated the DefaultAllow flag to individual handlers for namespaces, buckets, tables, policies, and tagging. This ensures consistent "Open by Default" behavior across all S3 Tables API endpoints. * s3api: wire up DefaultAllow for S3 Tables API initialization Updated registerS3TablesRoutes to query the global IAM configuration and set the DefaultAllow flag on the S3 Tables API server. This completes the end-to-end propagation required for anonymous access in zero-config environments. Added a SetDefaultAllow method to S3TablesApiServer to facilitate this. * s3api: fix tests by adding DefaultAllow to mock IAM integrations The IAMIntegration interface was updated to include DefaultAllow(), breaking several mock implementations in tests. This commit fixes the build errors by adding the missing method to the mocks. * env * ensure ports * env * env * fix default allow * add one more test using non-anonymous user * debug * add more debug * less logs
2026-02-16 13:59:13 -08:00
parent cc58272219
commit 0d8588e3ae
46 changed files with 1084 additions and 109 deletions
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -22,6 +22,7 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
+	"github.com/seaweedfs/seaweedfs/weed/wdclient"

 	// Import KMS providers to register them
 	_ "github.com/seaweedfs/seaweedfs/weed/kms/aws"
@@ -54,7 +55,7 @@ type IdentityAccessManagement struct {
 	domain            string
 	isAuthEnabled     bool
 	credentialManager *credential.CredentialManager
-	filerClient       filer_pb.SeaweedFilerClient
+	filerClient       *wdclient.FilerClient
 	grpcDialOption    grpc.DialOption

 	// IAM Integration for advanced features
@@ -132,15 +133,37 @@ func (c *Credential) isCredentialExpired() bool {
 	return c.Expiration > 0 && c.Expiration < time.Now().Unix()
 }

-func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
-	return NewIdentityAccessManagementWithStore(option, "")
+// NewIdentityAccessManagement creates a new IAM manager
+// SetFilerClient updates the filer client and its associated credential store
+func (iam *IdentityAccessManagement) SetFilerClient(filerClient *wdclient.FilerClient) {
+	iam.m.Lock()
+	iam.filerClient = filerClient
+	iam.m.Unlock()
+
+	if iam.credentialManager == nil || filerClient == nil {
+		return
+	}
+
+	// Update credential store to use FilerClient's current filer for HA
+	if store := iam.credentialManager.GetStore(); store != nil {
+		if filerFuncSetter, ok := store.(interface {
+			SetFilerAddressFunc(func() pb.ServerAddress, grpc.DialOption)
+		}); ok {
+			filerFuncSetter.SetFilerAddressFunc(filerClient.GetCurrentFiler, iam.grpcDialOption)
+		}
+	}
 }

-func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitStore string) *IdentityAccessManagement {
+func NewIdentityAccessManagement(option *S3ApiServerOption, filerClient *wdclient.FilerClient) *IdentityAccessManagement {
+	return NewIdentityAccessManagementWithStore(option, filerClient, "")
+}
+
+func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, filerClient *wdclient.FilerClient, explicitStore string) *IdentityAccessManagement {
 	iam := &IdentityAccessManagement{
 		domain:       option.DomainName,
 		hashes:       make(map[string]*sync.Pool),
 		hashCounters: make(map[string]*int32),
+		filerClient:  filerClient,
 	}

 	// Always initialize credential manager with fallback to defaults
@@ -172,6 +195,25 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto

 	iam.credentialManager = credentialManager
 	iam.stopChan = make(chan struct{})
+	iam.grpcDialOption = option.GrpcDialOption
+
+	// Initialize default anonymous identity
+	// This ensures consistent behavior for anonymous access:
+	// 1. In simple auth mode (no IAM integration):
+	//    - lookupAnonymous returns this identity
+	//    - VerifyActionPermission checks actions (which are empty) -> Denies access
+	//    - This preserves the secure-by-default behavior for simple auth
+	// 2. In advanced IAM mode (with Policy Engine):
+	//    - lookupAnonymous returns this identity
+	//    - VerifyActionPermission proceeds to Policy Engine
+	//    - Policy Engine evaluates against policies (DefaultEffect=Allow if no config)
+	//    - This enables the flexible "Open by Default" for zero-config startup
+	iam.identityAnonymous = &Identity{
+		Name:     "anonymous",
+		Account:  &AccountAnonymous,
+		Actions:  []Action{},
+		IsStatic: true,
+	}

 	// First, try to load configurations from file or filer
 	startConfigFile := option.Config
@@ -552,6 +594,16 @@ func (iam *IdentityAccessManagement) ReplaceS3ApiConfiguration(config *iam_pb.S3
 		}
 	}

+	// Ensure anonymous identity exists
+	if identityAnonymous == nil {
+		identityAnonymous = &Identity{
+			Name:     "anonymous",
+			Account:  accounts[AccountAnonymous.Id],
+			Actions:  []Action{},
+			IsStatic: true,
+		}
+	}
+
 	// atomically switch
 	iam.identities = identities
 	iam.identityAnonymous = identityAnonymous
@@ -572,6 +624,9 @@ func (iam *IdentityAccessManagement) ReplaceS3ApiConfiguration(config *iam_pb.S3
 			}
 		}
 		if !exists {
+			if len(envIdent.Credentials) == 0 {
+				continue
+			}
 			iam.identities = append(iam.identities, envIdent)
 			iam.accessKeyIdent[envIdent.Credentials[0].AccessKey] = envIdent
 			iam.nameToIdentity[envIdent.Name] = envIdent
@@ -992,7 +1047,8 @@ func (iam *IdentityAccessManagement) LookupByAccessKey(accessKey string) (identi
 	return iam.lookupByAccessKey(accessKey)
 }

-func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
+// LookupAnonymous returns the anonymous identity if it exists
+func (iam *IdentityAccessManagement) LookupAnonymous() (identity *Identity, found bool) {
 	iam.m.RLock()
 	defer iam.m.RUnlock()
 	if iam.identityAnonymous != nil {
@@ -1112,6 +1168,9 @@ func (iam *IdentityAccessManagement) handleAuthResult(w http.ResponseWriter, r *
 // Wrapper to maintain backward compatibility
 func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
 	identity, err, _ := iam.authRequestWithAuthType(r, action)
+	if err != s3err.ErrNone {
+		return nil, err
+	}
 	return identity, err
 }

@@ -1173,7 +1232,7 @@ func (iam *IdentityAccessManagement) authenticateRequestInternal(r *http.Request
 		}
 	case authTypeAnonymous:
 		amzAuthType = "Anonymous"
-		if identity, found = iam.lookupAnonymous(); !found {
+		if identity, found = iam.LookupAnonymous(); !found {
 			r.Header.Set(s3_constants.AmzAuthType, amzAuthType)
 			return identity, s3err.ErrAccessDenied, reqAuthType
 		}
@@ -1212,8 +1271,8 @@ func (iam *IdentityAccessManagement) authRequestWithAuthType(r *http.Request, ac
 	// through buckets and checking permissions for each. Skip the global check here.
 	policyAllows := false

