Explicit IAM gRPC APIs for S3 Server (#8126)

* Update IAM and S3 protobuf definitions for explicit IAM gRPC APIs

* Refactor s3api: Extract generic ExecuteAction method for IAM operations

* Implement explicit IAM gRPC APIs in S3 server

* iam: remove deprecated GetConfiguration and PutConfiguration RPCs

* iamapi: refactor handlers to use CredentialManager directly

* s3api: refactor embedded IAM to use CredentialManager directly

* server: remove deprecated configuration gRPC handlers

* credential/grpc: refactor configuration calls to return error

* shell: update s3.configure to list users instead of full config

* s3api: fix CreateServiceAccount gRPC handler to map required fields

* s3api: fix UpdateServiceAccount gRPC handler to map fields and safe status

* s3api: enforce UserName in embedded IAM ListAccessKeys

* test: fix test_config.json structure to match proto definition

* Revert "credential/grpc: refactor configuration calls to return error"

This reverts commit cde707dd8b88c7d1bd730271518542eceb5ed069.

* Revert "server: remove deprecated configuration gRPC handlers"

This reverts commit 7307e205a083c8315cf84ddc2614b3e50eda2e33.

* Revert "s3api: enforce UserName in embedded IAM ListAccessKeys"

This reverts commit adf727ba52b4f3ffb911f0d0df85db858412ff83.

* Revert "s3api: fix UpdateServiceAccount gRPC handler to map fields and safe status"

This reverts commit 6a4be3314d43b6c8fda8d5e0558e83e87a19df3f.

* Revert "s3api: fix CreateServiceAccount gRPC handler to map required fields"

This reverts commit 9bb4425f07fbad38fb68d33e5c0aa573d8912a37.

* Revert "shell: update s3.configure to list users instead of full config"

This reverts commit f3304ead537b3e6be03d46df4cb55983ab931726.

* Revert "s3api: refactor embedded IAM to use CredentialManager directly"

This reverts commit 9012f27af82d11f0e824877712a5ae2505a65f86.

* Revert "iamapi: refactor handlers to use CredentialManager directly"

This reverts commit 3a148212236576b0a3aa4d991c2abb014fb46091.

* Revert "iam: remove deprecated GetConfiguration and PutConfiguration RPCs"

This reverts commit e16e08aa0099699338d3155bc7428e1051ce0a6a.

* s3api: address IAM code review comments (error handling, logging, gRPC response mapping)

* s3api: add robustness to startup by retrying KEK and IAM config loading from Filer

* s3api: address IAM gRPC code review comments (safety, validation, status logic)

* fix return

test/s3/iam/test_config.json

@@ -37,274 +37,6 @@
       ]
     }
   ],
-  "iam": {
-    "enabled": true,
-    "sts": {
-      "tokenDuration": "15m",
-      "issuer": "seaweedfs-sts",
-      "signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc="
-    },
-    "policy": {
-      "defaultEffect": "Deny"
-    },
-    "providers": {
-      "oidc": {
-        "test-oidc": {
-          "issuer": "http://localhost:8080/.well-known/openid_configuration",
-          "clientId": "test-client-id",
-          "jwksUri": "http://localhost:8080/jwks",
-          "userInfoUri": "http://localhost:8080/userinfo",
-          "roleMapping": {
-            "rules": [
-              {
-                "claim": "groups",
-                "claimValue": "admins",
-                "roleName": "S3AdminRole"
-              },
-              {
-                "claim": "groups",
-                "claimValue": "users",
-                "roleName": "S3ReadOnlyRole"
-              },
-              {
-                "claim": "groups",
-                "claimValue": "writers",
-                "roleName": "S3WriteOnlyRole"
-              }
-            ]
-          },
-          "claimsMapping": {
-            "email": "email",
-            "displayName": "name",
-            "groups": "groups"
-          }
-        }
-      },
-      "ldap": {
-        "test-ldap": {
-          "server": "ldap://localhost:389",
-          "baseDN": "dc=example,dc=com",
-          "bindDN": "cn=admin,dc=example,dc=com",
-          "bindPassword": "admin-password",
-          "userFilter": "(uid=%s)",
-          "groupFilter": "(memberUid=%s)",
-          "attributes": {
-            "email": "mail",
-            "displayName": "cn",
-            "groups": "memberOf"
-          },
-          "roleMapping": {
-            "rules": [
-              {
-                "claim": "groups",
-                "claimValue": "cn=admins,ou=groups,dc=example,dc=com",
-                "roleName": "S3AdminRole"
-              },
-              {
-                "claim": "groups",
-                "claimValue": "cn=users,ou=groups,dc=example,dc=com",
-                "roleName": "S3ReadOnlyRole"
-              }
-            ]
-          }
-        }
-      }
-    },
-    "policyStore": {}
-  },
-  "roles": {
-    "S3AdminRole": {
-      "trustPolicy": {
-        "Version": "2012-10-17",
-        "Statement": [
-          {
-            "Effect": "Allow",
-            "Principal": {
-              "Federated": [
-                "test-oidc",
-                "test-ldap"
-              ]
-            },
-            "Action": "sts:AssumeRoleWithWebIdentity"
-          }
-        ]
-      },
-      "attachedPolicies": [
-        "S3AdminPolicy"
-      ],
-      "description": "Full administrative access to S3 resources"
-    },
-    "S3ReadOnlyRole": {
-      "trustPolicy": {
-        "Version": "2012-10-17",
-        "Statement": [
-          {
-            "Effect": "Allow",
-            "Principal": {
-              "Federated": [
-                "test-oidc",
-                "test-ldap"
-              ]
-            },
-            "Action": "sts:AssumeRoleWithWebIdentity"
-          }
-        ]
-      },
-      "attachedPolicies": [
-        "S3ReadOnlyPolicy"
-      ],
-      "description": "Read-only access to S3 resources"
-    },
-    "S3WriteOnlyRole": {
-      "trustPolicy": {
-        "Version": "2012-10-17",
-        "Statement": [
-          {
-            "Effect": "Allow",
-            "Principal": {
-              "Federated": [
-                "test-oidc",
-                "test-ldap"
-              ]
-            },
-            "Action": "sts:AssumeRoleWithWebIdentity"
-          }
-        ]
-      },
-      "attachedPolicies": [
-        "S3WriteOnlyPolicy"
-      ],
-      "description": "Write-only access to S3 resources"
-    }
-  },
-  "policies": {
-    "S3AdminPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:*",
-            "iam:*"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*",
-            "arn:aws:s3:::*/*",
-            "arn:aws:iam:::*"
-          ]
-        }
-      ]
-    },
-    "S3ReadOnlyPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:GetObject",
-            "s3:GetObjectVersion",
-            "s3:ListBucket",
-            "s3:ListBucketVersions",
-            "s3:GetBucketLocation",
-            "s3:GetBucketVersioning"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*",
-            "arn:aws:s3:::*/*"
-          ]
-        }
-      ]
-    },
-    "S3WriteOnlyPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:PutObject",
-            "s3:PutObjectAcl",
-            "s3:DeleteObject",
-            "s3:DeleteObjectVersion",
-            "s3:InitiateMultipartUpload",
-            "s3:UploadPart",
-            "s3:CompleteMultipartUpload",
-            "s3:AbortMultipartUpload",
-            "s3:ListMultipartUploadParts"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*/*"
-          ]
-        }
-      ]
-    },
-    "S3BucketManagementPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:CreateBucket",
-            "s3:DeleteBucket",
-            "s3:GetBucketPolicy",
-            "s3:PutBucketPolicy",
-            "s3:DeleteBucketPolicy",
-            "s3:GetBucketVersioning",
-            "s3:PutBucketVersioning"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*"
-          ]
-        }
-      ]
-    },
-    "S3IPRestrictedPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:*"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*",
-            "arn:aws:s3:::*/*"
-          ],
-          "Condition": {
-            "IpAddress": {
-              "aws:SourceIp": [
-                "192.168.1.0/24",
-                "10.0.0.0/8"
-              ]
-            }
-          }
-        }
-      ]
-    },
-    "S3TimeBasedPolicy": {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "s3:GetObject",
-            "s3:ListBucket"
-          ],
-          "Resource": [
-            "arn:aws:s3:::*",
-            "arn:aws:s3:::*/*"
-          ],
-          "Condition": {
-            "DateGreaterThan": {
-              "aws:CurrentTime": "2023-01-01T00:00:00Z"
-            },
-            "DateLessThan": {
-              "aws:CurrentTime": "2025-12-31T23:59:59Z"
-            }
-          }
-        }
-      ]
-    }
-  },
   "bucketPolicyExamples": {
     "PublicReadPolicy": {
       "Version": "2012-10-17",

weed/pb/iam.proto

@@ -124,6 +124,43 @@ message GetUserByAccessKeyResponse {
     Identity identity = 1;
 }
 
+message ListAccessKeysRequest {
+    string username = 1;
+}
+
+message ListAccessKeysResponse {
+    repeated Credential access_keys = 1;
+}
+
+// User Policy Management Messages
+message PutUserPolicyRequest {
+    string username = 1;
+    string policy_name = 2;
+    string policy_document = 3;
+}
+
+message PutUserPolicyResponse {
+}
+
+message GetUserPolicyRequest {
+    string username = 1;
+    string policy_name = 2;
+}
+
+message GetUserPolicyResponse {
+    string username = 1;
+    string policy_name = 2;
+    string policy_document = 3;
+}
+
+message DeleteUserPolicyRequest {
+    string username = 1;
+    string policy_name = 2;
+}
+
+message DeleteUserPolicyResponse {
+}
+
 //////////////////////////////////////////////////
 
 message S3ApiConfiguration {
@@ -252,3 +289,4 @@ message GetServiceAccountByAccessKeyRequest {
 message GetServiceAccountByAccessKeyResponse {
     ServiceAccount service_account = 1;
 }
+

weed/pb/s3.proto

@@ -8,22 +8,35 @@ option java_outer_classname = "S3Proto";
 
