IAM: add support for advanced IAM config file to server command (#7317)

* IAM: add support for advanced IAM config file to server command

* Add support for advanced IAM config file in S3 options

* Fix S3 IAM config handling to simplify checks for configuration presence

* simplify

* simplify again

* copy the value

* const

---------

Co-authored-by: chrislu <chris.lu@gmail.com>
Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>

1 files changed, 12 insertions, 1 deletions

diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 5af274970..e21886c57 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -473,12 +473,23 @@ func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() str
 		return nil, fmt.Errorf("failed to parse config: %w", err)
 	}
 
+	// Ensure a valid policy engine config exists
+	if configRoot.Policy == nil {
+		// Provide a secure default if not specified in the config file
+		// Default to Deny with in-memory store so that JSON-defined policies work without filer
+		glog.V(0).Infof("No policy engine config provided; using defaults (DefaultEffect=%s, StoreType=%s)", sts.EffectDeny, sts.StoreTypeMemory)
+		configRoot.Policy = &policy.PolicyEngineConfig{
+			DefaultEffect: sts.EffectDeny,
+			StoreType:     sts.StoreTypeMemory,
+		}
+	}
+
 	// Create IAM configuration
 	iamConfig := &integration.IAMConfig{
 		STS:    configRoot.STS,
 		Policy: configRoot.Policy,
 		Roles: &integration.RoleStoreConfig{
-			StoreType: "memory", // Use memory store for JSON config-based setup
+			StoreType: sts.StoreTypeMemory, // Use memory store for JSON config-based setup
 		},
 	}