-	if action == s3_constants.ACTION_LIST && bucket == "" {
-		// ListBuckets operation - authorization handled per-bucket in the handler
+	if action == s3_constants.ACTION_LIST && bucket == "" && identity.Name != s3_constants.AccountAnonymousId {
+		// ListBuckets operation for authenticated users - authorization handled per-bucket in the handler
 	} else {
 		// First check bucket policy if one exists
 		// Bucket policies can grant or deny access to specific users/principals
@@ -1307,8 +1366,8 @@ func (iam *IdentityAccessManagement) AuthSignatureOnly(r *http.Request) (*Identi
 			return identity, s3err.ErrNotImplemented
 		}
 	case authTypeAnonymous:
-		// Anonymous users cannot use IAM API
-		return identity, s3err.ErrAccessDenied
+		// Anonymous users can be authenticated, but authorization is handled separately
+		return iam.identityAnonymous, s3err.ErrNone
 	default:
 		return identity, s3err.ErrNotImplemented
 	}
--- a/weed/s3api/auth_credentials_test.go
+++ b/weed/s3api/auth_credentials_test.go
@@ -450,7 +450,7 @@ func TestNewIdentityAccessManagementWithStoreEnvVars(t *testing.T) {
 			option := &S3ApiServerOption{
 				Config: "", // No config file - this should trigger environment variable fallback
 			}
-			iam := NewIdentityAccessManagementWithStore(option, string(credential.StoreTypeMemory))
+			iam := NewIdentityAccessManagementWithStore(option, nil, string(credential.StoreTypeMemory))

 			if tt.expectEnvIdentity {
 				// Should have exactly one identity from environment variables
@@ -510,7 +510,7 @@ func TestConfigFileWithNoIdentitiesAllowsEnvVars(t *testing.T) {
 	option := &S3ApiServerOption{
 		Config: tmpFile.Name(),
 	}
-	iam := NewIdentityAccessManagementWithStore(option, string(credential.StoreTypeMemory))
+	iam := NewIdentityAccessManagementWithStore(option, nil, string(credential.StoreTypeMemory))

 	// Should have exactly one identity from environment variables
 	assert.Len(t, iam.identities, 1, "Should have exactly one identity from environment variables even when config file exists with no identities")
@@ -762,7 +762,7 @@ func TestSignatureVerificationDoesNotCheckPermissions(t *testing.T) {
 }

 func TestStaticIdentityProtection(t *testing.T) {
-	iam := NewIdentityAccessManagement(&S3ApiServerOption{})
+	iam := NewIdentityAccessManagement(&S3ApiServerOption{}, nil)

 	// Add a static identity
 	staticIdent := &Identity{
--- a/weed/s3api/auth_security_test.go
+++ b/weed/s3api/auth_security_test.go
@@ -66,7 +66,7 @@ func TestReproIssue7912(t *testing.T) {
 	option := &S3ApiServerOption{
 		Config: tmpFile.Name(),
 	}
-	iam := NewIdentityAccessManagementWithStore(option, "memory")
+	iam := NewIdentityAccessManagementWithStore(option, nil, "memory")

 	assert.True(t, iam.isEnabled(), "Auth should be enabled")

--- a/weed/s3api/auth_signature_v4_sts_test.go
+++ b/weed/s3api/auth_signature_v4_sts_test.go
@@ -44,6 +44,10 @@ func (m *MockIAMIntegration) ValidateTrustPolicyForPrincipal(ctx context.Context
 	return nil
 }

+func (m *MockIAMIntegration) DefaultAllow() bool {
+	return true
+}
+
 // TestVerifyV4SignatureWithSTSIdentity tests that verifyV4Signature properly handles STS identities
 // by falling back to IAM authorization when shouldCheckPermissions is true
 func TestVerifyV4SignatureWithSTSIdentity(t *testing.T) {
--- a/weed/s3api/auth_sts_identity_test.go
+++ b/weed/s3api/auth_sts_identity_test.go
@@ -22,7 +22,7 @@ func TestSTSIdentityPolicyNamesPopulation(t *testing.T) {
 	stsService, config := setupTestSTSService(t)

 	// Create IAM with STS integration
-	iam := NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, "memory")
+	iam := NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, nil, "memory")
 	s3iam := &S3IAMIntegration{
 		stsService: stsService,
 	}
@@ -264,7 +264,7 @@ func TestValidateSTSSessionTokenIntegration(t *testing.T) {
 	stsService, config := setupTestSTSService(t)

 	// Create IAM with STS integration
-	iam := NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, "memory")
+	iam := NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, nil, "memory")
 	s3iam := &S3IAMIntegration{
 		stsService: stsService,
 	}
@@ -311,7 +311,7 @@ func TestSTSIdentityClaimsPopulation(t *testing.T) {
 	stsService, config := setupTestSTSService(t)