 //////////////////////////////////////////////////
 
+import "iam.proto";
+
 service SeaweedS3 {
 
-    rpc Configure (S3ConfigureRequest) returns (S3ConfigureResponse) {
-    }
+    // Explicit IAM APIs mirroring SeaweedIdentityAccessManagement
+    rpc ListUsers (iam_pb.ListUsersRequest) returns (iam_pb.ListUsersResponse) {}
+    rpc CreateUser (iam_pb.CreateUserRequest) returns (iam_pb.CreateUserResponse) {}
+    rpc GetUser (iam_pb.GetUserRequest) returns (iam_pb.GetUserResponse) {}
+    rpc UpdateUser (iam_pb.UpdateUserRequest) returns (iam_pb.UpdateUserResponse) {}
+    rpc DeleteUser (iam_pb.DeleteUserRequest) returns (iam_pb.DeleteUserResponse) {}
+    
+    rpc ListAccessKeys (iam_pb.ListAccessKeysRequest) returns (iam_pb.ListAccessKeysResponse) {}
+    rpc CreateAccessKey (iam_pb.CreateAccessKeyRequest) returns (iam_pb.CreateAccessKeyResponse) {}
+    rpc DeleteAccessKey (iam_pb.DeleteAccessKeyRequest) returns (iam_pb.DeleteAccessKeyResponse) {}
+    
+    rpc PutUserPolicy (iam_pb.PutUserPolicyRequest) returns (iam_pb.PutUserPolicyResponse) {}
+    rpc GetUserPolicy (iam_pb.GetUserPolicyRequest) returns (iam_pb.GetUserPolicyResponse) {}
+    rpc DeleteUserPolicy (iam_pb.DeleteUserPolicyRequest) returns (iam_pb.DeleteUserPolicyResponse) {}
+    
+    rpc ListServiceAccounts (iam_pb.ListServiceAccountsRequest) returns (iam_pb.ListServiceAccountsResponse) {}
+    rpc CreateServiceAccount (iam_pb.CreateServiceAccountRequest) returns (iam_pb.CreateServiceAccountResponse) {}
+    rpc UpdateServiceAccount (iam_pb.UpdateServiceAccountRequest) returns (iam_pb.UpdateServiceAccountResponse) {}
+    rpc DeleteServiceAccount (iam_pb.DeleteServiceAccountRequest) returns (iam_pb.DeleteServiceAccountResponse) {}
+    rpc GetServiceAccount (iam_pb.GetServiceAccountRequest) returns (iam_pb.GetServiceAccountResponse) {}
 
 }
 
 //////////////////////////////////////////////////
 
-message S3ConfigureRequest {
-    bytes s3_configuration_file_content = 1;
-}
-
-message S3ConfigureResponse {
-}
-
 message S3CircuitBreakerConfig {
     S3CircuitBreakerOptions global=1;
     map<string, S3CircuitBreakerOptions> buckets= 2;

weed/pb/s3_pb/s3.pb.go

@@ -7,6 +7,7 @@
 package s3_pb
 
 import (
+	iam_pb "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -21,86 +22,6 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 
-type S3ConfigureRequest struct {
-	state                      protoimpl.MessageState `protogen:"open.v1"`
-	S3ConfigurationFileContent []byte                 `protobuf:"bytes,1,opt,name=s3_configuration_file_content,json=s3ConfigurationFileContent,proto3" json:"s3_configuration_file_content,omitempty"`
-	unknownFields              protoimpl.UnknownFields
-	sizeCache                  protoimpl.SizeCache
-}
-
-func (x *S3ConfigureRequest) Reset() {
-	*x = S3ConfigureRequest{}
-	mi := &file_s3_proto_msgTypes[0]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *S3ConfigureRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*S3ConfigureRequest) ProtoMessage() {}
-
-func (x *S3ConfigureRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_s3_proto_msgTypes[0]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use S3ConfigureRequest.ProtoReflect.Descriptor instead.
-func (*S3ConfigureRequest) Descriptor() ([]byte, []int) {
-	return file_s3_proto_rawDescGZIP(), []int{0}
-}
-
-func (x *S3ConfigureRequest) GetS3ConfigurationFileContent() []byte {
-	if x != nil {
-		return x.S3ConfigurationFileContent
-	}
-	return nil
-}
-
-type S3ConfigureResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *S3ConfigureResponse) Reset() {
-	*x = S3ConfigureResponse{}
-	mi := &file_s3_proto_msgTypes[1]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *S3ConfigureResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*S3ConfigureResponse) ProtoMessage() {}
-
-func (x *S3ConfigureResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_s3_proto_msgTypes[1]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use S3ConfigureResponse.ProtoReflect.Descriptor instead.
-func (*S3ConfigureResponse) Descriptor() ([]byte, []int) {
-	return file_s3_proto_rawDescGZIP(), []int{1}
-}
-
 type S3CircuitBreakerConfig struct {
 	state         protoimpl.MessageState              `protogen:"open.v1"`
 	Global        *S3CircuitBreakerOptions            `protobuf:"bytes,1,opt,name=global,proto3" json:"global,omitempty"`
@@ -111,7 +32,7 @@ type S3CircuitBreakerConfig struct {
 
 func (x *S3CircuitBreakerConfig) Reset() {
 	*x = S3CircuitBreakerConfig{}
-	mi := &file_s3_proto_msgTypes[2]
+	mi := &file_s3_proto_msgTypes[0]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -123,7 +44,7 @@ func (x *S3CircuitBreakerConfig) String() string {
 func (*S3CircuitBreakerConfig) ProtoMessage() {}
 
 func (x *S3CircuitBreakerConfig) ProtoReflect() protoreflect.Message {
-	mi := &file_s3_proto_msgTypes[2]
+	mi := &file_s3_proto_msgTypes[0]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -136,7 +57,7 @@ func (x *S3CircuitBreakerConfig) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use S3CircuitBreakerConfig.ProtoReflect.Descriptor instead.
 func (*S3CircuitBreakerConfig) Descriptor() ([]byte, []int) {
-	return file_s3_proto_rawDescGZIP(), []int{2}
+	return file_s3_proto_rawDescGZIP(), []int{0}
 }
 
 func (x *S3CircuitBreakerConfig) GetGlobal() *S3CircuitBreakerOptions {
@@ -163,7 +84,7 @@ type S3CircuitBreakerOptions struct {
 
 func (x *S3CircuitBreakerOptions) Reset() {
 	*x = S3CircuitBreakerOptions{}
-	mi := &file_s3_proto_msgTypes[3]
+	mi := &file_s3_proto_msgTypes[1]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -175,7 +96,7 @@ func (x *S3CircuitBreakerOptions) String() string {
 func (*S3CircuitBreakerOptions) ProtoMessage() {}
 
 func (x *S3CircuitBreakerOptions) ProtoReflect() protoreflect.Message {
-	mi := &file_s3_proto_msgTypes[3]
+	mi := &file_s3_proto_msgTypes[1]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -188,7 +109,7 @@ func (x *S3CircuitBreakerOptions) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use S3CircuitBreakerOptions.ProtoReflect.Descriptor instead.
 func (*S3CircuitBreakerOptions) Descriptor() ([]byte, []int) {
-	return file_s3_proto_rawDescGZIP(), []int{3}
+	return file_s3_proto_rawDescGZIP(), []int{1}
 }
 
 func (x *S3CircuitBreakerOptions) GetEnabled() bool {
@@ -219,7 +140,7 @@ type CORSRule struct {
 
 func (x *CORSRule) Reset() {
 	*x = CORSRule{}
-	mi := &file_s3_proto_msgTypes[4]
+	mi := &file_s3_proto_msgTypes[2]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -231,7 +152,7 @@ func (x *CORSRule) String() string {
 func (*CORSRule) ProtoMessage() {}
 
 func (x *CORSRule) ProtoReflect() protoreflect.Message {
-	mi := &file_s3_proto_msgTypes[4]
+	mi := &file_s3_proto_msgTypes[2]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -244,7 +165,7 @@ func (x *CORSRule) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use CORSRule.ProtoReflect.Descriptor instead.
 func (*CORSRule) Descriptor() ([]byte, []int) {
-	return file_s3_proto_rawDescGZIP(), []int{4}
+	return file_s3_proto_rawDescGZIP(), []int{2}
 }
 
 func (x *CORSRule) GetAllowedHeaders() []string {
@@ -298,7 +219,7 @@ type CORSConfiguration struct {
 
 func (x *CORSConfiguration) Reset() {
 	*x = CORSConfiguration{}
-	mi := &file_s3_proto_msgTypes[5]
+	mi := &file_s3_proto_msgTypes[3]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -310,7 +231,7 @@ func (x *CORSConfiguration) String() string {
 func (*CORSConfiguration) ProtoMessage() {}
 
 func (x *CORSConfiguration) ProtoReflect() protoreflect.Message {
-	mi := &file_s3_proto_msgTypes[5]
+	mi := &file_s3_proto_msgTypes[3]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -323,7 +244,7 @@ func (x *CORSConfiguration) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use CORSConfiguration.ProtoReflect.Descriptor instead.
 func (*CORSConfiguration) Descriptor() ([]byte, []int) {
-	return file_s3_proto_rawDescGZIP(), []int{5}
+	return file_s3_proto_rawDescGZIP(), []int{3}
 }
 
 func (x *CORSConfiguration) GetCorsRules() []*CORSRule {
@@ -344,7 +265,7 @@ type BucketMetadata struct {
 
 func (x *BucketMetadata) Reset() {
 	*x = BucketMetadata{}
-	mi := &file_s3_proto_msgTypes[6]
+	mi := &file_s3_proto_msgTypes[4]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -356,7 +277,7 @@ func (x *BucketMetadata) String() string {
 func (*BucketMetadata) ProtoMessage() {}
 
 func (x *BucketMetadata) ProtoReflect() protoreflect.Message {
-	mi := &file_s3_proto_msgTypes[6]
+	mi := &file_s3_proto_msgTypes[4]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -369,7 +290,7 @@ func (x *BucketMetadata) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use BucketMetadata.ProtoReflect.Descriptor instead.
 func (*BucketMetadata) Descriptor() ([]byte, []int) {
-	return file_s3_proto_rawDescGZIP(), []int{6}
+	return file_s3_proto_rawDescGZIP(), []int{4}
 }
 
 func (x *BucketMetadata) GetTags() map[string]string {
@@ -404,7 +325,7 @@ type EncryptionConfiguration struct {
 
 func (x *EncryptionConfiguration) Reset() {
 	*x = EncryptionConfiguration{}
-	mi := &file_s3_proto_msgTypes[7]
+	mi := &file_s3_proto_msgTypes[5]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -416,7 +337,7 @@ func (x *EncryptionConfiguration) String() string {
 func (*EncryptionConfiguration) ProtoMessage() {}
 
 func (x *EncryptionConfiguration) ProtoReflect() protoreflect.Message {
-	mi := &file_s3_proto_msgTypes[7]
+	mi := &file_s3_proto_msgTypes[5]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -429,7 +350,7 @@ func (x *EncryptionConfiguration) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use EncryptionConfiguration.ProtoReflect.Descriptor instead.
 func (*EncryptionConfiguration) Descriptor() ([]byte, []int) {
-	return file_s3_proto_rawDescGZIP(), []int{7}
+	return file_s3_proto_rawDescGZIP(), []int{5}
 }
 
