s3api: fix AccessDenied by correctly propagating principal ARN in vended tokens (#8330)

* s3api: fix AccessDenied by correctly propagating principal ARN in vended tokens

* s3api: update TestLoadS3ApiConfiguration to match standardized ARN format

* s3api: address PR review comments (nil-safety and cleanup)

* s3api: address second round of PR review comments (cleanups and naming conventions)

* s3api: address third round of PR review comments (unify default account ID and duplicate log)

* s3api: address fourth round of PR review comments (define defaultAccountID as constant)
Chris Lu
2026-02-12 23:11:41 -08:00
committed by GitHub
parent 1e4f30c56f
commit c433fee36a
4 changed files with 51 additions and 37 deletions


@@ -1,6 +1,7 @@
package s3api
import (
"fmt"
"testing"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
@@ -62,6 +63,14 @@ func TestBuildPrincipalARN(t *testing.T) {
identity: nil,
expected: "*",
},
{
name: "explicit principal ARN",
identity: &Identity{
Name: "test-user",
PrincipalArn: "arn:aws:iam::123456789012:role/MyRole",
},
expected: "arn:aws:iam::123456789012:role/MyRole",
},
{
name: "anonymous user by name",
identity: &Identity{
@@ -100,7 +109,7 @@ func TestBuildPrincipalARN(t *testing.T) {
Id: "",
},
},
expected: "arn:aws:iam::000000000000:user/test-user",
expected: fmt.Sprintf("arn:aws:iam::%s:user/test-user", defaultAccountID),
},
{
name: "identity without name",
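Review bot: The added "explicit principal ARN" case in TestBuildPrincipalARN pins only the happy path, a well-formed role ARN on an ordinary named identity, so the table does not show which field wins when `Name` and `PrincipalArn` disagree. Since this value is presumably what policy evaluation matches against (the commit fixes an AccessDenied caused by the wrong principal), I would add a case for an identity whose `Name` is the anonymous name but whose `PrincipalArn` is set, and one where an empty `PrincipalArn` falls back to the account-based ARN. In the last hunk, `fmt.Sprintf("arn:aws:iam::%s:user/test-user", defaultAccountID)` derives the expectation from the constant under test, so an accidental change to `defaultAccountID` would no longer fail here; keeping one case with the account ID spelled out as a literal would catch that. The test table and buildPrincipalARN itself lie outside the visible hunks, so the precedence behaviour is inferred rather than read from the code.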