 	// Create IAM with STS integration
-	iam := NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, "memory")
+	iam := NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, nil, "memory")
 	s3iam := &S3IAMIntegration{
 		stsService: stsService,
 	}
--- a/weed/s3api/iam_defaults_test.go
+++ b/weed/s3api/iam_defaults_test.go
@@ -0,0 +1,156 @@
+package s3api
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLoadIAMManagerFromConfig_Defaults(t *testing.T) {
+	// Create a temporary config file with minimal content (just policy)
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "iam_config.json")
+
+	configContent := `{
+		"sts": {
+			"providers": []
+		},
+		"policy": {
+			"storeType": "memory",
+			"defaultEffect": "Allow"
+		}
+	}`
+
+	err := os.WriteFile(configPath, []byte(configContent), 0644)
+	assert.NoError(t, err)
+
+	// dummy filer address provider
+	filerProvider := func() string { return "localhost:8888" }
+	defaultSigningKeyProvider := func() string { return "default-secure-signing-key" }
+
+	// Load the manager
+	manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
+	assert.NoError(t, err)
+	assert.NotNil(t, manager)
+}
+
+func TestLoadIAMManagerFromConfig_Overrides(t *testing.T) {
+	// Create a temporary config file with EXPLICIT values
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "iam_config_explicit.json")
+
+	configContent := `{
+		"sts": {
+			"tokenDuration": "2h",
+			"maxSessionLength": "24h",
+			"issuer": "custom-issuer",
+			"signingKey": "ZXhwbGljaXQtc2lnbmluZy1rZXktMTIzNDU=" 
+		},
+		"policy": {
+			"storeType": "memory",
+			"defaultEffect": "Allow"
+		}
+	}`
+	// Base64 encoded "explicit-signing-key-12345" is "ZXhwbGljaXQtc2lnbmluZy1rZXktMTIzNDU="
+
+	err := os.WriteFile(configPath, []byte(configContent), 0644)
+	assert.NoError(t, err)
+
+	filerProvider := func() string { return "localhost:8888" }
+	defaultSigningKeyProvider := func() string { return "default-secure-signing-key" }
+
+	// Load
+	manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
+	assert.NoError(t, err)
+	assert.NotNil(t, manager)
+}
+
+func TestLoadIAMManagerFromConfig_PartialDefaults(t *testing.T) {
+	// Test that partial configs (e.g. providing SigningKey but not Duration) work
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "iam_config_partial.json")
+
+	// Signing key provided in JSON, others missing
+	configContent := `{
+		"sts": {
+			"signingKey": "anNvbi1wcm92aWRlZC1rZXktMTIzNDU="
+		},
+		"policy": {
+			"storeType": "memory",
+			"defaultEffect": "Allow"
+		}
+	}`
+
+	err := os.WriteFile(configPath, []byte(configContent), 0644)
+	assert.NoError(t, err)
+
+	filerProvider := func() string { return "localhost:8888" }
+	// Default signing key provided but should be IGNORED because JSON has one
+	defaultSigningKeyProvider := func() string { return "server-default-key-should-be-ignored" }
+
+	manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
+	assert.NoError(t, err)
+	assert.NotNil(t, manager)
+}
+
+func TestLoadIAMManagerFromConfig_ExplicitEmptyKey(t *testing.T) {
+	// Test that if JSON has empty signing key string, it still falls back
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "iam_config_empty_key.json")
+
+	// Signing key explicitly empty
+	configContent := `{
+		"sts": {
+			"signingKey": ""
+		},
+		"policy": {
+			"storeType": "memory",
+			"defaultEffect": "Allow"
+		}
+	}`
+
+	err := os.WriteFile(configPath, []byte(configContent), 0644)
+	assert.NoError(t, err)
+
+	filerProvider := func() string { return "localhost:8888" }
+	defaultSigningKeyProvider := func() string { return "fallback-key-should-be-used" }
+
+	manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
+	assert.NoError(t, err)
+	assert.NotNil(t, manager)
+}
+
+func TestLoadIAMManagerFromConfig_MissingKeyError(t *testing.T) {
+	// Test that if BOTH keys are empty, it fails with a clear error
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "iam_config_all_empty.json")
+
+	// Signing key explicitly empty in JSON
+	configContent := `{
+		"sts": {
+			"signingKey": ""
+		},
+		"policy": {
+			"storeType": "memory",
+			"defaultEffect": "Allow"
+		}
+	}`
+
+	err := os.WriteFile(configPath, []byte(configContent), 0644)
+	assert.NoError(t, err)
+
+	filerProvider := func() string { return "localhost:8888" }
+	defaultSigningKeyProvider := func() string { return "" } // Empty default too
+
+	// Ensure no SSE-S3 key interferes (global state in tests is tricky, but let's assume clean state or no mock)
+	// Ideally we would mock GetSSES3KeyManager().GetMasterKey() but it's a global singleton.
+	// For this unit test, if the global key manager has no key, it should fail.
+
+	_, err = loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
+
+	// Should return a clear error
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "no signing key found for STS service")
+}
--- a/weed/s3api/iam_optional_test.go
+++ b/weed/s3api/iam_optional_test.go
@@ -0,0 +1,50 @@
+package s3api
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLoadIAMManagerFromConfig_OptionalConfig(t *testing.T) {
+	// Mock dependencies
+	filerAddressProvider := func() string { return "localhost:8888" }
+	getFilerSigningKey := func() string { return "test-signing-key" }
+
+	// Test Case 1: Empty config path should load defaults
+	iamManager, err := loadIAMManagerFromConfig("", filerAddressProvider, getFilerSigningKey)
+	require.NoError(t, err)
+	require.NotNil(t, iamManager)
+
+	// Verify STS Service is initialized with defaults
+	stsService := iamManager.GetSTSService()
+	assert.NotNil(t, stsService)
+
+	// Verify defaults are applied
+	// Since we can't easily access the internal config of stsService,
+	// we rely on the fact that initialization succeeded without error.
+	// We can also verify that the policy engine uses memory store by default.
+
+	// Verify Policy Engine is initialized with defaults (Memory store, Deny effect)
+	// Again, internal state might be hard to access directly, but successful init implies defaults worked.
+}
+
+func TestLoadIAMManagerFromConfig_EmptyConfigWithFallbackKey(t *testing.T) {
+	// Mock dependencies where getFilerSigningKey returns empty, forcing fallback logic
+	// Initialize IAM with empty config (should trigger defaults)
+	// We pass empty string for config file path
+	option := &S3ApiServerOption{
+		Config:    "",
+		IamConfig: "",
+		EnableIam: true,
+	}
+	iamManager := NewIdentityAccessManagementWithStore(option, nil, "memory")
+
+	// Verify identityAnonymous is initialized
+	// This confirms the fix for anonymous access in zero-config mode
+	anonIdentity, found := iamManager.LookupAnonymous()
+	assert.True(t, found, "Anonymous identity should be found by default")
+	assert.NotNil(t, anonIdentity, "Anonymous identity should not be nil")
+	assert.Equal(t, "anonymous", anonIdentity.Name)
+}
--- a/weed/s3api/iceberg/server.go
+++ b/weed/s3api/iceberg/server.go
@@ -18,6 +18,7 @@ type FilerClient interface {

 type S3Authenticator interface {
 	AuthenticateRequest(r *http.Request) (string, interface{}, s3err.ErrorCode)
+	DefaultAllow() bool
 }

 // Server implements the Iceberg REST Catalog API.
@@ -128,20 +129,25 @@ func (s *Server) Auth(handler http.HandlerFunc) http.HandlerFunc {

 		identityName, identity, errCode := s.authenticator.AuthenticateRequest(r)
 		if errCode != s3err.ErrNone {
-			apiErr := s3err.GetAPIError(errCode)
-			errorType := "RESTException"
-			switch apiErr.HTTPStatusCode {
-			case http.StatusForbidden:
-				errorType = "ForbiddenException"
-			case http.StatusUnauthorized:
-				errorType = "NotAuthorizedException"
-			case http.StatusBadRequest:
-				errorType = "BadRequestException"
-			case http.StatusInternalServerError:
-				errorType = "InternalServerError"
+			// If authentication failed but DefaultAllow is enabled, proceed without identity
+			if s.authenticator.DefaultAllow() {
+				glog.V(2).Infof("Iceberg: AuthenticateRequest failed (%v), but DefaultAllow is true, proceeding", errCode)
+			} else {
+				apiErr := s3err.GetAPIError(errCode)
+				errorType := "RESTException"
+				switch apiErr.HTTPStatusCode {
+				case http.StatusForbidden:
+					errorType = "ForbiddenException"
+				case http.StatusUnauthorized:
+					errorType = "NotAuthorizedException"
+				case http.StatusBadRequest:
+					errorType = "BadRequestException"
+				case http.StatusInternalServerError:
+					errorType = "InternalServerError"
+				}
+				writeError(w, apiErr.HTTPStatusCode, errorType, apiErr.Description)
+				return
 			}
-			writeError(w, apiErr.HTTPStatusCode, errorType, apiErr.Description)
-			return
 		}

 		if identityName != "" || identity != nil {
--- a/weed/s3api/s3_iam_middleware.go
+++ b/weed/s3api/s3_iam_middleware.go
@@ -44,6 +44,7 @@ type IAMIntegration interface {
 	AuthorizeAction(ctx context.Context, identity *IAMIdentity, action Action, bucket string, objectKey string, r *http.Request) s3err.ErrorCode
 	ValidateSessionToken(ctx context.Context, token string) (*sts.SessionInfo, error)
 	ValidateTrustPolicyForPrincipal(ctx context.Context, roleArn, principalArn string) error
+	DefaultAllow() bool
 }