 func (x *EncryptionConfiguration) GetSseAlgorithm() string {
@@ -457,10 +378,7 @@ var File_s3_proto protoreflect.FileDescriptor
 
 const file_s3_proto_rawDesc = "" +
 	"\n" +
-	"\bs3.proto\x12\fmessaging_pb\"W\n" +
-	"\x12S3ConfigureRequest\x12A\n" +
-	"\x1ds3_configuration_file_content\x18\x01 \x01(\fR\x1as3ConfigurationFileContent\"\x15\n" +
-	"\x13S3ConfigureResponse\"\x87\x02\n" +
+	"\bs3.proto\x12\fmessaging_pb\x1a\tiam.proto\"\x87\x02\n" +
 	"\x16S3CircuitBreakerConfig\x12=\n" +
 	"\x06global\x18\x01 \x01(\v2%.messaging_pb.S3CircuitBreakerOptionsR\x06global\x12K\n" +
 	"\abuckets\x18\x02 \x03(\v21.messaging_pb.S3CircuitBreakerConfig.BucketsEntryR\abuckets\x1aa\n" +
@@ -496,9 +414,28 @@ const file_s3_proto_rawDesc = "" +
 	"\rsse_algorithm\x18\x01 \x01(\tR\fsseAlgorithm\x12\x1c\n" +
 	"\n" +
 	"kms_key_id\x18\x02 \x01(\tR\bkmsKeyId\x12,\n" +
-	"\x12bucket_key_enabled\x18\x03 \x01(\bR\x10bucketKeyEnabled2_\n" +
-	"\tSeaweedS3\x12R\n" +
-	"\tConfigure\x12 .messaging_pb.S3ConfigureRequest\x1a!.messaging_pb.S3ConfigureResponse\"\x00BI\n" +
+	"\x12bucket_key_enabled\x18\x03 \x01(\bR\x10bucketKeyEnabled2\xc7\n" +
+	"\n" +
+	"\tSeaweedS3\x12B\n" +
+	"\tListUsers\x12\x18.iam_pb.ListUsersRequest\x1a\x19.iam_pb.ListUsersResponse\"\x00\x12E\n" +
+	"\n" +
+	"CreateUser\x12\x19.iam_pb.CreateUserRequest\x1a\x1a.iam_pb.CreateUserResponse\"\x00\x12<\n" +
+	"\aGetUser\x12\x16.iam_pb.GetUserRequest\x1a\x17.iam_pb.GetUserResponse\"\x00\x12E\n" +
+	"\n" +
+	"UpdateUser\x12\x19.iam_pb.UpdateUserRequest\x1a\x1a.iam_pb.UpdateUserResponse\"\x00\x12E\n" +
+	"\n" +
+	"DeleteUser\x12\x19.iam_pb.DeleteUserRequest\x1a\x1a.iam_pb.DeleteUserResponse\"\x00\x12Q\n" +
+	"\x0eListAccessKeys\x12\x1d.iam_pb.ListAccessKeysRequest\x1a\x1e.iam_pb.ListAccessKeysResponse\"\x00\x12T\n" +
+	"\x0fCreateAccessKey\x12\x1e.iam_pb.CreateAccessKeyRequest\x1a\x1f.iam_pb.CreateAccessKeyResponse\"\x00\x12T\n" +
+	"\x0fDeleteAccessKey\x12\x1e.iam_pb.DeleteAccessKeyRequest\x1a\x1f.iam_pb.DeleteAccessKeyResponse\"\x00\x12N\n" +
+	"\rPutUserPolicy\x12\x1c.iam_pb.PutUserPolicyRequest\x1a\x1d.iam_pb.PutUserPolicyResponse\"\x00\x12N\n" +
+	"\rGetUserPolicy\x12\x1c.iam_pb.GetUserPolicyRequest\x1a\x1d.iam_pb.GetUserPolicyResponse\"\x00\x12W\n" +
+	"\x10DeleteUserPolicy\x12\x1f.iam_pb.DeleteUserPolicyRequest\x1a .iam_pb.DeleteUserPolicyResponse\"\x00\x12`\n" +
+	"\x13ListServiceAccounts\x12\".iam_pb.ListServiceAccountsRequest\x1a#.iam_pb.ListServiceAccountsResponse\"\x00\x12c\n" +
+	"\x14CreateServiceAccount\x12#.iam_pb.CreateServiceAccountRequest\x1a$.iam_pb.CreateServiceAccountResponse\"\x00\x12c\n" +
+	"\x14UpdateServiceAccount\x12#.iam_pb.UpdateServiceAccountRequest\x1a$.iam_pb.UpdateServiceAccountResponse\"\x00\x12c\n" +
+	"\x14DeleteServiceAccount\x12#.iam_pb.DeleteServiceAccountRequest\x1a$.iam_pb.DeleteServiceAccountResponse\"\x00\x12Z\n" +
+	"\x11GetServiceAccount\x12 .iam_pb.GetServiceAccountRequest\x1a!.iam_pb.GetServiceAccountResponse\"\x00BI\n" +
 	"\x10seaweedfs.clientB\aS3ProtoZ,github.com/seaweedfs/seaweedfs/weed/pb/s3_pbb\x06proto3"
 
 var (
@@ -513,33 +450,93 @@ func file_s3_proto_rawDescGZIP() []byte {
 	return file_s3_proto_rawDescData
 }
 
