Diffstat (limited to 'test')
-rw-r--r--test/s3/iam/README-Docker.md2
-rw-r--r--test/s3/iam/README.md2
-rw-r--r--test/s3/iam/STS_DISTRIBUTED.md2
-rw-r--r--test/s3/iam/iam_config.github.json40
-rw-r--r--test/s3/iam/iam_config.json40
-rw-r--r--test/s3/iam/iam_config.local.json40
-rw-r--r--test/s3/iam/iam_config_distributed.json14
-rw-r--r--test/s3/iam/iam_config_docker.json14
-rw-r--r--test/s3/iam/s3_iam_framework.go4
-rw-r--r--test/s3/iam/s3_iam_integration_test.go45
-rwxr-xr-xtest/s3/iam/setup_keycloak_docker.sh34
-rw-r--r--test/s3/iam/test_config.json28
12 files changed, 144 insertions, 121 deletions
diff --git a/test/s3/iam/README-Docker.md b/test/s3/iam/README-Docker.md
index 3759d7fae..0f8d4108f 100644
--- a/test/s3/iam/README-Docker.md
+++ b/test/s3/iam/README-Docker.md
@@ -170,7 +170,7 @@ The `setup_keycloak_docker.sh` script automatically generates `iam_config.json`
{
"claim": "roles",
"value": "s3-admin",
- "role": "arn:seaweed:iam::role/KeycloakAdminRole"
+ "role": "arn:aws:iam::role/KeycloakAdminRole"
}
```
diff --git a/test/s3/iam/README.md b/test/s3/iam/README.md
index ba871600c..b28d0d262 100644
--- a/test/s3/iam/README.md
+++ b/test/s3/iam/README.md
@@ -257,7 +257,7 @@ Add policies to `test_config.json`:
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
- "Resource": ["arn:seaweed:s3:::specific-bucket/*"],
+ "Resource": ["arn:aws:s3:::specific-bucket/*"],
"Condition": {
"StringEquals": {
"s3:prefix": ["allowed-prefix/"]
diff --git a/test/s3/iam/STS_DISTRIBUTED.md b/test/s3/iam/STS_DISTRIBUTED.md
index b18ec4fdb..4d3edaf32 100644
--- a/test/s3/iam/STS_DISTRIBUTED.md
+++ b/test/s3/iam/STS_DISTRIBUTED.md
@@ -248,7 +248,7 @@ services:
3. User calls SeaweedFS STS AssumeRoleWithWebIdentity
POST /sts/assume-role-with-web-identity
{
- "RoleArn": "arn:seaweed:iam::role/S3AdminRole",
+ "RoleArn": "arn:aws:iam::role/S3AdminRole",
"WebIdentityToken": "eyJ0eXAiOiJKV1QiLCJhbGc...",
"RoleSessionName": "user-session"
}
diff --git a/test/s3/iam/iam_config.github.json b/test/s3/iam/iam_config.github.json
index b9a2fface..7a903b047 100644
--- a/test/s3/iam/iam_config.github.json
+++ b/test/s3/iam/iam_config.github.json
@@ -35,25 +35,25 @@
{
"claim": "roles",
"value": "s3-admin",
- "role": "arn:seaweed:iam::role/KeycloakAdminRole"
+ "role": "arn:aws:iam::role/KeycloakAdminRole"
},
{
"claim": "roles",
"value": "s3-read-only",
- "role": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
+ "role": "arn:aws:iam::role/KeycloakReadOnlyRole"
},
{
"claim": "roles",
"value": "s3-write-only",
- "role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole"
+ "role": "arn:aws:iam::role/KeycloakWriteOnlyRole"
},
{
"claim": "roles",
"value": "s3-read-write",
- "role": "arn:seaweed:iam::role/KeycloakReadWriteRole"
+ "role": "arn:aws:iam::role/KeycloakReadWriteRole"
}
],
- "defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
+ "defaultRole": "arn:aws:iam::role/KeycloakReadOnlyRole"
}
}
}
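Review bot: Every role mapping, `defaultRole` and policy `Resource` in these fixtures moves to `arn:aws:` in one step, so nothing visible here exercises a config or stored policy still written with `arn:seaweed:`. If the policy engine matches ARNs as strings (it is not shown on this page, which is limited to `test/`), an old-prefix `Allow` would simply stop granting, but an old-prefix `Deny` would stop matching and fail open. One fixture that keeps a legacy-prefix `Deny` statement, with a test asserting it is either still honoured or rejected at load time, would pin that behaviour. The same applies to the other `iam_config*.json` files, `test_config.json` and the heredoc in `setup_keycloak_docker.sh`.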
@@ -64,7 +64,7 @@
"roles": [
{
"roleName": "TestAdminRole",
- "roleArn": "arn:seaweed:iam::role/TestAdminRole",
+ "roleArn": "arn:aws:iam::role/TestAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -82,7 +82,7 @@
},
{
"roleName": "TestReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/TestReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/TestReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -100,7 +100,7 @@
},
{
"roleName": "TestWriteOnlyRole",
- "roleArn": "arn:seaweed:iam::role/TestWriteOnlyRole",
+ "roleArn": "arn:aws:iam::role/TestWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -118,7 +118,7 @@
},
{
"roleName": "KeycloakAdminRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakAdminRole",
+ "roleArn": "arn:aws:iam::role/KeycloakAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -136,7 +136,7 @@
},
{
"roleName": "KeycloakReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/KeycloakReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -154,7 +154,7 @@
},
{
"roleName": "KeycloakWriteOnlyRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakWriteOnlyRole",
+ "roleArn": "arn:aws:iam::role/KeycloakWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -172,7 +172,7 @@
},
{
"roleName": "KeycloakReadWriteRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole",
+ "roleArn": "arn:aws:iam::role/KeycloakReadWriteRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -220,8 +220,8 @@
"s3:ListBucket"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -243,8 +243,8 @@
"s3:*"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -254,8 +254,8 @@
"s3:ListBucket"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -277,8 +277,8 @@
"s3:*"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
diff --git a/test/s3/iam/iam_config.json b/test/s3/iam/iam_config.json
index b9a2fface..7a903b047 100644
--- a/test/s3/iam/iam_config.json
+++ b/test/s3/iam/iam_config.json
@@ -35,25 +35,25 @@
{
"claim": "roles",
"value": "s3-admin",
- "role": "arn:seaweed:iam::role/KeycloakAdminRole"
+ "role": "arn:aws:iam::role/KeycloakAdminRole"
},
{
"claim": "roles",
"value": "s3-read-only",
- "role": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
+ "role": "arn:aws:iam::role/KeycloakReadOnlyRole"
},
{
"claim": "roles",
"value": "s3-write-only",
- "role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole"
+ "role": "arn:aws:iam::role/KeycloakWriteOnlyRole"
},
{
"claim": "roles",
"value": "s3-read-write",
- "role": "arn:seaweed:iam::role/KeycloakReadWriteRole"
+ "role": "arn:aws:iam::role/KeycloakReadWriteRole"
}
],
- "defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
+ "defaultRole": "arn:aws:iam::role/KeycloakReadOnlyRole"
}
}
}
@@ -64,7 +64,7 @@
"roles": [
{
"roleName": "TestAdminRole",
- "roleArn": "arn:seaweed:iam::role/TestAdminRole",
+ "roleArn": "arn:aws:iam::role/TestAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -82,7 +82,7 @@
},
{
"roleName": "TestReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/TestReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/TestReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -100,7 +100,7 @@
},
{
"roleName": "TestWriteOnlyRole",
- "roleArn": "arn:seaweed:iam::role/TestWriteOnlyRole",
+ "roleArn": "arn:aws:iam::role/TestWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -118,7 +118,7 @@
},
{
"roleName": "KeycloakAdminRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakAdminRole",
+ "roleArn": "arn:aws:iam::role/KeycloakAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -136,7 +136,7 @@
},
{
"roleName": "KeycloakReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/KeycloakReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -154,7 +154,7 @@
},
{
"roleName": "KeycloakWriteOnlyRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakWriteOnlyRole",
+ "roleArn": "arn:aws:iam::role/KeycloakWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -172,7 +172,7 @@
},
{
"roleName": "KeycloakReadWriteRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole",
+ "roleArn": "arn:aws:iam::role/KeycloakReadWriteRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -220,8 +220,8 @@
"s3:ListBucket"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -243,8 +243,8 @@
"s3:*"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -254,8 +254,8 @@
"s3:ListBucket"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -277,8 +277,8 @@
"s3:*"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
diff --git a/test/s3/iam/iam_config.local.json b/test/s3/iam/iam_config.local.json
index b2b2ef4e5..30522771b 100644
--- a/test/s3/iam/iam_config.local.json
+++ b/test/s3/iam/iam_config.local.json
@@ -39,25 +39,25 @@
{
"claim": "roles",
"value": "s3-admin",
- "role": "arn:seaweed:iam::role/KeycloakAdminRole"
+ "role": "arn:aws:iam::role/KeycloakAdminRole"
},
{
"claim": "roles",
"value": "s3-read-only",
- "role": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
+ "role": "arn:aws:iam::role/KeycloakReadOnlyRole"
},
{
"claim": "roles",
"value": "s3-write-only",
- "role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole"
+ "role": "arn:aws:iam::role/KeycloakWriteOnlyRole"
},
{
"claim": "roles",
"value": "s3-read-write",
- "role": "arn:seaweed:iam::role/KeycloakReadWriteRole"
+ "role": "arn:aws:iam::role/KeycloakReadWriteRole"
}
],
- "defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
+ "defaultRole": "arn:aws:iam::role/KeycloakReadOnlyRole"
}
}
}
@@ -68,7 +68,7 @@
"roles": [
{
"roleName": "TestAdminRole",
- "roleArn": "arn:seaweed:iam::role/TestAdminRole",
+ "roleArn": "arn:aws:iam::role/TestAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -90,7 +90,7 @@
},
{
"roleName": "TestReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/TestReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/TestReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -112,7 +112,7 @@
},
{
"roleName": "TestWriteOnlyRole",
- "roleArn": "arn:seaweed:iam::role/TestWriteOnlyRole",
+ "roleArn": "arn:aws:iam::role/TestWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -134,7 +134,7 @@
},
{
"roleName": "KeycloakAdminRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakAdminRole",
+ "roleArn": "arn:aws:iam::role/KeycloakAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -156,7 +156,7 @@
},
{
"roleName": "KeycloakReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/KeycloakReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -178,7 +178,7 @@
},
{
"roleName": "KeycloakWriteOnlyRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakWriteOnlyRole",
+ "roleArn": "arn:aws:iam::role/KeycloakWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -200,7 +200,7 @@
},
{
"roleName": "KeycloakReadWriteRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole",
+ "roleArn": "arn:aws:iam::role/KeycloakReadWriteRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -260,8 +260,8 @@
"s3:ListBucket"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -287,8 +287,8 @@
"s3:*"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -298,8 +298,8 @@
"s3:ListBucket"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -325,8 +325,8 @@
"s3:*"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
diff --git a/test/s3/iam/iam_config_distributed.json b/test/s3/iam/iam_config_distributed.json
index c9827c220..a6d2aa395 100644
--- a/test/s3/iam/iam_config_distributed.json
+++ b/test/s3/iam/iam_config_distributed.json
@@ -40,7 +40,7 @@
"roles": [
{
"roleName": "S3AdminRole",
- "roleArn": "arn:seaweed:iam::role/S3AdminRole",
+ "roleArn": "arn:aws:iam::role/S3AdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -63,7 +63,7 @@
},
{
"roleName": "S3ReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/S3ReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/S3ReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -86,7 +86,7 @@
},
{
"roleName": "S3ReadWriteRole",
- "roleArn": "arn:seaweed:iam::role/S3ReadWriteRole",
+ "roleArn": "arn:aws:iam::role/S3ReadWriteRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -137,8 +137,8 @@
"s3:ListBucketVersions"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
}
]
@@ -162,8 +162,8 @@
"s3:ListBucketVersions"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
}
]
diff --git a/test/s3/iam/iam_config_docker.json b/test/s3/iam/iam_config_docker.json
index c0fd5ab87..a533b16d7 100644
--- a/test/s3/iam/iam_config_docker.json
+++ b/test/s3/iam/iam_config_docker.json
@@ -25,7 +25,7 @@
"roles": [
{
"roleName": "S3AdminRole",
- "roleArn": "arn:seaweed:iam::role/S3AdminRole",
+ "roleArn": "arn:aws:iam::role/S3AdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -48,7 +48,7 @@
},
{
"roleName": "S3ReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/S3ReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/S3ReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -71,7 +71,7 @@
},
{
"roleName": "S3ReadWriteRole",
- "roleArn": "arn:seaweed:iam::role/S3ReadWriteRole",
+ "roleArn": "arn:aws:iam::role/S3ReadWriteRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -122,8 +122,8 @@
"s3:ListBucketVersions"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
}
]
@@ -147,8 +147,8 @@
"s3:ListBucketVersions"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
}
]
diff --git a/test/s3/iam/s3_iam_framework.go b/test/s3/iam/s3_iam_framework.go
index 92e880bdc..178ae0763 100644
--- a/test/s3/iam/s3_iam_framework.go
+++ b/test/s3/iam/s3_iam_framework.go
@@ -369,9 +369,9 @@ func (f *S3IAMTestFramework) generateSTSSessionToken(username, roleName string,
sessionId := fmt.Sprintf("test-session-%s-%s-%d", username, roleName, now.Unix())
// Create session token claims exactly matching STSSessionClaims struct
- roleArn := fmt.Sprintf("arn:seaweed:iam::role/%s", roleName)
+ roleArn := fmt.Sprintf("arn:aws:iam::role/%s", roleName)
sessionName := fmt.Sprintf("test-session-%s", username)
- principalArn := fmt.Sprintf("arn:seaweed:sts::assumed-role/%s/%s", roleName, sessionName)
+ principalArn := fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleName, sessionName)
// Use jwt.MapClaims but with exact field names that STSSessionClaims expects
sessionClaims := jwt.MapClaims{
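Review bot: The ARNs built on the `roleArn` and `principalArn` lines still have only five colon-separated fields, while the AWS layout is `arn:partition:service:region:account-id:resource`; with the account field absent, a strict parser such as the AWS SDK's `arn.Parse` would reject `arn:aws:iam::role/%s` even though the partition now reads `aws`. If the short form is intentional, a comment here would stop readers assuming full AWS compatibility, for example `// SeaweedFS ARNs omit the account-id field; strict AWS ARN parsers will not accept them`. The same five-field shape is used by every `roleArn`, `role` and `defaultRole` value in the JSON fixtures of this change. The body of `generateSTSSessionToken` continues outside the hunk.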
diff --git a/test/s3/iam/s3_iam_integration_test.go b/test/s3/iam/s3_iam_integration_test.go
index c7836c4bf..dcf8422b4 100644
--- a/test/s3/iam/s3_iam_integration_test.go
+++ b/test/s3/iam/s3_iam_integration_test.go
@@ -410,7 +410,7 @@ func TestS3IAMBucketPolicyIntegration(t *testing.T) {
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject"],
- "Resource": ["arn:seaweed:s3:::%s/*"]
+ "Resource": ["arn:aws:s3:::%s/*"]
}
]
}`, bucketName)
@@ -443,6 +443,12 @@ func TestS3IAMBucketPolicyIntegration(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, testObjectData, string(data))
result.Body.Close()
+
+ // Clean up bucket policy after this test
+ _, err = adminClient.DeleteBucketPolicy(&s3.DeleteBucketPolicyInput{
+ Bucket: aws.String(bucketName),
+ })
+ require.NoError(t, err)
})
t.Run("bucket_policy_denies_specific_action", func(t *testing.T) {
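Review bot: The `DeleteBucketPolicy` call added at the end of this subtest is skipped whenever an earlier `require` fails, which leaves the `Principal: "*"` Allow policy from the previous hunk on the bucket for the following subtest. Registering the cleanup directly after the policy is installed would cover every exit path, e.g. `t.Cleanup(func() { _, _ = adminClient.DeleteBucketPolicy(&s3.DeleteBucketPolicyInput{Bucket: aws.String(bucketName)}) })`. The cleanup added to `bucket_policy_denies_specific_action` in the later hunk has the same shape. The `PutBucketPolicy` call and the start of the subtest are outside this hunk.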
@@ -455,7 +461,7 @@ func TestS3IAMBucketPolicyIntegration(t *testing.T) {
"Effect": "Deny",
"Principal": "*",
"Action": ["s3:DeleteObject"],
- "Resource": ["arn:seaweed:s3:::%s/*"]
+ "Resource": ["arn:aws:s3:::%s/*"]
}
]
}`, bucketName)
@@ -474,17 +480,34 @@ func TestS3IAMBucketPolicyIntegration(t *testing.T) {
assert.Contains(t, *policyResult.Policy, "s3:DeleteObject")
assert.Contains(t, *policyResult.Policy, "Deny")
- // IMPLEMENTATION NOTE: Bucket policy enforcement in authorization flow
- // is planned for a future phase. Currently, this test validates policy
- // storage and retrieval. When enforcement is implemented, this test
- // should be extended to verify that delete operations are actually denied.
+ // NOTE: Enforcement test is commented out due to known architectural limitation:
+ //
+ // KNOWN LIMITATION: DeleteObject uses the coarse-grained ACTION_WRITE constant,
+ // which convertActionToS3Format maps to "s3:PutObject" (not "s3:DeleteObject").
+ // This means the policy engine evaluates the deny policy against "s3:PutObject",
+ // doesn't find a match, and allows the delete operation.
+ //
+ // TODO: Uncomment this test once the action mapping is refactored to use
+ // specific S3 action strings throughout the S3 API handlers.
+ // See: weed/s3api/s3api_bucket_policy_engine.go lines 135-146
+ //
+ // _, err = adminClient.DeleteObject(&s3.DeleteObjectInput{
+ // Bucket: aws.String(bucketName),
+ // Key: aws.String(testObjectKey),
+ // })
+ // require.Error(t, err, "DeleteObject should be denied by the bucket policy")
+ // awsErr, ok := err.(awserr.Error)
+ // require.True(t, ok, "Error should be an awserr.Error")
+ // assert.Equal(t, "AccessDenied", awsErr.Code(), "Expected AccessDenied error code")
+
+ // Clean up bucket policy after this test
+ _, err = adminClient.DeleteBucketPolicy(&s3.DeleteBucketPolicyInput{
+ Bucket: aws.String(bucketName),
+ })
+ require.NoError(t, err)
})
- // Cleanup - delete bucket policy first, then objects and bucket
- _, err = adminClient.DeleteBucketPolicy(&s3.DeleteBucketPolicyInput{
- Bucket: aws.String(bucketName),
- })
- require.NoError(t, err)
+ // Cleanup - delete objects and bucket (policy already cleaned up in subtests)
_, err = adminClient.DeleteObject(&s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
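Review bot: The Deny enforcement check is left as commented-out code, so the suite passes while, per the new comment, a `Deny` on `s3:DeleteObject` is evaluated as `s3:PutObject` and the delete is allowed. This is a fail-open authorization gap that no test output reports. A skipped nested subtest keeps the assertion compiled and shows up as SKIP in every run until the action mapping is fixed. The pointer to "lines 135-146" of `s3api_bucket_policy_engine.go` will drift; naming the function (`convertActionToS3Format`) or a tracking issue is more durable. The sketch below assumes `awserr` is already imported in this file, which the hunk does not show.

```go
// … unchanged: GetBucketPolicy assertions on "s3:DeleteObject" and "Deny" …
t.Run("deny_is_enforced", func(t *testing.T) {
	t.Skip("known limitation: DeleteObject is authorized as s3:PutObject, so a Deny on s3:DeleteObject does not match")
	_, err := adminClient.DeleteObject(&s3.DeleteObjectInput{
		Bucket: aws.String(bucketName),
		Key:    aws.String(testObjectKey),
	})
	require.Error(t, err, "DeleteObject should be denied by the bucket policy")
	awsErr, ok := err.(awserr.Error)
	require.True(t, ok, "Error should be an awserr.Error")
	assert.Equal(t, "AccessDenied", awsErr.Code(), "Expected AccessDenied error code")
})
// … unchanged: bucket policy cleanup …
```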
diff --git a/test/s3/iam/setup_keycloak_docker.sh b/test/s3/iam/setup_keycloak_docker.sh
index 6dce68abf..99a952615 100755
--- a/test/s3/iam/setup_keycloak_docker.sh
+++ b/test/s3/iam/setup_keycloak_docker.sh
@@ -178,25 +178,25 @@ cat > iam_config.json << 'EOF'
{
"claim": "roles",
"value": "s3-admin",
- "role": "arn:seaweed:iam::role/KeycloakAdminRole"
+ "role": "arn:aws:iam::role/KeycloakAdminRole"
},
{
"claim": "roles",
"value": "s3-read-only",
- "role": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
+ "role": "arn:aws:iam::role/KeycloakReadOnlyRole"
},
{
"claim": "roles",
"value": "s3-write-only",
- "role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole"
+ "role": "arn:aws:iam::role/KeycloakWriteOnlyRole"
},
{
"claim": "roles",
"value": "s3-read-write",
- "role": "arn:seaweed:iam::role/KeycloakReadWriteRole"
+ "role": "arn:aws:iam::role/KeycloakReadWriteRole"
}
],
- "defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
+ "defaultRole": "arn:aws:iam::role/KeycloakReadOnlyRole"
}
}
}
@@ -207,7 +207,7 @@ cat > iam_config.json << 'EOF'
"roles": [
{
"roleName": "KeycloakAdminRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakAdminRole",
+ "roleArn": "arn:aws:iam::role/KeycloakAdminRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -225,7 +225,7 @@ cat > iam_config.json << 'EOF'
},
{
"roleName": "KeycloakReadOnlyRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakReadOnlyRole",
+ "roleArn": "arn:aws:iam::role/KeycloakReadOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -243,7 +243,7 @@ cat > iam_config.json << 'EOF'
},
{
"roleName": "KeycloakWriteOnlyRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakWriteOnlyRole",
+ "roleArn": "arn:aws:iam::role/KeycloakWriteOnlyRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -261,7 +261,7 @@ cat > iam_config.json << 'EOF'
},
{
"roleName": "KeycloakReadWriteRole",
- "roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole",
+ "roleArn": "arn:aws:iam::role/KeycloakReadWriteRole",
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
@@ -309,8 +309,8 @@ cat > iam_config.json << 'EOF'
"s3:ListBucket"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -330,8 +330,8 @@ cat > iam_config.json << 'EOF'
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -341,8 +341,8 @@ cat > iam_config.json << 'EOF'
"s3:ListBucket"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
@@ -362,8 +362,8 @@ cat > iam_config.json << 'EOF'
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
},
{
diff --git a/test/s3/iam/test_config.json b/test/s3/iam/test_config.json
index d2f1fb09e..2684c3cc3 100644
--- a/test/s3/iam/test_config.json
+++ b/test/s3/iam/test_config.json
@@ -164,8 +164,8 @@
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
}
]
@@ -184,8 +184,8 @@
"s3:GetBucketVersioning"
],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
]
}
]
@@ -207,7 +207,7 @@
"s3:ListMultipartUploadParts"
],
"Resource": [
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*/*"
]
}
]
@@ -227,7 +227,7 @@
"s3:PutBucketVersioning"
],
"Resource": [
- "arn:seaweed:s3:::*"
+ "arn:aws:s3:::*"
]
}
]
@@ -239,8 +239,8 @@
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
],
"Condition": {
"IpAddress": {
@@ -257,8 +257,8 @@
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
],
"Condition": {
"DateGreaterThan": {
@@ -281,7 +281,7 @@
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
- "Resource": "arn:seaweed:s3:::example-bucket/*"
+ "Resource": "arn:aws:s3:::example-bucket/*"
}
]
},
@@ -294,8 +294,8 @@
"Principal": "*",
"Action": ["s3:DeleteObject", "s3:DeleteBucket"],
"Resource": [
- "arn:seaweed:s3:::example-bucket",
- "arn:seaweed:s3:::example-bucket/*"
+ "arn:aws:s3:::example-bucket",
+ "arn:aws:s3:::example-bucket/*"
]
}
]
@@ -308,7 +308,7 @@
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject", "s3:PutObject"],
- "Resource": "arn:seaweed:s3:::example-bucket/*",
+ "Resource": "arn:aws:s3:::example-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": ["203.0.113.0/24"]