 // S3IAMIntegration provides IAM integration for S3 API
@@ -310,6 +311,14 @@ func (s3iam *S3IAMIntegration) ValidateTrustPolicyForPrincipal(ctx context.Conte
 	return s3iam.iamManager.ValidateTrustPolicyForPrincipal(ctx, roleArn, principalArn)
 }

+// DefaultAllow returns whether access is allowed by default when no policy is found
+func (s3iam *S3IAMIntegration) DefaultAllow() bool {
+	if s3iam.iamManager == nil {
+		return true // Default to true if IAM is not enabled
+	}
+	return s3iam.iamManager.DefaultAllow()
+}
+
 // IAMIdentity represents an authenticated identity with session information
 type IAMIdentity struct {
 	Name         string
--- a/weed/s3api/s3_sse_s3.go
+++ b/weed/s3api/s3_sse_s3.go
@@ -5,6 +5,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -19,9 +20,13 @@ import (
 	"time"

 	"github.com/seaweedfs/seaweedfs/weed/glog"
+	"github.com/seaweedfs/seaweedfs/weed/pb"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 	"github.com/seaweedfs/seaweedfs/weed/util"
+	"github.com/seaweedfs/seaweedfs/weed/wdclient"
+	"golang.org/x/crypto/hkdf"
+	"google.golang.org/grpc"
 )

 // SSE-S3 uses AES-256 encryption with server-managed keys
@@ -452,6 +457,27 @@ func (km *SSES3KeyManager) GetKey(keyID string) (*SSES3Key, bool) {
 	return nil, false
 }

+// GetMasterKey returns a derived key from the master KEK for STS signing
+// This uses HKDF to isolate the STS security domain from the SSE-S3 domain
+func (km *SSES3KeyManager) GetMasterKey() []byte {
+	km.mu.RLock()
+	defer km.mu.RUnlock()
+
+	if len(km.superKey) == 0 {
+		return nil
+	}
+
+	// Derive a separate key for STS to isolate security domains
+	// We use the KEK as the secret, and "seaweedfs-sts-signing-key" as the info
+	hkdfReader := hkdf.New(sha256.New, km.superKey, nil, []byte("seaweedfs-sts-signing-key"))
+	derived := make([]byte, 32) // 256-bit derived key
+	if _, err := io.ReadFull(hkdfReader, derived); err != nil {
+		glog.Errorf("Failed to derive STS key: %v", err)
+		return nil
+	}
+	return derived
+}
+
 // Global SSE-S3 key manager instance
 var globalSSES3KeyManager = NewSSES3KeyManager()

@@ -460,9 +486,31 @@ func GetSSES3KeyManager() *SSES3KeyManager {
 	return globalSSES3KeyManager
 }

+// KeyManagerFilerClient wraps wdclient.FilerClient to satisfy filer_pb.FilerClient interface
+type KeyManagerFilerClient struct {
+	*wdclient.FilerClient
+	grpcDialOption grpc.DialOption
+}
+
+func (k *KeyManagerFilerClient) AdjustedUrl(location *filer_pb.Location) string {
+	return location.Url
+}
+
+func (k *KeyManagerFilerClient) WithFilerClient(streamingMode bool, fn func(filer_pb.SeaweedFilerClient) error) error {
+	filerAddress := k.GetCurrentFiler()
+	if filerAddress == "" {
+		return fmt.Errorf("no filer available")
+	}
+	return pb.WithGrpcFilerClient(streamingMode, 0, filerAddress, k.grpcDialOption, fn)
+}
+
 // InitializeGlobalSSES3KeyManager initializes the global key manager with filer access
-func InitializeGlobalSSES3KeyManager(s3ApiServer *S3ApiServer) error {
-	return globalSSES3KeyManager.InitializeWithFiler(s3ApiServer)
+func InitializeGlobalSSES3KeyManager(filerClient *wdclient.FilerClient, grpcDialOption grpc.DialOption) error {
+	wrapper := &KeyManagerFilerClient{
+		FilerClient:    filerClient,
+		grpcDialOption: grpcDialOption,
+	}
+	return globalSSES3KeyManager.InitializeWithFiler(wrapper)
 }

 // ProcessSSES3Request processes an SSE-S3 request and returns encryption metadata
--- a/weed/s3api/s3api_put_object_helper_test.go
+++ b/weed/s3api/s3api_put_object_helper_test.go
@@ -13,7 +13,7 @@ import (
 func TestGetRequestDataReader_ChunkedEncodingWithoutIAM(t *testing.T) {
 	// Create an S3ApiServer with IAM disabled
 	s3a := &S3ApiServer{
-		iam: NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, string(credential.StoreTypeMemory)),
+		iam: NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, nil, string(credential.StoreTypeMemory)),
 	}
 	// Ensure IAM is disabled for this test
 	s3a.iam.isAuthEnabled = false
@@ -87,7 +87,7 @@ func TestGetRequestDataReader_ChunkedEncodingWithoutIAM(t *testing.T) {
 func TestGetRequestDataReader_AuthTypeDetection(t *testing.T) {
 	// Create an S3ApiServer with IAM disabled
 	s3a := &S3ApiServer{
-		iam: NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, string(credential.StoreTypeMemory)),
+		iam: NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, nil, string(credential.StoreTypeMemory)),
 	}
 	s3a.iam.isAuthEnabled = false

@@ -122,7 +122,7 @@ func TestGetRequestDataReader_AuthTypeDetection(t *testing.T) {
 func TestGetRequestDataReader_IAMEnabled(t *testing.T) {
 	// Create an S3ApiServer with IAM enabled
 	s3a := &S3ApiServer{
-		iam: NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, string(credential.StoreTypeMemory)),
+		iam: NewIdentityAccessManagementWithStore(&S3ApiServerOption{}, nil, string(credential.StoreTypeMemory)),
 	}
 	s3a.iam.isAuthEnabled = true

--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -110,7 +110,8 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
 		option.AllowedOrigins = domains
 	}

-	iam := NewIdentityAccessManagementWithStore(option, explicitStore)
+	// Initialize basic/legacy IAM - filerClient not available yet, passed as nil
+	iam := NewIdentityAccessManagementWithStore(option, nil, explicitStore)

 	// Initialize bucket policy engine first
 	policyEngine := NewBucketPolicyEngine()
@@ -146,17 +147,25 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
 		glog.V(1).Infof("S3 API initialized FilerClient with %d filer(s) (no discovery)", len(option.Filers))
 	}

