| -rw-r--r-- | weed/iamapi/iamapi_management_handlers.go | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/weed/iamapi/iamapi_management_handlers.go b/weed/iamapi/iamapi_management_handlers.go
index 94003c46e..fedc837d6 100644
--- a/weed/iamapi/iamapi_management_handlers.go
+++ b/weed/iamapi/iamapi_management_handlers.go
@@ -377,6 +377,39 @@ func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, valu
 return resp
 }
 
+// handleImplicitUsername adds username who signs the request to values if 'username' is not specified
+// According to https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-access-key.html/
+// "If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web
+// Services access key ID signing the request."
+func handleImplicitUsername(r *http.Request, values url.Values) {
+ if len(r.Header["Authorization"]) == 0 || values.Get("UserName") != "" {
+ return
+ }
+ // get username who signs the request. For a typical Authorization:
+ // "AWS4-HMAC-SHA256 Credential=197FSAQ7HHTA48X64O3A/20220420/test1/iam/aws4_request, SignedHeaders=content-type;
+ // host;x-amz-date, Signature=6757dc6b3d7534d67e17842760310e99ee695408497f6edc4fdb84770c252dc8",
+ // the "test1" will be extracted as the username
+ glog.V(4).Infof("Authorization field: %v", r.Header["Authorization"][0])
+ s := strings.Split(r.Header["Authorization"][0], "Credential=")
+ if len(s) < 2 {
+ return
+ }
+ glog.V(4).Infof("First strip: %v", s)
+ s = strings.Split(s[1], ",")
+ if len(s) < 2 {
+ return
+ }
+ glog.V(4).Infof("Second strip: %v", s)
+ s = strings.Split(s[0], "/")
+ if len(s) < 5 {
+ return
+ }
+ glog.V(4).Infof("Third strip: %v", s)
+ userName := s[2]
+ glog.V(4).Infof("UserName: %v", userName)
+ values.Set("UserName", userName)
+}
+
 func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
 if err := r.ParseForm(); err != nil {
 s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
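Review bot: `userName := s[2]` takes the third field of the credential scope, which in SigV4 is the region rather than an identity, while the AWS text quoted in the doc comment says the user is determined from the access key ID, i.e. `s[0]`. Since the region string is supplied by the caller, the implicit target of ListAccessKeys, CreateAccessKey and DeleteAccessKey (the call sites in the later hunks) becomes whatever name sits in that slot instead of the owner of the signing key. Resolve `s[0]` against the identities held in `s3cfg` and set `UserName` to the matching identity's name, as sketched below; this needs `s3cfg` passed in at the three call sites. Separately, the first `glog.V(4)` line writes the whole Authorization header, including access key ID and signature, to the log; logging only the resolved user name would be enough.

```go
func handleImplicitUsername(r *http.Request, s3cfg *iam_pb.S3ApiConfiguration, values url.Values) {
	// … unchanged: early return and Credential= parsing down to the "/" split …
	accessKey := s[0]
	for _, ident := range s3cfg.Identities {
		for _, cred := range ident.Credentials {
			if cred.AccessKey == accessKey {
				// Name of the identity that owns the signing key.
				values.Set("UserName", ident.Name)
				return
			}
		}
	}
	// No identity owns this access key: leave UserName unset.
}
```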
@@ -401,6 +434,7 @@ func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
 response = iama.ListUsers(s3cfg, values)
 changed = false
 case "ListAccessKeys":
+ handleImplicitUsername(r, values)
 response = iama.ListAccessKeys(s3cfg, values)
 changed = false
 case "CreateUser":
@@ -428,8 +462,10 @@ func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
 return
 }
 case "CreateAccessKey":
+ handleImplicitUsername(r, values)
 response = iama.CreateAccessKey(s3cfg, values)
 case "DeleteAccessKey":
+ handleImplicitUsername(r, values)
 response = iama.DeleteAccessKey(s3cfg, values)
 case "CreatePolicy":
 response, err = iama.CreatePolicy(s3cfg, values)
|
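Review bot: In the `CreateAccessKey` and `DeleteAccessKey` cases the handler is still invoked when `handleImplicitUsername` returns early on a missing or malformed Authorization header, so both mutating actions go ahead with an empty `UserName`; how they treat that value is outside this hunk. Consider having the helper report whether a user name is present and rejecting the request the way the `ParseForm` error path does, e.g. `if !handleImplicitUsername(r, values) { s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest); return }`. The body of DoActions starts and ends outside these hunks.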