-var file_s3_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_s3_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_s3_proto_goTypes = []any{
-	(*S3ConfigureRequest)(nil),      // 0: messaging_pb.S3ConfigureRequest
-	(*S3ConfigureResponse)(nil),     // 1: messaging_pb.S3ConfigureResponse
-	(*S3CircuitBreakerConfig)(nil),  // 2: messaging_pb.S3CircuitBreakerConfig
-	(*S3CircuitBreakerOptions)(nil), // 3: messaging_pb.S3CircuitBreakerOptions
-	(*CORSRule)(nil),                // 4: messaging_pb.CORSRule
-	(*CORSConfiguration)(nil),       // 5: messaging_pb.CORSConfiguration
-	(*BucketMetadata)(nil),          // 6: messaging_pb.BucketMetadata
-	(*EncryptionConfiguration)(nil), // 7: messaging_pb.EncryptionConfiguration
-	nil,                             // 8: messaging_pb.S3CircuitBreakerConfig.BucketsEntry
-	nil,                             // 9: messaging_pb.S3CircuitBreakerOptions.ActionsEntry
-	nil,                             // 10: messaging_pb.BucketMetadata.TagsEntry
+	(*S3CircuitBreakerConfig)(nil),              // 0: messaging_pb.S3CircuitBreakerConfig
+	(*S3CircuitBreakerOptions)(nil),             // 1: messaging_pb.S3CircuitBreakerOptions
+	(*CORSRule)(nil),                            // 2: messaging_pb.CORSRule
+	(*CORSConfiguration)(nil),                   // 3: messaging_pb.CORSConfiguration
+	(*BucketMetadata)(nil),                      // 4: messaging_pb.BucketMetadata
+	(*EncryptionConfiguration)(nil),             // 5: messaging_pb.EncryptionConfiguration
+	nil,                                         // 6: messaging_pb.S3CircuitBreakerConfig.BucketsEntry
+	nil,                                         // 7: messaging_pb.S3CircuitBreakerOptions.ActionsEntry
+	nil,                                         // 8: messaging_pb.BucketMetadata.TagsEntry
+	(*iam_pb.ListUsersRequest)(nil),             // 9: iam_pb.ListUsersRequest
+	(*iam_pb.CreateUserRequest)(nil),            // 10: iam_pb.CreateUserRequest
+	(*iam_pb.GetUserRequest)(nil),               // 11: iam_pb.GetUserRequest
+	(*iam_pb.UpdateUserRequest)(nil),            // 12: iam_pb.UpdateUserRequest
+	(*iam_pb.DeleteUserRequest)(nil),            // 13: iam_pb.DeleteUserRequest
+	(*iam_pb.ListAccessKeysRequest)(nil),        // 14: iam_pb.ListAccessKeysRequest
+	(*iam_pb.CreateAccessKeyRequest)(nil),       // 15: iam_pb.CreateAccessKeyRequest
+	(*iam_pb.DeleteAccessKeyRequest)(nil),       // 16: iam_pb.DeleteAccessKeyRequest
+	(*iam_pb.PutUserPolicyRequest)(nil),         // 17: iam_pb.PutUserPolicyRequest
+	(*iam_pb.GetUserPolicyRequest)(nil),         // 18: iam_pb.GetUserPolicyRequest
+	(*iam_pb.DeleteUserPolicyRequest)(nil),      // 19: iam_pb.DeleteUserPolicyRequest
+	(*iam_pb.ListServiceAccountsRequest)(nil),   // 20: iam_pb.ListServiceAccountsRequest
+	(*iam_pb.CreateServiceAccountRequest)(nil),  // 21: iam_pb.CreateServiceAccountRequest
+	(*iam_pb.UpdateServiceAccountRequest)(nil),  // 22: iam_pb.UpdateServiceAccountRequest
+	(*iam_pb.DeleteServiceAccountRequest)(nil),  // 23: iam_pb.DeleteServiceAccountRequest
+	(*iam_pb.GetServiceAccountRequest)(nil),     // 24: iam_pb.GetServiceAccountRequest
+	(*iam_pb.ListUsersResponse)(nil),            // 25: iam_pb.ListUsersResponse
+	(*iam_pb.CreateUserResponse)(nil),           // 26: iam_pb.CreateUserResponse
+	(*iam_pb.GetUserResponse)(nil),              // 27: iam_pb.GetUserResponse
+	(*iam_pb.UpdateUserResponse)(nil),           // 28: iam_pb.UpdateUserResponse
+	(*iam_pb.DeleteUserResponse)(nil),           // 29: iam_pb.DeleteUserResponse
+	(*iam_pb.ListAccessKeysResponse)(nil),       // 30: iam_pb.ListAccessKeysResponse
+	(*iam_pb.CreateAccessKeyResponse)(nil),      // 31: iam_pb.CreateAccessKeyResponse
+	(*iam_pb.DeleteAccessKeyResponse)(nil),      // 32: iam_pb.DeleteAccessKeyResponse
+	(*iam_pb.PutUserPolicyResponse)(nil),        // 33: iam_pb.PutUserPolicyResponse
+	(*iam_pb.GetUserPolicyResponse)(nil),        // 34: iam_pb.GetUserPolicyResponse
+	(*iam_pb.DeleteUserPolicyResponse)(nil),     // 35: iam_pb.DeleteUserPolicyResponse
+	(*iam_pb.ListServiceAccountsResponse)(nil),  // 36: iam_pb.ListServiceAccountsResponse
+	(*iam_pb.CreateServiceAccountResponse)(nil), // 37: iam_pb.CreateServiceAccountResponse
+	(*iam_pb.UpdateServiceAccountResponse)(nil), // 38: iam_pb.UpdateServiceAccountResponse
+	(*iam_pb.DeleteServiceAccountResponse)(nil), // 39: iam_pb.DeleteServiceAccountResponse
+	(*iam_pb.GetServiceAccountResponse)(nil),    // 40: iam_pb.GetServiceAccountResponse
 }
 var file_s3_proto_depIdxs = []int32{
-	3,  // 0: messaging_pb.S3CircuitBreakerConfig.global:type_name -> messaging_pb.S3CircuitBreakerOptions
-	8,  // 1: messaging_pb.S3CircuitBreakerConfig.buckets:type_name -> messaging_pb.S3CircuitBreakerConfig.BucketsEntry
-	9,  // 2: messaging_pb.S3CircuitBreakerOptions.actions:type_name -> messaging_pb.S3CircuitBreakerOptions.ActionsEntry
-	4,  // 3: messaging_pb.CORSConfiguration.cors_rules:type_name -> messaging_pb.CORSRule
-	10, // 4: messaging_pb.BucketMetadata.tags:type_name -> messaging_pb.BucketMetadata.TagsEntry
-	5,  // 5: messaging_pb.BucketMetadata.cors:type_name -> messaging_pb.CORSConfiguration
-	7,  // 6: messaging_pb.BucketMetadata.encryption:type_name -> messaging_pb.EncryptionConfiguration
-	3,  // 7: messaging_pb.S3CircuitBreakerConfig.BucketsEntry.value:type_name -> messaging_pb.S3CircuitBreakerOptions
-	0,  // 8: messaging_pb.SeaweedS3.Configure:input_type -> messaging_pb.S3ConfigureRequest
-	1,  // 9: messaging_pb.SeaweedS3.Configure:output_type -> messaging_pb.S3ConfigureResponse
-	9,  // [9:10] is the sub-list for method output_type
-	8,  // [8:9] is the sub-list for method input_type
+	1,  // 0: messaging_pb.S3CircuitBreakerConfig.global:type_name -> messaging_pb.S3CircuitBreakerOptions
+	6,  // 1: messaging_pb.S3CircuitBreakerConfig.buckets:type_name -> messaging_pb.S3CircuitBreakerConfig.BucketsEntry
+	7,  // 2: messaging_pb.S3CircuitBreakerOptions.actions:type_name -> messaging_pb.S3CircuitBreakerOptions.ActionsEntry
+	2,  // 3: messaging_pb.CORSConfiguration.cors_rules:type_name -> messaging_pb.CORSRule
+	8,  // 4: messaging_pb.BucketMetadata.tags:type_name -> messaging_pb.BucketMetadata.TagsEntry
+	3,  // 5: messaging_pb.BucketMetadata.cors:type_name -> messaging_pb.CORSConfiguration
+	5,  // 6: messaging_pb.BucketMetadata.encryption:type_name -> messaging_pb.EncryptionConfiguration
+	1,  // 7: messaging_pb.S3CircuitBreakerConfig.BucketsEntry.value:type_name -> messaging_pb.S3CircuitBreakerOptions
+	9,  // 8: messaging_pb.SeaweedS3.ListUsers:input_type -> iam_pb.ListUsersRequest
+	10, // 9: messaging_pb.SeaweedS3.CreateUser:input_type -> iam_pb.CreateUserRequest
+	11, // 10: messaging_pb.SeaweedS3.GetUser:input_type -> iam_pb.GetUserRequest
+	12, // 11: messaging_pb.SeaweedS3.UpdateUser:input_type -> iam_pb.UpdateUserRequest
+	13, // 12: messaging_pb.SeaweedS3.DeleteUser:input_type -> iam_pb.DeleteUserRequest
+	14, // 13: messaging_pb.SeaweedS3.ListAccessKeys:input_type -> iam_pb.ListAccessKeysRequest
+	15, // 14: messaging_pb.SeaweedS3.CreateAccessKey:input_type -> iam_pb.CreateAccessKeyRequest
+	16, // 15: messaging_pb.SeaweedS3.DeleteAccessKey:input_type -> iam_pb.DeleteAccessKeyRequest
+	17, // 16: messaging_pb.SeaweedS3.PutUserPolicy:input_type -> iam_pb.PutUserPolicyRequest
+	18, // 17: messaging_pb.SeaweedS3.GetUserPolicy:input_type -> iam_pb.GetUserPolicyRequest
+	19, // 18: messaging_pb.SeaweedS3.DeleteUserPolicy:input_type -> iam_pb.DeleteUserPolicyRequest
+	20, // 19: messaging_pb.SeaweedS3.ListServiceAccounts:input_type -> iam_pb.ListServiceAccountsRequest
+	21, // 20: messaging_pb.SeaweedS3.CreateServiceAccount:input_type -> iam_pb.CreateServiceAccountRequest
+	22, // 21: messaging_pb.SeaweedS3.UpdateServiceAccount:input_type -> iam_pb.UpdateServiceAccountRequest
+	23, // 22: messaging_pb.SeaweedS3.DeleteServiceAccount:input_type -> iam_pb.DeleteServiceAccountRequest
+	24, // 23: messaging_pb.SeaweedS3.GetServiceAccount:input_type -> iam_pb.GetServiceAccountRequest
+	25, // 24: messaging_pb.SeaweedS3.ListUsers:output_type -> iam_pb.ListUsersResponse
+	26, // 25: messaging_pb.SeaweedS3.CreateUser:output_type -> iam_pb.CreateUserResponse
+	27, // 26: messaging_pb.SeaweedS3.GetUser:output_type -> iam_pb.GetUserResponse
+	28, // 27: messaging_pb.SeaweedS3.UpdateUser:output_type -> iam_pb.UpdateUserResponse
+	29, // 28: messaging_pb.SeaweedS3.DeleteUser:output_type -> iam_pb.DeleteUserResponse
+	30, // 29: messaging_pb.SeaweedS3.ListAccessKeys:output_type -> iam_pb.ListAccessKeysResponse
+	31, // 30: messaging_pb.SeaweedS3.CreateAccessKey:output_type -> iam_pb.CreateAccessKeyResponse
+	32, // 31: messaging_pb.SeaweedS3.DeleteAccessKey:output_type -> iam_pb.DeleteAccessKeyResponse
+	33, // 32: messaging_pb.SeaweedS3.PutUserPolicy:output_type -> iam_pb.PutUserPolicyResponse
+	34, // 33: messaging_pb.SeaweedS3.GetUserPolicy:output_type -> iam_pb.GetUserPolicyResponse
+	35, // 34: messaging_pb.SeaweedS3.DeleteUserPolicy:output_type -> iam_pb.DeleteUserPolicyResponse
+	36, // 35: messaging_pb.SeaweedS3.ListServiceAccounts:output_type -> iam_pb.ListServiceAccountsResponse
+	37, // 36: messaging_pb.SeaweedS3.CreateServiceAccount:output_type -> iam_pb.CreateServiceAccountResponse
+	38, // 37: messaging_pb.SeaweedS3.UpdateServiceAccount:output_type -> iam_pb.UpdateServiceAccountResponse
+	39, // 38: messaging_pb.SeaweedS3.DeleteServiceAccount:output_type -> iam_pb.DeleteServiceAccountResponse
+	40, // 39: messaging_pb.SeaweedS3.GetServiceAccount:output_type -> iam_pb.GetServiceAccountResponse
+	24, // [24:40] is the sub-list for method output_type
+	8,  // [8:24] is the sub-list for method input_type
 	8,  // [8:8] is the sub-list for extension type_name
 	8,  // [8:8] is the sub-list for extension extendee
 	0,  // [0:8] is the sub-list for field type_name
@@ -556,7 +553,7 @@ func file_s3_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_s3_proto_rawDesc), len(file_s3_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   11,
+			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

weed/pb/s3_pb/s3_grpc.pb.go

@@ -8,6 +8,7 @@ package s3_pb
 
 import (
 	context "context"
+	iam_pb "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -19,14 +20,45 @@ import (
 const _ = grpc.SupportPackageIsVersion9
 
 const (
-	SeaweedS3_Configure_FullMethodName = "/messaging_pb.SeaweedS3/Configure"
+	SeaweedS3_ListUsers_FullMethodName            = "/messaging_pb.SeaweedS3/ListUsers"
+	SeaweedS3_CreateUser_FullMethodName           = "/messaging_pb.SeaweedS3/CreateUser"
+	SeaweedS3_GetUser_FullMethodName              = "/messaging_pb.SeaweedS3/GetUser"
+	SeaweedS3_UpdateUser_FullMethodName           = "/messaging_pb.SeaweedS3/UpdateUser"
+	SeaweedS3_DeleteUser_FullMethodName           = "/messaging_pb.SeaweedS3/DeleteUser"
+	SeaweedS3_ListAccessKeys_FullMethodName       = "/messaging_pb.SeaweedS3/ListAccessKeys"
+	SeaweedS3_CreateAccessKey_FullMethodName      = "/messaging_pb.SeaweedS3/CreateAccessKey"
+	SeaweedS3_DeleteAccessKey_FullMethodName      = "/messaging_pb.SeaweedS3/DeleteAccessKey"
+	SeaweedS3_PutUserPolicy_FullMethodName        = "/messaging_pb.SeaweedS3/PutUserPolicy"
+	SeaweedS3_GetUserPolicy_FullMethodName        = "/messaging_pb.SeaweedS3/GetUserPolicy"
+	SeaweedS3_DeleteUserPolicy_FullMethodName     = "/messaging_pb.SeaweedS3/DeleteUserPolicy"
+	SeaweedS3_ListServiceAccounts_FullMethodName  = "/messaging_pb.SeaweedS3/ListServiceAccounts"
+	SeaweedS3_CreateServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/CreateServiceAccount"
+	SeaweedS3_UpdateServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/UpdateServiceAccount"
+	SeaweedS3_DeleteServiceAccount_FullMethodName = "/messaging_pb.SeaweedS3/DeleteServiceAccount"
+	SeaweedS3_GetServiceAccount_FullMethodName    = "/messaging_pb.SeaweedS3/GetServiceAccount"
 )
 
