Fix: Populate Claims from STS session RequestContext for policy variable substitution (#8082)

* Fix: Populate Claims from STS session RequestContext for policy variable substitution

When using STS temporary credentials (from AssumeRoleWithWebIdentity) with
AWS Signature V4 authentication, JWT claims like preferred_username were
not available for bucket policy variable substitution (e.g., ${jwt:preferred_username}).

Root Cause:
- STS session tokens store user claims in the req_ctx field (added in PR #8079)
- validateSTSSessionToken() created Identity but didn't populate Claims field
- authorizeWithIAM() created IAMIdentity but didn't copy Claims
- Policy engine couldn't resolve ${jwt:*} variables without claims

Changes:
1. auth_signature_v4.go: Extract claims from sessionInfo.RequestContext
   and populate Identity.Claims in validateSTSSessionToken()
2. auth_credentials.go: Copy Claims when creating IAMIdentity in
   authorizeWithIAM()
3. auth_sts_identity_test.go: Add TestSTSIdentityClaimsPopulation to
   verify claims are properly populated from RequestContext

This enables bucket policies with JWT claim variables to work correctly
with STS temporary credentials obtained via AssumeRoleWithWebIdentity.

Fixes #8037

* Refactor: Idiomatic map population for STS claims
Chris Lu
2026-01-21 18:36:24 -08:00
committed by GitHub
parent 51735e667c
commit 5472061231
3 changed files with 75 additions and 0 deletions


@@ -382,6 +382,14 @@ func (iam *IdentityAccessManagement) validateSTSSessionToken(r *http.Request, se
Expiration: sessionInfo.ExpiresAt.Unix(),
}
// Create claims map from request context
// The request context contains user information from the original OIDC token
// that was used in AssumeRoleWithWebIdentity (e.g., preferred_username, email, etc.)
claims := make(map[string]interface{}, len(sessionInfo.RequestContext))
for k, v := range sessionInfo.RequestContext {
claims[k] = v
}
// Create an identity for the STS session
// The identity represents the assumed role user
identity := &Identity{
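Review bot: the copy loop over sessionInfo.RequestContext (the `for k, v := range` block) promotes every entry of the request context to a JWT claim without filtering, so anything stored there becomes resolvable through ${jwt:*} in a bucket policy. The commit message says RequestContext holds the OIDC token's user claims (PR #8079); please either document that invariant next to the loop or copy only known claim keys, so a future addition of non-claim data to the context cannot silently widen what policies can match on. The defensive copy itself is good, since it keeps Identity.Claims from aliasing the session's map.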
@@ -390,6 +398,7 @@ func (iam *IdentityAccessManagement) validateSTSSessionToken(r *http.Request, se
Credentials: []*Credential{cred},
PrincipalArn: sessionInfo.Principal,
PolicyNames: sessionInfo.Policies, // Populate PolicyNames for IAM authorization
Claims: claims, // Populate Claims for policy variable substitution
}
glog.V(2).Infof("Successfully validated STS session token for principal: %s, assumed role user: %s",
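Review bot: `Claims: claims` always receives a non-nil map, even when sessionInfo.RequestContext is empty, because `make` in the preceding hunk runs unconditionally. If any caller distinguishes "no JWT identity" by checking `identity.Claims == nil`, STS sessions without context will now look like they carry (empty) claims; if that distinction matters, assign Claims only when `len(claims) > 0`, otherwise a short comment stating that an empty map is intended would help the next reader. The V(2) log line still prints only principal and role user, which is the right choice; keep claim values out of that log.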