-	// Update credential store to use FilerClient's current filer for HA
-	if store := iam.credentialManager.GetStore(); store != nil {
-		if filerFuncSetter, ok := store.(interface {
-			SetFilerAddressFunc(func() pb.ServerAddress, grpc.DialOption)
-		}); ok {
-			// Use FilerClient's GetCurrentFiler for true HA
-			filerFuncSetter.SetFilerAddressFunc(filerClient.GetCurrentFiler, option.GrpcDialOption)
-			glog.V(1).Infof("Updated credential store to use FilerClient's current active filer (HA-aware)")
-		}
+	// Initialize Global SSE-S3 Key Manager early so it's available for IAM fallback
+	// This ensures we can access the KEK for STS signing key if needed
+	if err := InitializeGlobalSSES3KeyManager(filerClient, option.GrpcDialOption); err != nil {
+		glog.Errorf("Failed to initialize SSE-S3 Key Manager: %v", err)
+		// We continue, as this might be a transient failure or non-critical for some setups,
+		// but IAM fallback to KEK will fail if this didn't succeed.
 	}

+	// Update credential store to use FilerClient's current filer for HA
+	iam.SetFilerClient(filerClient)
+
+	// Keep attempting to load configuration from filer now that we have a client
+	// The initial load in NewIdentityAccessManagementWithStore might have failed if client was nil
+	go func() {
+		if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
+			glog.Warningf("Failed to load IAM config from filer after client update: %v", err)
+		}
+	}()
+
 	s3ApiServer = &S3ApiServer{
 		option:                option,
 		iam:                   iam,
@@ -178,19 +187,25 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
 	// This avoids circular dependency by not passing the entire S3ApiServer
 	iam.policyEngine = policyEngine

-	// Initialize advanced IAM system if config is provided
-	if option.IamConfig != "" {
-		glog.V(1).Infof("Loading advanced IAM configuration from: %s", option.IamConfig)
+	// Initialize advanced IAM system if config is provided or explicitly enabled
+	if option.IamConfig != "" || option.EnableIam {
+		configSource := "defaults"
+		if option.IamConfig != "" {
+			configSource = option.IamConfig
+		}
+		glog.V(1).Infof("Loading advanced IAM configuration from: %s", configSource)

 		// Use FilerClient's GetCurrentFiler for HA-aware filer selection
 		iamManager, err := loadIAMManagerFromConfig(option.IamConfig, func() string {
 			return string(filerClient.GetCurrentFiler())
+		}, func() string {
+			return signingKey
 		})
 		if err != nil {
 			glog.Errorf("Failed to load IAM configuration: %v", err)
 		} else {
-			if iam.credentialManager != nil {
-				iamManager.SetUserStore(iam.credentialManager)
+			if s3ApiServer.iam.credentialManager != nil {
+				iamManager.SetUserStore(s3ApiServer.iam.credentialManager)
 			}
 			glog.V(1).Infof("IAM Manager loaded, creating integration")
 			// Create S3 IAM integration with the loaded IAM manager
@@ -233,6 +248,10 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
 		})
 	}
 	s3ApiServer.bucketRegistry = NewBucketRegistry(s3ApiServer)
+
+	// Update IAM with the final filer client (already handled by SetFilerClient above,
+	// but this reinforces it if we ever change the flow)
+	s3ApiServer.iam.SetFilerClient(s3ApiServer.filerClient)
 	if option.LocalFilerSocket == "" {
 		if s3ApiServer.client, err = util_http.NewGlobalHttpClient(); err != nil {
 			return nil, err
@@ -249,11 +268,6 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl

 	s3ApiServer.registerRouter(router)

-	// Initialize the global SSE-S3 key manager with filer access
-	if err := InitializeGlobalSSES3KeyManager(s3ApiServer); err != nil {
-		return nil, fmt.Errorf("failed to initialize SSE-S3 key manager: %w", err)
-	}
-
 	go s3ApiServer.subscribeMetaEvents("s3", startTsNs, filer.DirectoryEtcRoot, []string{
 		option.BucketsPath,
 		filer.IamConfigDirectory,
@@ -830,14 +844,7 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
 }

 // loadIAMManagerFromConfig loads the advanced IAM manager from configuration file
-func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() string) (*integration.IAMManager, error) {
-	// Read configuration file
-	configData, err := os.ReadFile(configPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read config file: %w", err)
-	}
-
-	// Parse configuration structure
+func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() string, getFilerSigningKey func() string) (*integration.IAMManager, error) {
 	var configRoot struct {
 		STS       *sts.STSConfig                `json:"sts"`
 		Policy    *policy.PolicyEngineConfig    `json:"policy"`
@@ -849,24 +856,43 @@ func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() str
 		} `json:"policies"`
 	}

-	if err := json.Unmarshal(configData, &configRoot); err != nil {
-		return nil, fmt.Errorf("failed to parse config: %w", err)
+	if configPath != "" {
+		// Read configuration file
+		configData, err := os.ReadFile(configPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read config file: %w", err)
+		}
+
+		if err := json.Unmarshal(configData, &configRoot); err != nil {
+			return nil, fmt.Errorf("failed to parse config: %w", err)
+		}
+	} else {
+		glog.V(1).Infof("No IAM config file provided; using defaults")
+		// Initialize with empty config which will trigger defaults below
+	}
+
+	// Ensure STS config exists so we can apply defaults later
+	if configRoot.STS == nil {
+		configRoot.STS = &sts.STSConfig{}
 	}

 	// Ensure a valid policy engine config exists
 	if configRoot.Policy == nil {
-		// Provide a secure default if not specified in the config file
-		// Default to Deny with in-memory store so that JSON-defined policies work without filer
-		glog.V(1).Infof("No policy engine config provided; using defaults (DefaultEffect=%s, StoreType=%s)", sts.EffectDeny, sts.StoreTypeMemory)
-		configRoot.Policy = &policy.PolicyEngineConfig{
-			DefaultEffect: sts.EffectDeny,
-			StoreType:     sts.StoreTypeMemory,
-		}
-	} else if configRoot.Policy.StoreType == "" {
-		// If policy config exists but storeType is not specified, use memory store
-		// This ensures JSON-defined policies are stored in memory and work correctly
+		configRoot.Policy = &policy.PolicyEngineConfig{}
+	}
+	if configRoot.Policy.StoreType == "" {
 		configRoot.Policy.StoreType = sts.StoreTypeMemory
-		glog.V(1).Infof("Policy storeType not specified; using memory store for JSON config-based setup")
+	}
+	if configRoot.Policy.DefaultEffect == "" {
+		// Default to Allow (open) with in-memory store so that
+		// users can start using STS without locking themselves out immediately.
+		// For other stores (e.g. filer), default to Deny (closed) for security.
+		if configRoot.Policy.StoreType == sts.StoreTypeMemory {
+			configRoot.Policy.DefaultEffect = sts.EffectAllow
+		} else {
+			configRoot.Policy.DefaultEffect = sts.EffectDeny
+		}
+		glog.V(1).Infof("Using policy defaults: DefaultEffect=%s, StoreType=%s", configRoot.Policy.DefaultEffect, configRoot.Policy.StoreType)
 	}

 	// Create IAM configuration
@@ -878,6 +904,26 @@ func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() str
 		},
 	}