 // SeaweedS3Client is the client API for SeaweedS3 service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type SeaweedS3Client interface {
-	Configure(ctx context.Context, in *S3ConfigureRequest, opts ...grpc.CallOption) (*S3ConfigureResponse, error)
+	// Explicit IAM APIs mirroring SeaweedIdentityAccessManagement
+	ListUsers(ctx context.Context, in *iam_pb.ListUsersRequest, opts ...grpc.CallOption) (*iam_pb.ListUsersResponse, error)
+	CreateUser(ctx context.Context, in *iam_pb.CreateUserRequest, opts ...grpc.CallOption) (*iam_pb.CreateUserResponse, error)
+	GetUser(ctx context.Context, in *iam_pb.GetUserRequest, opts ...grpc.CallOption) (*iam_pb.GetUserResponse, error)
+	UpdateUser(ctx context.Context, in *iam_pb.UpdateUserRequest, opts ...grpc.CallOption) (*iam_pb.UpdateUserResponse, error)
+	DeleteUser(ctx context.Context, in *iam_pb.DeleteUserRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserResponse, error)
+	ListAccessKeys(ctx context.Context, in *iam_pb.ListAccessKeysRequest, opts ...grpc.CallOption) (*iam_pb.ListAccessKeysResponse, error)
+	CreateAccessKey(ctx context.Context, in *iam_pb.CreateAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.CreateAccessKeyResponse, error)
+	DeleteAccessKey(ctx context.Context, in *iam_pb.DeleteAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteAccessKeyResponse, error)
+	PutUserPolicy(ctx context.Context, in *iam_pb.PutUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutUserPolicyResponse, error)
+	GetUserPolicy(ctx context.Context, in *iam_pb.GetUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetUserPolicyResponse, error)
+	DeleteUserPolicy(ctx context.Context, in *iam_pb.DeleteUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserPolicyResponse, error)
+	ListServiceAccounts(ctx context.Context, in *iam_pb.ListServiceAccountsRequest, opts ...grpc.CallOption) (*iam_pb.ListServiceAccountsResponse, error)
+	CreateServiceAccount(ctx context.Context, in *iam_pb.CreateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.CreateServiceAccountResponse, error)
+	UpdateServiceAccount(ctx context.Context, in *iam_pb.UpdateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.UpdateServiceAccountResponse, error)
+	DeleteServiceAccount(ctx context.Context, in *iam_pb.DeleteServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.DeleteServiceAccountResponse, error)
+	GetServiceAccount(ctx context.Context, in *iam_pb.GetServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.GetServiceAccountResponse, error)
 }
 
 type seaweedS3Client struct {
@@ -37,10 +69,160 @@ func NewSeaweedS3Client(cc grpc.ClientConnInterface) SeaweedS3Client {
 	return &seaweedS3Client{cc}
 }
 
-func (c *seaweedS3Client) Configure(ctx context.Context, in *S3ConfigureRequest, opts ...grpc.CallOption) (*S3ConfigureResponse, error) {
+func (c *seaweedS3Client) ListUsers(ctx context.Context, in *iam_pb.ListUsersRequest, opts ...grpc.CallOption) (*iam_pb.ListUsersResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(S3ConfigureResponse)
-	err := c.cc.Invoke(ctx, SeaweedS3_Configure_FullMethodName, in, out, cOpts...)
+	out := new(iam_pb.ListUsersResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_ListUsers_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) CreateUser(ctx context.Context, in *iam_pb.CreateUserRequest, opts ...grpc.CallOption) (*iam_pb.CreateUserResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.CreateUserResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_CreateUser_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) GetUser(ctx context.Context, in *iam_pb.GetUserRequest, opts ...grpc.CallOption) (*iam_pb.GetUserResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.GetUserResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_GetUser_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) UpdateUser(ctx context.Context, in *iam_pb.UpdateUserRequest, opts ...grpc.CallOption) (*iam_pb.UpdateUserResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.UpdateUserResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_UpdateUser_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) DeleteUser(ctx context.Context, in *iam_pb.DeleteUserRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.DeleteUserResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_DeleteUser_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) ListAccessKeys(ctx context.Context, in *iam_pb.ListAccessKeysRequest, opts ...grpc.CallOption) (*iam_pb.ListAccessKeysResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.ListAccessKeysResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_ListAccessKeys_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) CreateAccessKey(ctx context.Context, in *iam_pb.CreateAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.CreateAccessKeyResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.CreateAccessKeyResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_CreateAccessKey_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) DeleteAccessKey(ctx context.Context, in *iam_pb.DeleteAccessKeyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteAccessKeyResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.DeleteAccessKeyResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_DeleteAccessKey_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) PutUserPolicy(ctx context.Context, in *iam_pb.PutUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.PutUserPolicyResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.PutUserPolicyResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_PutUserPolicy_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) GetUserPolicy(ctx context.Context, in *iam_pb.GetUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.GetUserPolicyResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.GetUserPolicyResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_GetUserPolicy_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) DeleteUserPolicy(ctx context.Context, in *iam_pb.DeleteUserPolicyRequest, opts ...grpc.CallOption) (*iam_pb.DeleteUserPolicyResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.DeleteUserPolicyResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_DeleteUserPolicy_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) ListServiceAccounts(ctx context.Context, in *iam_pb.ListServiceAccountsRequest, opts ...grpc.CallOption) (*iam_pb.ListServiceAccountsResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.ListServiceAccountsResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_ListServiceAccounts_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) CreateServiceAccount(ctx context.Context, in *iam_pb.CreateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.CreateServiceAccountResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.CreateServiceAccountResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_CreateServiceAccount_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) UpdateServiceAccount(ctx context.Context, in *iam_pb.UpdateServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.UpdateServiceAccountResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.UpdateServiceAccountResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_UpdateServiceAccount_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) DeleteServiceAccount(ctx context.Context, in *iam_pb.DeleteServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.DeleteServiceAccountResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.DeleteServiceAccountResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_DeleteServiceAccount_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *seaweedS3Client) GetServiceAccount(ctx context.Context, in *iam_pb.GetServiceAccountRequest, opts ...grpc.CallOption) (*iam_pb.GetServiceAccountResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(iam_pb.GetServiceAccountResponse)
+	err := c.cc.Invoke(ctx, SeaweedS3_GetServiceAccount_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -51,7 +233,23 @@ func (c *seaweedS3Client) Configure(ctx context.Context, in *S3ConfigureRequest,
 // All implementations must embed UnimplementedSeaweedS3Server
 // for forward compatibility.
 type SeaweedS3Server interface {
-	Configure(context.Context, *S3ConfigureRequest) (*S3ConfigureResponse, error)
+	// Explicit IAM APIs mirroring SeaweedIdentityAccessManagement
+	ListUsers(context.Context, *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error)
+	CreateUser(context.Context, *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error)
+	GetUser(context.Context, *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error)
+	UpdateUser(context.Context, *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error)
+	DeleteUser(context.Context, *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error)
+	ListAccessKeys(context.Context, *iam_pb.ListAccessKeysRequest) (*iam_pb.ListAccessKeysResponse, error)
+	CreateAccessKey(context.Context, *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error)
+	DeleteAccessKey(context.Context, *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error)
+	PutUserPolicy(context.Context, *iam_pb.PutUserPolicyRequest) (*iam_pb.PutUserPolicyResponse, error)
+	GetUserPolicy(context.Context, *iam_pb.GetUserPolicyRequest) (*iam_pb.GetUserPolicyResponse, error)
+	DeleteUserPolicy(context.Context, *iam_pb.DeleteUserPolicyRequest) (*iam_pb.DeleteUserPolicyResponse, error)
+	ListServiceAccounts(context.Context, *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error)
+	CreateServiceAccount(context.Context, *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error)
+	UpdateServiceAccount(context.Context, *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error)
+	DeleteServiceAccount(context.Context, *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error)
+	GetServiceAccount(context.Context, *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error)
 	mustEmbedUnimplementedSeaweedS3Server()
 }
 
@@ -62,8 +260,53 @@ type SeaweedS3Server interface {
 // pointer dereference when methods are called.
 type UnimplementedSeaweedS3Server struct{}
 
-func (UnimplementedSeaweedS3Server) Configure(context.Context, *S3ConfigureRequest) (*S3ConfigureResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Configure not implemented")
+func (UnimplementedSeaweedS3Server) ListUsers(context.Context, *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListUsers not implemented")
+}
+func (UnimplementedSeaweedS3Server) CreateUser(context.Context, *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateUser not implemented")
+}
+func (UnimplementedSeaweedS3Server) GetUser(context.Context, *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetUser not implemented")
+}
+func (UnimplementedSeaweedS3Server) UpdateUser(context.Context, *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateUser not implemented")
+}
+func (UnimplementedSeaweedS3Server) DeleteUser(context.Context, *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteUser not implemented")
+}
+func (UnimplementedSeaweedS3Server) ListAccessKeys(context.Context, *iam_pb.ListAccessKeysRequest) (*iam_pb.ListAccessKeysResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListAccessKeys not implemented")
+}
+func (UnimplementedSeaweedS3Server) CreateAccessKey(context.Context, *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateAccessKey not implemented")
+}
+func (UnimplementedSeaweedS3Server) DeleteAccessKey(context.Context, *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteAccessKey not implemented")
+}
+func (UnimplementedSeaweedS3Server) PutUserPolicy(context.Context, *iam_pb.PutUserPolicyRequest) (*iam_pb.PutUserPolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method PutUserPolicy not implemented")
+}
+func (UnimplementedSeaweedS3Server) GetUserPolicy(context.Context, *iam_pb.GetUserPolicyRequest) (*iam_pb.GetUserPolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetUserPolicy not implemented")
+}
+func (UnimplementedSeaweedS3Server) DeleteUserPolicy(context.Context, *iam_pb.DeleteUserPolicyRequest) (*iam_pb.DeleteUserPolicyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteUserPolicy not implemented")
+}
+func (UnimplementedSeaweedS3Server) ListServiceAccounts(context.Context, *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListServiceAccounts not implemented")
+}
+func (UnimplementedSeaweedS3Server) CreateServiceAccount(context.Context, *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateServiceAccount not implemented")
+}
+func (UnimplementedSeaweedS3Server) UpdateServiceAccount(context.Context, *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateServiceAccount not implemented")
+}
+func (UnimplementedSeaweedS3Server) DeleteServiceAccount(context.Context, *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteServiceAccount not implemented")
+}
+func (UnimplementedSeaweedS3Server) GetServiceAccount(context.Context, *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetServiceAccount not implemented")
 }
 func (UnimplementedSeaweedS3Server) mustEmbedUnimplementedSeaweedS3Server() {}
 func (UnimplementedSeaweedS3Server) testEmbeddedByValue()                   {}
@@ -86,20 +329,290 @@ func RegisterSeaweedS3Server(s grpc.ServiceRegistrar, srv SeaweedS3Server) {
 	s.RegisterService(&SeaweedS3_ServiceDesc, srv)
 }
 