+	// Apply default signing key if not present in config
+	if iamConfig.STS != nil && len(iamConfig.STS.SigningKey) == 0 {
+		// 1. Try server-configured signing key (security.toml / CLI)
+		if key := getFilerSigningKey(); key != "" {
+			iamConfig.STS.SigningKey = []byte(key)
+			glog.V(1).Infof("Using default filer signing key for STS service")
+		} else {
+			// 2. Try cluster-wide SSE-S3 Master Key (KEK) from Filer
+			// This ensures zero-config consistency across the cluster
+			if kek := GetSSES3KeyManager().GetMasterKey(); len(kek) > 0 {
+				iamConfig.STS.SigningKey = kek
+				glog.V(1).Infof("Using SSE-S3 Master Key (KEK) for STS service")
+			} else {
+				// 3. Fail if no signing key is available
+				// This ensures consistency across multiple S3 servers and secure operation
+				return nil, fmt.Errorf("no signing key found for STS service; please provide 'signingKey' in IAM config, configure 'jwt.filer_signing.key' in security.toml, or ensure SSE-S3 is initialized")
+			}
+		}
+	}
+
 	// Initialize IAM manager
 	iamManager := integration.NewIAMManager()
 	if err := iamManager.Initialize(iamConfig, filerAddressProvider); err != nil {
@@ -960,3 +1006,11 @@ func (s3a *S3ApiServer) AuthenticateRequest(r *http.Request) (string, interface{
 	}
 	return "", nil, err
 }
+
+// DefaultAllow returns whether access is allowed by default when no policy is found
+func (s3a *S3ApiServer) DefaultAllow() bool {
+	if s3a.iam == nil || s3a.iam.iamIntegration == nil {
+		return false
+	}
+	return s3a.iam.iamIntegration.DefaultAllow()
+}
--- a/weed/s3api/s3api_server_routing_test.go
+++ b/weed/s3api/s3api_server_routing_test.go
@@ -16,7 +16,7 @@ import (
 // setupRoutingTestServer creates a minimal S3ApiServer for routing tests
 func setupRoutingTestServer(t *testing.T) *S3ApiServer {
 	opt := &S3ApiServerOption{EnableIam: true}
-	iam := NewIdentityAccessManagementWithStore(opt, "memory")
+	iam := NewIdentityAccessManagementWithStore(opt, nil, "memory")
 	iam.isAuthEnabled = true

 	if iam.credentialManager == nil {
--- a/weed/s3api/s3api_tables.go
+++ b/weed/s3api/s3api_tables.go
@@ -43,6 +43,11 @@ func (st *S3TablesApiServer) SetAccountID(accountID string) {
 	st.handler.SetAccountID(accountID)
 }

+// SetDefaultAllow sets whether to allow access by default
+func (st *S3TablesApiServer) SetDefaultAllow(allow bool) {
+	st.handler.SetDefaultAllow(allow)
+}
+
 // S3TablesHandler handles S3 Tables API requests
 func (st *S3TablesApiServer) S3TablesHandler(w http.ResponseWriter, r *http.Request) {
 	st.handler.HandleRequest(w, r, st)
@@ -57,6 +62,12 @@ func (st *S3TablesApiServer) WithFilerClient(streamingMode bool, fn func(filer_p
 func (s3a *S3ApiServer) registerS3TablesRoutes(router *mux.Router) {
 	// Create S3 Tables handler
 	s3TablesApi := NewS3TablesApiServer(s3a)
+	if s3a.iam != nil && s3a.iam.iamIntegration != nil {
+		s3TablesApi.SetDefaultAllow(s3a.iam.iamIntegration.DefaultAllow())
+	} else {
+		// If IAM is not configured, allow all access by default
+		s3TablesApi.SetDefaultAllow(true)
+	}

 	// Regex for S3 Tables Bucket ARN
 	const tableBucketARNRegex = "arn:aws:s3tables:[^/:]*:[^/:]*:bucket/[^/]+"
@@ -618,9 +629,15 @@ func (s3a *S3ApiServer) authenticateS3Tables(f http.HandlerFunc) http.HandlerFun
 		// Use AuthSignatureOnly to authenticate the request without authorizing specific actions
 		identity, errCode := s3a.iam.AuthSignatureOnly(r)
 		if errCode != s3err.ErrNone {
-			glog.Errorf("S3Tables: AuthSignatureOnly failed: %v", errCode)
-			s3err.WriteErrorResponse(w, r, errCode)
-			return
+			// If IAM is enabled but DefaultAllow is true, we can proceed even if unauthenticated
+			// authorization checks in handlers will then use DefaultAllow logic.
+			if s3a.iam.iamIntegration != nil && s3a.iam.iamIntegration.DefaultAllow() {
+				glog.V(2).Infof("S3Tables: AuthSignatureOnly failed (%v), but DefaultAllow is true, proceeding", errCode)
+			} else {
+				glog.Errorf("S3Tables: AuthSignatureOnly failed: %v", errCode)
+				s3err.WriteErrorResponse(w, r, errCode)
+				return
+			}
 		}

 		// Store the authenticated identity in request context
--- a/weed/s3api/s3tables/handler.go
+++ b/weed/s3api/s3tables/handler.go
@@ -44,15 +44,17 @@ const (

 // S3TablesHandler handles S3 Tables API requests
 type S3TablesHandler struct {
-	region    string
-	accountID string
+	region       string
+	accountID    string
+	defaultAllow bool // Whether to allow access by default (for zero-config IAM)
 }

 // NewS3TablesHandler creates a new S3 Tables handler
 func NewS3TablesHandler() *S3TablesHandler {
 	return &S3TablesHandler{
-		region:    DefaultRegion,
-		accountID: DefaultAccountID,
+		region:       DefaultRegion,
+		accountID:    DefaultAccountID,
+		defaultAllow: false,
 	}
 }

@@ -70,6 +72,11 @@ func (h *S3TablesHandler) SetAccountID(accountID string) {
 	}
 }