-func _SeaweedS3_Configure_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(S3ConfigureRequest)
+func _SeaweedS3_ListUsers_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.ListUsersRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(SeaweedS3Server).Configure(ctx, in)
+		return srv.(SeaweedS3Server).ListUsers(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: SeaweedS3_Configure_FullMethodName,
+		FullMethod: SeaweedS3_ListUsers_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(SeaweedS3Server).Configure(ctx, req.(*S3ConfigureRequest))
+		return srv.(SeaweedS3Server).ListUsers(ctx, req.(*iam_pb.ListUsersRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_CreateUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.CreateUserRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).CreateUser(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_CreateUser_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).CreateUser(ctx, req.(*iam_pb.CreateUserRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_GetUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.GetUserRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).GetUser(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_GetUser_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).GetUser(ctx, req.(*iam_pb.GetUserRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_UpdateUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.UpdateUserRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).UpdateUser(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_UpdateUser_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).UpdateUser(ctx, req.(*iam_pb.UpdateUserRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_DeleteUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.DeleteUserRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).DeleteUser(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_DeleteUser_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).DeleteUser(ctx, req.(*iam_pb.DeleteUserRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_ListAccessKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.ListAccessKeysRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).ListAccessKeys(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_ListAccessKeys_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).ListAccessKeys(ctx, req.(*iam_pb.ListAccessKeysRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_CreateAccessKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.CreateAccessKeyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).CreateAccessKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_CreateAccessKey_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).CreateAccessKey(ctx, req.(*iam_pb.CreateAccessKeyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_DeleteAccessKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.DeleteAccessKeyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).DeleteAccessKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_DeleteAccessKey_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).DeleteAccessKey(ctx, req.(*iam_pb.DeleteAccessKeyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_PutUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.PutUserPolicyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).PutUserPolicy(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_PutUserPolicy_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).PutUserPolicy(ctx, req.(*iam_pb.PutUserPolicyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_GetUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.GetUserPolicyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).GetUserPolicy(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_GetUserPolicy_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).GetUserPolicy(ctx, req.(*iam_pb.GetUserPolicyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_DeleteUserPolicy_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.DeleteUserPolicyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).DeleteUserPolicy(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_DeleteUserPolicy_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).DeleteUserPolicy(ctx, req.(*iam_pb.DeleteUserPolicyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_ListServiceAccounts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.ListServiceAccountsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).ListServiceAccounts(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_ListServiceAccounts_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).ListServiceAccounts(ctx, req.(*iam_pb.ListServiceAccountsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_CreateServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.CreateServiceAccountRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).CreateServiceAccount(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_CreateServiceAccount_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).CreateServiceAccount(ctx, req.(*iam_pb.CreateServiceAccountRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_UpdateServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.UpdateServiceAccountRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).UpdateServiceAccount(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_UpdateServiceAccount_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).UpdateServiceAccount(ctx, req.(*iam_pb.UpdateServiceAccountRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_DeleteServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.DeleteServiceAccountRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).DeleteServiceAccount(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_DeleteServiceAccount_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).DeleteServiceAccount(ctx, req.(*iam_pb.DeleteServiceAccountRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SeaweedS3_GetServiceAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(iam_pb.GetServiceAccountRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SeaweedS3Server).GetServiceAccount(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SeaweedS3_GetServiceAccount_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SeaweedS3Server).GetServiceAccount(ctx, req.(*iam_pb.GetServiceAccountRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -112,8 +625,68 @@ var SeaweedS3_ServiceDesc = grpc.ServiceDesc{
 	HandlerType: (*SeaweedS3Server)(nil),
 	Methods: []grpc.MethodDesc{
 		{
-			MethodName: "Configure",
-			Handler:    _SeaweedS3_Configure_Handler,
+			MethodName: "ListUsers",
+			Handler:    _SeaweedS3_ListUsers_Handler,
+		},
+		{
+			MethodName: "CreateUser",
+			Handler:    _SeaweedS3_CreateUser_Handler,
+		},
+		{
+			MethodName: "GetUser",
+			Handler:    _SeaweedS3_GetUser_Handler,
+		},
+		{
+			MethodName: "UpdateUser",
+			Handler:    _SeaweedS3_UpdateUser_Handler,
+		},
+		{
+			MethodName: "DeleteUser",
+			Handler:    _SeaweedS3_DeleteUser_Handler,
+		},
+		{
+			MethodName: "ListAccessKeys",
+			Handler:    _SeaweedS3_ListAccessKeys_Handler,
+		},
+		{
+			MethodName: "CreateAccessKey",
+			Handler:    _SeaweedS3_CreateAccessKey_Handler,
+		},
+		{
+			MethodName: "DeleteAccessKey",
+			Handler:    _SeaweedS3_DeleteAccessKey_Handler,
+		},
+		{
+			MethodName: "PutUserPolicy",
+			Handler:    _SeaweedS3_PutUserPolicy_Handler,
+		},
+		{
+			MethodName: "GetUserPolicy",
+			Handler:    _SeaweedS3_GetUserPolicy_Handler,
+		},
+		{
+			MethodName: "DeleteUserPolicy",
+			Handler:    _SeaweedS3_DeleteUserPolicy_Handler,
+		},
+		{
+			MethodName: "ListServiceAccounts",
+			Handler:    _SeaweedS3_ListServiceAccounts_Handler,
+		},
+		{
+			MethodName: "CreateServiceAccount",
+			Handler:    _SeaweedS3_CreateServiceAccount_Handler,
+		},
+		{
+			MethodName: "UpdateServiceAccount",
+			Handler:    _SeaweedS3_UpdateServiceAccount_Handler,
+		},
+		{
+			MethodName: "DeleteServiceAccount",
+			Handler:    _SeaweedS3_DeleteServiceAccount_Handler,
+		},
+		{
+			MethodName: "GetServiceAccount",
+			Handler:    _SeaweedS3_GetServiceAccount_Handler,
 		},
 	},
 	Streams:  []grpc.StreamDesc{},

weed/s3api/auth_credentials.go

@@ -3,6 +3,7 @@ package s3api
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -346,7 +347,23 @@ func (iam *IdentityAccessManagement) loadEnvironmentVariableCredentials() {
 	}
 }
 
-func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) error {
+func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
+	// Try to load configuration with retries to handle transient connectivity issues during startup
+	for i := 0; i < 10; i++ {
+		err = iam.doLoadS3ApiConfigurationFromFiler(option)
+		if err == nil {
+			return nil
+		}
+		if errors.Is(err, filer_pb.ErrNotFound) {
+			return err
+		}
+		glog.Warningf("fail to load config from filer (attempt %d/10): %v", i+1, err)
+		time.Sleep(2 * time.Second)
+	}
+	return err
+}
+
+func (iam *IdentityAccessManagement) doLoadS3ApiConfigurationFromFiler(option *S3ApiServerOption) error {
 	return iam.LoadS3ApiConfigurationFromCredentialManager()
 }
 

weed/s3api/s3_sse_s3.go

@@ -16,6 +16,7 @@ import (
 	"os"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
@@ -278,26 +279,27 @@ func (km *SSES3KeyManager) InitializeWithFiler(filerClient filer_pb.FilerClient)
 
 	km.filerClient = filerClient
 
-	// Try to load existing KEK from filer
-	if err := km.loadSuperKeyFromFiler(); err != nil {
-		// Only generate a new key if it does not exist.
-		// For other errors (e.g. connectivity), we should fail fast to prevent creating a new key
-		// and making existing data undecryptable.
+	// Try to load existing KEK from filer with retries to handle transient connectivity issues during startup
+	var err error
+	for i := 0; i < 10; i++ {
+		err = km.loadSuperKeyFromFiler()
+		if err == nil {
+			glog.V(1).Infof("SSE-S3 KeyManager: Loaded KEK from filer %s", km.kekPath)
+			return nil
+		}
 		if errors.Is(err, filer_pb.ErrNotFound) {
 			glog.V(1).Infof("SSE-S3 KeyManager: KEK not found, generating new KEK (load from filer %s: %v)", km.kekPath, err)
 			if genErr := km.generateAndSaveSuperKeyToFiler(); genErr != nil {
 				return fmt.Errorf("failed to generate and save SSE-S3 super key: %w", genErr)
 			}
-		} else {
-			// A different error occurred (e.g., network issue, permission denied).
-			// Return the error to prevent starting with a broken state.
-			return fmt.Errorf("failed to load SSE-S3 super key from %s: %w", km.kekPath, err)
+			return nil
 		}
-	} else {
-		glog.V(1).Infof("SSE-S3 KeyManager: Loaded KEK from filer %s", km.kekPath)
+		glog.Warningf("SSE-S3 KeyManager: failed to load KEK (attempt %d/10): %v", i+1, err)
+		time.Sleep(2 * time.Second)
 	}
 
-	return nil
+	// If we're here, all retries failed
+	return fmt.Errorf("failed to load SSE-S3 super key from %s after 10 attempts: %w", km.kekPath, err)
 }
 
 // loadSuperKeyFromFiler loads the KEK from the filer

weed/s3api/s3api_embedded_iam.go

@@ -34,6 +34,10 @@ type EmbeddedIamApi struct {
 	credentialManager *credential.CredentialManager
 	iam               *IdentityAccessManagement
 	policyLock        sync.RWMutex
+	// Test hook
+	getS3ApiConfigurationFunc func(*iam_pb.S3ApiConfiguration) error
+	putS3ApiConfigurationFunc func(*iam_pb.S3ApiConfiguration) error
+	reloadConfigurationFunc   func() error
 }
 
 // NewEmbeddedIamApi creates a new embedded IAM API handler.
@@ -165,6 +169,9 @@ func (e *EmbeddedIamApi) writeIamErrorResponse(w http.ResponseWriter, r *http.Re
 
 // GetS3ApiConfiguration loads the S3 API configuration from the credential manager.
 func (e *EmbeddedIamApi) GetS3ApiConfiguration(s3cfg *iam_pb.S3ApiConfiguration) error {
+	if e.getS3ApiConfigurationFunc != nil {
+		return e.getS3ApiConfigurationFunc(s3cfg)
+	}
 	config, err := e.credentialManager.LoadConfiguration(context.Background())
 	if err != nil {
 		return fmt.Errorf("failed to load configuration: %w", err)
@@ -175,9 +182,20 @@ func (e *EmbeddedIamApi) GetS3ApiConfiguration(s3cfg *iam_pb.S3ApiConfiguration)
 