+// SetDefaultAllow sets whether to allow access by default
+func (h *S3TablesHandler) SetDefaultAllow(allow bool) {
+	h.defaultAllow = allow
+}
+
 // FilerClient interface for filer operations
 type FilerClient interface {
 	WithFilerClient(streamingMode bool, fn func(client filer_pb.SeaweedFilerClient) error) error
--- a/weed/s3api/s3tables/handler_bucket_create.go
+++ b/weed/s3api/s3tables/handler_bucket_create.go
@@ -16,7 +16,9 @@ import (
 func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http.Request, filerClient FilerClient) error {
 	// Check permission
 	principal := h.getAccountID(r)
-	if !CanCreateTableBucket(principal, principal, "") {
+	if !CheckPermissionWithContext("CreateTableBucket", principal, principal, "", "", &PolicyContext{
+		DefaultAllow: h.defaultAllow,
+	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table buckets")
 		return NewAuthError("CreateTableBucket", principal, "not authorized to create table buckets")
 	}
--- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go
+++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
@@ -72,6 +72,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
 	if !CheckPermissionWithContext("GetTableBucket", principal, metadata.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 		TableBucketName: bucketName,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
 		return ErrAccessDenied
@@ -101,6 +102,7 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
 	identityActions := getIdentityActions(r)
 	if !CheckPermissionWithContext("ListTableBuckets", principal, accountID, "", "", &PolicyContext{
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list table buckets")
 		return NewAuthError("ListTableBuckets", principal, "not authorized to list table buckets")
@@ -198,6 +200,7 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
 				if !CheckPermissionWithContext("GetTableBucket", accountID, metadata.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 					TableBucketName: entry.Entry.Name,
 					IdentityActions: identityActions,
+					DefaultAllow:    h.defaultAllow,
 				}) {
 					continue
 				}
@@ -300,6 +303,7 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http
 		if !CheckPermissionWithContext("DeleteTableBucket", principal, metadata.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 			TableBucketName: bucketName,
 			IdentityActions: identityActions,
+			DefaultAllow:    h.defaultAllow,
 		}) {
 			return NewAuthError("DeleteTableBucket", principal, fmt.Sprintf("not authorized to delete bucket %s", bucketName))
 		}
--- a/weed/s3api/s3tables/handler_namespace.go
+++ b/weed/s3api/s3tables/handler_namespace.go
@@ -118,6 +118,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
 		Namespace:       namespaceName,
 		TableBucketTags: bucketTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		glog.Infof("S3Tables: Permission denied for CreateNamespace - principal=%s, owner=%s", principal, bucketMetadata.OwnerAccountID)
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace in this bucket")
@@ -258,6 +259,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
 		Namespace:       namespaceName,
 		TableBucketTags: bucketTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
 		return ErrAccessDenied
@@ -344,6 +346,7 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
 		TableBucketName: bucketName,
 		TableBucketTags: bucketTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
 		return ErrAccessDenied
@@ -528,6 +531,7 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
 		Namespace:       namespaceName,
 		TableBucketTags: bucketTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
 		return ErrAccessDenied
--- a/weed/s3api/s3tables/handler_policy.go
+++ b/weed/s3api/s3tables/handler_policy.go
@@ -94,6 +94,7 @@ func (h *S3TablesHandler) handlePutTableBucketPolicy(w http.ResponseWriter, r *h
 	if !CheckPermissionWithContext("PutTableBucketPolicy", principal, bucketMetadata.OwnerAccountID, "", bucketARN, &PolicyContext{
 		TableBucketName: bucketName,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to put table bucket policy")
 		return NewAuthError("PutTableBucketPolicy", principal, "not authorized to put table bucket policy")
@@ -171,6 +172,7 @@ func (h *S3TablesHandler) handleGetTableBucketPolicy(w http.ResponseWriter, r *h
 	if !CheckPermissionWithContext("GetTableBucketPolicy", principal, bucketMetadata.OwnerAccountID, string(policy), bucketARN, &PolicyContext{
 		TableBucketName: bucketName,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket policy")
 		return NewAuthError("GetTableBucketPolicy", principal, "not authorized to get table bucket policy")
@@ -246,6 +248,7 @@ func (h *S3TablesHandler) handleDeleteTableBucketPolicy(w http.ResponseWriter, r
 	if !CheckPermissionWithContext("DeleteTableBucketPolicy", principal, bucketMetadata.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 		TableBucketName: bucketName,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket policy")
 		return NewAuthError("DeleteTableBucketPolicy", principal, "not authorized to delete table bucket policy")
@@ -346,6 +349,7 @@ func (h *S3TablesHandler) handlePutTablePolicy(w http.ResponseWriter, r *http.Re
 		Namespace:       namespaceName,
 		TableName:       tableName,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to put table policy")
 		return NewAuthError("PutTablePolicy", principal, "not authorized to put table policy")
@@ -453,6 +457,7 @@ func (h *S3TablesHandler) handleGetTablePolicy(w http.ResponseWriter, r *http.Re
 		Namespace:       namespaceName,
 		TableName:       tableName,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table policy")
 		return NewAuthError("GetTablePolicy", principal, "not authorized to get table policy")
@@ -542,6 +547,7 @@ func (h *S3TablesHandler) handleDeleteTablePolicy(w http.ResponseWriter, r *http
 		Namespace:       namespaceName,
 		TableName:       tableName,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	}) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table policy")
 		return NewAuthError("DeleteTablePolicy", principal, "not authorized to delete table policy")
@@ -640,6 +646,7 @@ func (h *S3TablesHandler) handleTagResource(w http.ResponseWriter, r *http.Reque
 			TagKeys:         requestTagKeys,
 			ResourceTags:    existingTags,
 			IdentityActions: identityActions,
+			DefaultAllow:    h.defaultAllow,
 		}) {
 			return NewAuthError("TagResource", principal, "not authorized to tag resource")
 		}
@@ -757,6 +764,7 @@ func (h *S3TablesHandler) handleListTagsForResource(w http.ResponseWriter, r *ht
 			TableBucketTags: bucketTags,
 			ResourceTags:    tags,
 			IdentityActions: identityActions,
+			DefaultAllow:    h.defaultAllow,
 		}) {
 			return NewAuthError("ListTagsForResource", principal, "not authorized to list tags for resource")
 		}
@@ -864,6 +872,7 @@ func (h *S3TablesHandler) handleUntagResource(w http.ResponseWriter, r *http.Req
 			TagKeys:         req.TagKeys,
 			ResourceTags:    tags,
 			IdentityActions: identityActions,
+			DefaultAllow:    h.defaultAllow,
 		}) {
 			return NewAuthError("UntagResource", principal, "not authorized to untag resource")
 		}
--- a/weed/s3api/s3tables/handler_table.go
+++ b/weed/s3api/s3tables/handler_table.go
@@ -145,6 +145,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
 		TagKeys:         mapKeys(req.Tags),
 		TableBucketTags: bucketTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	})
 	bucketAllowed := CheckPermissionWithContext("CreateTable", accountID, bucketMetadata.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 		TableBucketName: bucketName,
@@ -154,6 +155,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
 		TagKeys:         mapKeys(req.Tags),
 		TableBucketTags: bucketTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	})

 	if !nsAllowed && !bucketAllowed {
@@ -390,6 +392,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
 		TableBucketTags: bucketTags,
 		ResourceTags:    tableTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	})
 	bucketAllowed := CheckPermissionWithContext("GetTable", accountID, bucketMetadata.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 		TableBucketName: bucketName,
@@ -398,6 +401,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
 		TableBucketTags: bucketTags,
 		ResourceTags:    tableTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	})