 // PutS3ApiConfiguration saves the S3 API configuration to the credential manager.
 func (e *EmbeddedIamApi) PutS3ApiConfiguration(s3cfg *iam_pb.S3ApiConfiguration) error {
+	if e.putS3ApiConfigurationFunc != nil {
+		return e.putS3ApiConfigurationFunc(s3cfg)
+	}
 	return e.credentialManager.SaveConfiguration(context.Background(), s3cfg)
 }
 
+// ReloadConfiguration reloads the IAM configuration from the credential manager.
+func (e *EmbeddedIamApi) ReloadConfiguration() error {
+	if e.reloadConfigurationFunc != nil {
+		return e.reloadConfigurationFunc()
+	}
+	return e.iam.LoadS3ApiConfigurationFromCredentialManager()
+}
+
 // ListUsers lists all IAM users.
 func (e *EmbeddedIamApi) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) iamListUsersResponse {
 	var resp iamListUsersResponse
@@ -1024,79 +1042,66 @@ func (e *EmbeddedIamApi) AuthIam(f http.HandlerFunc, _ Action) http.HandlerFunc
 	}
 }
 
-// DoActions handles IAM API actions.
-func (e *EmbeddedIamApi) DoActions(w http.ResponseWriter, r *http.Request) {
+// ExecuteAction executes an IAM action with the given values.
+func (e *EmbeddedIamApi) ExecuteAction(values url.Values) (interface{}, *iamError) {
 	// Lock to prevent concurrent read-modify-write race conditions
 	e.policyLock.Lock()
 	defer e.policyLock.Unlock()
 
-	if err := r.ParseForm(); err != nil {
-		s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
-		return
-	}
-	values := r.PostForm
 	s3cfg := &iam_pb.S3ApiConfiguration{}
 	if err := e.GetS3ApiConfiguration(s3cfg); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
-		s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
-		return
+		return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrInternalError).Code, Error: fmt.Errorf("failed to get s3 api configuration: %v", err)}
 	}
 
-	glog.V(4).Infof("IAM DoActions: %+v", values)
+	glog.V(4).Infof("IAM ExecuteAction: %+v", values)
 	var response interface{}
 	var iamErr *iamError
 	changed := true
-	switch r.Form.Get("Action") {
+	switch values.Get("Action") {
 	case "ListUsers":
 		response = e.ListUsers(s3cfg, values)
 		changed = false
 	case "ListAccessKeys":
-		e.handleImplicitUsername(r, values)
+		// Note: handleImplicitUsername requires request context which we don't have here for gRPC
+		// gRPC callers must provide UserName explicitly
 		response = e.ListAccessKeys(s3cfg, values)
 		changed = false
 	case "CreateUser":
 		response, iamErr = e.CreateUser(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "GetUser":
 		userName := values.Get("UserName")
 		response, iamErr = e.GetUser(s3cfg, userName)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 		changed = false
 	case "UpdateUser":
 		response, iamErr = e.UpdateUser(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "DeleteUser":
 		userName := values.Get("UserName")
 		response, iamErr = e.DeleteUser(s3cfg, userName)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "CreateAccessKey":
-		e.handleImplicitUsername(r, values)
 		response, iamErr = e.CreateAccessKey(s3cfg, values)
 		if iamErr != nil {
 			glog.Errorf("CreateAccessKey: %+v", iamErr.Error)
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "DeleteAccessKey":
-		e.handleImplicitUsername(r, values)
 		response = e.DeleteAccessKey(s3cfg, values)
 	case "CreatePolicy":
 		response, iamErr = e.CreatePolicy(s3cfg, values)
 		if iamErr != nil {
 			glog.Errorf("CreatePolicy: %+v", iamErr.Error)
-			s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
-			return
+			return nil, iamErr
 		}
 	case "DeletePolicy":
 		// Managed policies are not stored separately, so deletion is a no-op.
@@ -1107,48 +1112,40 @@ func (e *EmbeddedIamApi) DoActions(w http.ResponseWriter, r *http.Request) {
 		response, iamErr = e.PutUserPolicy(s3cfg, values)
 		if iamErr != nil {
 			glog.Errorf("PutUserPolicy: %+v", iamErr.Error)
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "GetUserPolicy":
 		response, iamErr = e.GetUserPolicy(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 		changed = false
 	case "DeleteUserPolicy":
 		response, iamErr = e.DeleteUserPolicy(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "SetUserStatus":
 		response, iamErr = e.SetUserStatus(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "UpdateAccessKey":
-		e.handleImplicitUsername(r, values)
 		response, iamErr = e.UpdateAccessKey(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	// Service Account actions
 	case "CreateServiceAccount":
-		createdBy := s3_constants.GetIdentityNameFromContext(r)
+		createdBy := values.Get("CreatedBy")
 		response, iamErr = e.CreateServiceAccount(s3cfg, values, createdBy)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "DeleteServiceAccount":
 		response, iamErr = e.DeleteServiceAccount(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	case "ListServiceAccounts":
 		response = e.ListServiceAccounts(s3cfg, values)
@@ -1156,37 +1153,55 @@ func (e *EmbeddedIamApi) DoActions(w http.ResponseWriter, r *http.Request) {
 	case "GetServiceAccount":
 		response, iamErr = e.GetServiceAccount(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 		changed = false
 	case "UpdateServiceAccount":
 		response, iamErr = e.UpdateServiceAccount(s3cfg, values)
 		if iamErr != nil {
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 	default:
-		errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented)
-		errorResponse := iamErrorResponse{}
-		errorResponse.Error.Code = &errNotImplemented.Code
-		errorResponse.Error.Message = &errNotImplemented.Description
-		s3err.WriteXMLResponse(w, r, errNotImplemented.HTTPStatusCode, errorResponse)
-		return
+		return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrNotImplemented).Code, Error: errors.New(s3err.GetAPIError(s3err.ErrNotImplemented).Description)}
 	}
 	if changed {
 		if err := e.PutS3ApiConfiguration(s3cfg); err != nil {
 			iamErr = &iamError{Code: iam.ErrCodeServiceFailureException, Error: err}
-			e.writeIamErrorResponse(w, r, iamErr)
-			return
+			return nil, iamErr
 		}
 		// Reload in-memory identity maps so subsequent LookupByAccessKey calls
 		// can see newly created or deleted keys immediately
-		if err := e.iam.LoadS3ApiConfigurationFromCredentialManager(); err != nil {
-			glog.Warningf("Failed to reload IAM configuration after mutation: %v", err)
+		if err := e.ReloadConfiguration(); err != nil {
+			glog.Errorf("Failed to reload IAM configuration after mutation: %v", err)
 			// Don't fail the request since the persistent save succeeded
 		}
 	}
+	return response, nil
+}
+
+// DoActions handles IAM API actions.
+func (e *EmbeddedIamApi) DoActions(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
+		return
+	}
+	values := r.PostForm
+
+	// Handle implicit username for HTTP requests
+	switch r.Form.Get("Action") {
+	case "ListAccessKeys", "CreateAccessKey", "DeleteAccessKey", "UpdateAccessKey":
+		e.handleImplicitUsername(r, values)
+	case "CreateServiceAccount":
+		createdBy := s3_constants.GetIdentityNameFromContext(r)
+		values.Set("CreatedBy", createdBy)
+	}
+
+	response, iamErr := e.ExecuteAction(values)
+	if iamErr != nil {
+		e.writeIamErrorResponse(w, r, iamErr)
+		return
+	}
+
 	// Set RequestId for AWS compatibility
 	if r, ok := response.(interface{ SetRequestId() }); ok {
 		r.SetRequestId()

weed/s3api/s3api_embedded_iam_test.go

@@ -36,6 +36,20 @@ func NewEmbeddedIamApiForTest() *EmbeddedIamApiForTest {
 		},
 		mockConfig: &iam_pb.S3ApiConfiguration{},
 	}
+	e.getS3ApiConfigurationFunc = func(s3cfg *iam_pb.S3ApiConfiguration) error {
+		if e.mockConfig != nil {
+			cloned := proto.Clone(e.mockConfig).(*iam_pb.S3ApiConfiguration)
+			proto.Merge(s3cfg, cloned)
+		}
+		return nil
+	}
+	e.putS3ApiConfigurationFunc = func(s3cfg *iam_pb.S3ApiConfiguration) error {
+		e.mockConfig = proto.Clone(s3cfg).(*iam_pb.S3ApiConfiguration)
+		return nil
+	}
+	e.reloadConfigurationFunc = func() error {
+		return nil
+	}
 	return e
 }
 
@@ -1661,3 +1675,31 @@ func TestOldCodeOrderWouldFail(t *testing.T) {
 
 	t.Log("This demonstrates the bug: ParseForm before auth causes SignatureDoesNotMatch")
 }
+
+// TestEmbeddedIamExecuteAction tests calling ExecuteAction directly
+func TestEmbeddedIamExecuteAction(t *testing.T) {
+	api := NewEmbeddedIamApiForTest()
+	api.mockConfig = &iam_pb.S3ApiConfiguration{}
+
+	// Explicitly set hook to debug panic
+	api.EmbeddedIamApi.reloadConfigurationFunc = func() error {
+		return nil
+	}
+
+	// Test case: CreateUser via ExecuteAction
+	vals := url.Values{}
+	vals.Set("Action", "CreateUser")
+	vals.Set("UserName", "ExecuteActionUser")
+
+	resp, iamErr := api.ExecuteAction(vals)
+	assert.Nil(t, iamErr)
+
+	// Verify response type
+	createResp, ok := resp.(iamCreateUserResponse)
+	assert.True(t, ok)
+	assert.Equal(t, "ExecuteActionUser", *createResp.CreateUserResult.User.UserName)
+
+	// Verify persistence
+	assert.Len(t, api.mockConfig.Identities, 1)
+	assert.Equal(t, "ExecuteActionUser", api.mockConfig.Identities[0].Name)
+}

weed/s3api/s3api_server_grpc.go

@@ -3,15 +3,342 @@ package s3api
 import (
 	"context"
 
-	"github.com/seaweedfs/seaweedfs/weed/pb/s3_pb"
+	"fmt"
+	"net/url"
+
+	"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
 )
 
-func (s3a *S3ApiServer) Configure(ctx context.Context, request *s3_pb.S3ConfigureRequest) (*s3_pb.S3ConfigureResponse, error) {
+func (s3a *S3ApiServer) executeAction(values url.Values) (interface{}, error) {
+	if s3a.embeddedIam == nil {
+		return nil, fmt.Errorf("embedded iam is disabled")
+	}
+	response, iamErr := s3a.embeddedIam.ExecuteAction(values)
+	if iamErr != nil {
+		return nil, fmt.Errorf("IAM error: %s - %v", iamErr.Code, iamErr.Error)
+	}
+	return response, nil
+}
 
-	if err := s3a.iam.LoadS3ApiConfigurationFromBytes(request.S3ConfigurationFileContent); err != nil {
+func (s3a *S3ApiServer) ListUsers(ctx context.Context, req *iam_pb.ListUsersRequest) (*iam_pb.ListUsersResponse, error) {
+	values := url.Values{}
+	values.Set("Action", "ListUsers")
+	resp, err := s3a.executeAction(values)
+	if err != nil {
 		return nil, err
 	}
-
-	return &s3_pb.S3ConfigureResponse{}, nil
-
+	iamResp, ok := resp.(iamListUsersResponse)
+	if !ok {
+		return nil, fmt.Errorf("unexpected IAM ListUsers response type %T", resp)
+	}
+	var usernames []string
+	for _, user := range iamResp.ListUsersResult.Users {
+		if user != nil && user.UserName != nil {
+			usernames = append(usernames, *user.UserName)
+		}
+	}
+	return &iam_pb.ListUsersResponse{Usernames: usernames}, nil
+}
+
+func (s3a *S3ApiServer) CreateUser(ctx context.Context, req *iam_pb.CreateUserRequest) (*iam_pb.CreateUserResponse, error) {
+	if req.Identity == nil || req.Identity.Name == "" {
+		return nil, fmt.Errorf("username name is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "CreateUser")
+	values.Set("UserName", req.Identity.Name)
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.CreateUserResponse{}, nil
+}
+
+func (s3a *S3ApiServer) GetUser(ctx context.Context, req *iam_pb.GetUserRequest) (*iam_pb.GetUserResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "GetUser")
+	values.Set("UserName", req.Username)
+	resp, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	iamResp, ok := resp.(iamGetUserResponse)
+	if !ok {
+		return nil, fmt.Errorf("unexpected IAM GetUser response type %T", resp)
+	}
+
+	var username string
+	if iamResp.GetUserResult.User.UserName != nil {
+		username = *iamResp.GetUserResult.User.UserName
+	}
+
+	return &iam_pb.GetUserResponse{
+		Identity: &iam_pb.Identity{
+			Name: username,
+		},
+	}, nil
+}
+
+func (s3a *S3ApiServer) UpdateUser(ctx context.Context, req *iam_pb.UpdateUserRequest) (*iam_pb.UpdateUserResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "UpdateUser")
+	values.Set("UserName", req.Username)
+	// UpdateUser in DoActions expects "NewUserName" if renaming, but CreateUser just takes UserName.
+	// Looking at s3api_embedded_iam.go, UpdateUser uses "NewUserName" to change name.
+	if req.Identity != nil && req.Identity.Name != "" {
+		values.Set("NewUserName", req.Identity.Name)
+	}
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.UpdateUserResponse{}, nil
+}
+
+func (s3a *S3ApiServer) DeleteUser(ctx context.Context, req *iam_pb.DeleteUserRequest) (*iam_pb.DeleteUserResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "DeleteUser")
+	values.Set("UserName", req.Username)
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.DeleteUserResponse{}, nil
+}
+
+func (s3a *S3ApiServer) ListAccessKeys(ctx context.Context, req *iam_pb.ListAccessKeysRequest) (*iam_pb.ListAccessKeysResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "ListAccessKeys")
+	values.Set("UserName", req.Username)
+	resp, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	iamResp, ok := resp.(iamListAccessKeysResponse)
+	if !ok {
+		return nil, fmt.Errorf("unexpected IAM ListAccessKeys response type %T", resp)
+	}
+	var accessKeys []*iam_pb.Credential
+	for _, meta := range iamResp.ListAccessKeysResult.AccessKeyMetadata {
+		if meta != nil && meta.AccessKeyId != nil && meta.Status != nil {
+			accessKeys = append(accessKeys, &iam_pb.Credential{
+				AccessKey: *meta.AccessKeyId,
+				Status:    *meta.Status,
+			})
+		}
+	}
+	return &iam_pb.ListAccessKeysResponse{AccessKeys: accessKeys}, nil
+}
+
+func (s3a *S3ApiServer) CreateAccessKey(ctx context.Context, req *iam_pb.CreateAccessKeyRequest) (*iam_pb.CreateAccessKeyResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "CreateAccessKey")
+	values.Set("UserName", req.Username)
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.CreateAccessKeyResponse{}, nil
+}
+
+func (s3a *S3ApiServer) DeleteAccessKey(ctx context.Context, req *iam_pb.DeleteAccessKeyRequest) (*iam_pb.DeleteAccessKeyResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	if req.AccessKey == "" {
+		return nil, fmt.Errorf("access key is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "DeleteAccessKey")
+	values.Set("UserName", req.Username)
+	values.Set("AccessKeyId", req.AccessKey)
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.DeleteAccessKeyResponse{}, nil
+}
+
+func (s3a *S3ApiServer) PutUserPolicy(ctx context.Context, req *iam_pb.PutUserPolicyRequest) (*iam_pb.PutUserPolicyResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	if req.PolicyName == "" {
+		return nil, fmt.Errorf("policy name is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "PutUserPolicy")
+	values.Set("UserName", req.Username)
+	values.Set("PolicyName", req.PolicyName)
+	values.Set("PolicyDocument", req.PolicyDocument)
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.PutUserPolicyResponse{}, nil
+}
+
+func (s3a *S3ApiServer) GetUserPolicy(ctx context.Context, req *iam_pb.GetUserPolicyRequest) (*iam_pb.GetUserPolicyResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	if req.PolicyName == "" {
+		return nil, fmt.Errorf("policy name is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "GetUserPolicy")
+	values.Set("UserName", req.Username)
+	values.Set("PolicyName", req.PolicyName)
+	resp, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	iamResp, ok := resp.(iamGetUserPolicyResponse)
+	if !ok {
+		return nil, fmt.Errorf("unexpected IAM GetUserPolicy response type %T", resp)
+	}
+	return &iam_pb.GetUserPolicyResponse{
+		Username:       iamResp.GetUserPolicyResult.UserName,
+		PolicyName:     iamResp.GetUserPolicyResult.PolicyName,
+		PolicyDocument: iamResp.GetUserPolicyResult.PolicyDocument,
+	}, nil
+}
+
+func (s3a *S3ApiServer) DeleteUserPolicy(ctx context.Context, req *iam_pb.DeleteUserPolicyRequest) (*iam_pb.DeleteUserPolicyResponse, error) {
+	if req.Username == "" {
+		return nil, fmt.Errorf("username is required")
+	}
+	if req.PolicyName == "" {
+		return nil, fmt.Errorf("policy name is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "DeleteUserPolicy")
+	values.Set("UserName", req.Username)
+	values.Set("PolicyName", req.PolicyName)
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.DeleteUserPolicyResponse{}, nil
+}
+
+func (s3a *S3ApiServer) ListServiceAccounts(ctx context.Context, req *iam_pb.ListServiceAccountsRequest) (*iam_pb.ListServiceAccountsResponse, error) {
+	values := url.Values{}
+	values.Set("Action", "ListServiceAccounts")
+	resp, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	iamResp, ok := resp.(iamListServiceAccountsResponse)
+	if !ok {
+		return nil, fmt.Errorf("unexpected IAM ListServiceAccounts response type %T", resp)
+	}
+	var serviceAccounts []*iam_pb.ServiceAccount
+	for _, sa := range iamResp.ListServiceAccountsResult.ServiceAccounts {
+		if sa != nil {
+			serviceAccounts = append(serviceAccounts, &iam_pb.ServiceAccount{
+				Id:          sa.ServiceAccountId,
+				ParentUser:  sa.ParentUser,
+				Description: sa.Description,
+				Credential: &iam_pb.Credential{
+					AccessKey: sa.AccessKeyId,
+					Status:    sa.Status,
+				},
+			})
+		}
+	}
+	return &iam_pb.ListServiceAccountsResponse{ServiceAccounts: serviceAccounts}, nil
+}
+
+func (s3a *S3ApiServer) CreateServiceAccount(ctx context.Context, req *iam_pb.CreateServiceAccountRequest) (*iam_pb.CreateServiceAccountResponse, error) {
+	if req.ServiceAccount == nil || req.ServiceAccount.CreatedBy == "" {
+		return nil, fmt.Errorf("service account owner is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "CreateServiceAccount")
+	values.Set("CreatedBy", req.ServiceAccount.CreatedBy)
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.CreateServiceAccountResponse{}, nil
+}
+
+func (s3a *S3ApiServer) UpdateServiceAccount(ctx context.Context, req *iam_pb.UpdateServiceAccountRequest) (*iam_pb.UpdateServiceAccountResponse, error) {
+	if req.Id == "" {
+		return nil, fmt.Errorf("service account id is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "UpdateServiceAccount")
+	values.Set("ServiceAccountId", req.Id)
+	if req.ServiceAccount != nil && req.ServiceAccount.Disabled {
+		values.Set("Status", "Inactive")
+	}
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.UpdateServiceAccountResponse{}, nil
+}
+
+func (s3a *S3ApiServer) DeleteServiceAccount(ctx context.Context, req *iam_pb.DeleteServiceAccountRequest) (*iam_pb.DeleteServiceAccountResponse, error) {
+	if req.Id == "" {
+		return nil, fmt.Errorf("service account id is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "DeleteServiceAccount")
+	values.Set("ServiceAccountId", req.Id)
+	_, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	return &iam_pb.DeleteServiceAccountResponse{}, nil
+}
+
+func (s3a *S3ApiServer) GetServiceAccount(ctx context.Context, req *iam_pb.GetServiceAccountRequest) (*iam_pb.GetServiceAccountResponse, error) {
+	if req.Id == "" {
+		return nil, fmt.Errorf("service account id is required")
+	}
+	values := url.Values{}
+	values.Set("Action", "GetServiceAccount")
+	values.Set("ServiceAccountId", req.Id)
+	resp, err := s3a.executeAction(values)
+	if err != nil {
+		return nil, err
+	}
+	iamResp, ok := resp.(iamGetServiceAccountResponse)
+	if !ok {
+		return nil, fmt.Errorf("unexpected IAM GetServiceAccount response type %T", resp)
+	}
+
+	var serviceAccount *iam_pb.ServiceAccount
+	sa := iamResp.GetServiceAccountResult.ServiceAccount
+	serviceAccount = &iam_pb.ServiceAccount{
+		Id:          sa.ServiceAccountId,
+		ParentUser:  sa.ParentUser,
+		Description: sa.Description,
+		Credential: &iam_pb.Credential{
+			AccessKey: sa.AccessKeyId,
+			Status:    sa.Status,
+		},
+	}
+
+	return &iam_pb.GetServiceAccountResponse{
+		ServiceAccount: serviceAccount,
+	}, nil
 }