 	if !tableAllowed && !bucketAllowed {
@@ -527,12 +531,14 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
 				Namespace:       namespaceName,
 				TableBucketTags: bucketTags,
 				IdentityActions: identityActions,
+				DefaultAllow:    h.defaultAllow,
 			})
 			bucketAllowed := CheckPermissionWithContext("ListTables", accountID, bucketMeta.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 				TableBucketName: bucketName,
 				Namespace:       namespaceName,
 				TableBucketTags: bucketTags,
 				IdentityActions: identityActions,
+				DefaultAllow:    h.defaultAllow,
 			})
 			if !nsAllowed && !bucketAllowed {
 				return ErrAccessDenied
@@ -574,6 +580,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
 				TableBucketName: bucketName,
 				TableBucketTags: bucketTags,
 				IdentityActions: identityActions,
+				DefaultAllow:    h.defaultAllow,
 			}) {
 				return ErrAccessDenied
 			}
@@ -910,6 +917,7 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
 		TableBucketTags: bucketTags,
 		ResourceTags:    tableTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	})
 	bucketAllowed := CheckPermissionWithContext("DeleteTable", principal, bucketMetadata.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 		TableBucketName: bucketName,
@@ -918,6 +926,7 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
 		TableBucketTags: bucketTags,
 		ResourceTags:    tableTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	})
 	if !tableAllowed && !bucketAllowed {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table")
@@ -1053,6 +1062,7 @@ func (h *S3TablesHandler) handleUpdateTable(w http.ResponseWriter, r *http.Reque
 		TableBucketTags: bucketTags,
 		ResourceTags:    tableTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	})
 	bucketAllowed := CheckPermissionWithContext("UpdateTable", principal, bucketMetadata.OwnerAccountID, bucketPolicy, bucketARN, &PolicyContext{
 		TableBucketName: bucketName,
@@ -1061,6 +1071,7 @@ func (h *S3TablesHandler) handleUpdateTable(w http.ResponseWriter, r *http.Reque
 		TableBucketTags: bucketTags,
 		ResourceTags:    tableTags,
 		IdentityActions: identityActions,
+		DefaultAllow:    h.defaultAllow,
 	})

 	if !tableAllowed && !bucketAllowed {
--- a/weed/s3api/s3tables/manager.go
+++ b/weed/s3api/s3tables/manager.go
@@ -20,7 +20,10 @@ type Manager struct {

 // NewManager creates a new Manager.
 func NewManager() *Manager {
-	return &Manager{handler: NewS3TablesHandler()}
+	m := &Manager{handler: NewS3TablesHandler()}
+	// Default to allowing access when IAM is not configured
+	m.handler.SetDefaultAllow(true)
+	return m
 }

 // SetRegion sets the AWS region for ARN generation.
@@ -33,6 +36,11 @@ func (m *Manager) SetAccountID(accountID string) {
 	m.handler.SetAccountID(accountID)
 }

+// SetDefaultAllow sets whether to allow access by default.
+func (m *Manager) SetDefaultAllow(allow bool) {
+	m.handler.SetDefaultAllow(allow)
+}
+
 // Execute runs an S3 Tables operation and decodes the response into resp (if provided).
 func (m *Manager) Execute(ctx context.Context, filerClient FilerClient, operation string, req interface{}, resp interface{}, identity string) error {
 	body, err := json.Marshal(req)
--- a/weed/s3api/s3tables/permissions.go
+++ b/weed/s3api/s3tables/permissions.go
@@ -86,6 +86,7 @@ type PolicyContext struct {
 	SSEAlgorithm    string
 	KMSKeyArn       string
 	StorageClass    string
+	DefaultAllow    bool
 }

 // CheckPermissionWithResource checks if a principal has permission to perform an operation on a specific resource
@@ -117,17 +118,30 @@ func CheckPermissionWithContext(operation, principal, owner, resourcePolicy, res
 }

 func checkPermission(operation, principal, owner, resourcePolicy, resourceARN string, ctx *PolicyContext) bool {
+	fmt.Printf("DEBUG: checkPermission op=%s princ=%s owner=%s policyLen=%d defaultAllow=%v\n",
+		operation, principal, owner, len(resourcePolicy), ctx != nil && ctx.DefaultAllow)
+	if resourcePolicy != "" {
+		fmt.Printf("DEBUG: policy content: %s\n", resourcePolicy)
+	}
+
 	// Owner always has permission
 	if principal == owner {
+		fmt.Printf("DEBUG: Allowed by Owner check\n")
 		return true
 	}

 	if hasIdentityPermission(operation, ctx) {
+		fmt.Printf("DEBUG: Allowed by Identity check\n")
 		return true
 	}

-	// If no policy is provided, deny access (default deny)
+	// If no policy is provided, use default allow if enabled
 	if resourcePolicy == "" {
+		if ctx != nil && ctx.DefaultAllow {
+			fmt.Printf("DEBUG: Allowed by DefaultAllow\n")
+			return true
+		}
+		fmt.Printf("DEBUG: Denied by DefaultAllow=false (no policy)\n")
 		return false
 	}

@@ -177,7 +191,16 @@ func checkPermission(operation, principal, owner, resourcePolicy, resourceARN st
 		}
 	}

-	return hasAllow
+	if hasAllow {
+		return true
+	}
+
+	// If no statement matched, use default allow if enabled
+	if ctx != nil && ctx.DefaultAllow {
+		return true
+	}
+
+	return false
 }

 func hasIdentityPermission(operation string, ctx *PolicyContext) bool {
--- a/weed/s3api/s3tables/permissions_test.go
+++ b/weed/s3api/s3tables/permissions_test.go
@@ -206,3 +206,48 @@ func TestEvaluatePolicyWithConditions(t *testing.T) {
 		})
 	}
 }
+func TestCheckPermissionWithDefaultAllow(t *testing.T) {
+	tests := []struct {
+		name         string
+		defaultAllow bool
+		policy       string
+		expected     bool
+	}{
+		{
+			"default deny (no policy, DefaultAllow=false)",
+			false,
+			"",
+			false,
+		},
+		{
+			"default allow (no policy, DefaultAllow=true)",
+			true,
+			"",
+			true,
+		},
+		{
+			"explicit deny overrides DefaultAllow=true",
+			true,
+			`{"Statement":[{"Effect":"Deny","Principal":"*","Action":"s3tables:GetTable"}]}`,
+			false,
+		},
+		{
+			"explicit allow works with DefaultAllow=false",
+			false,
+			`{"Statement":[{"Effect":"Allow","Principal":"*","Action":"s3tables:GetTable"}]}`,
+			true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := &PolicyContext{
+				DefaultAllow: tt.defaultAllow,
+			}
+			result := CheckPermissionWithContext("s3tables:GetTable", "user123", "owner123", tt.policy, "", ctx)
+			if result != tt.expected {
+				t.Errorf("CheckPermissionWithContext() = %v, want %v (DefaultAllow=%v, Policy=%s)", result, tt.expected, tt.defaultAllow, tt.policy)
+			}
+		})
+	}
+}
--- a/weed/s3api/sts_params_test.go
+++ b/weed/s3api/sts_params_test.go
@@ -41,6 +41,9 @@ func (m *mockIAMIntegration) ValidateTrustPolicyForPrincipal(ctx context.Context
 func (m *mockIAMIntegration) ValidateSessionToken(ctx context.Context, token string) (*sts.SessionInfo, error) {
 	return nil, nil
 }
+func (m *mockIAMIntegration) DefaultAllow() bool {
+	return true
+}

 func TestSTSAssumeRolePostBody(t *testing.T) {
 	// Setup S3ApiServer with IAM enabled