Diffstat (limited to 'weed/iam/utils/arn_utils.go')
-rw-r--r--weed/iam/utils/arn_utils.go39
1 files changed, 39 insertions, 0 deletions
diff --git a/weed/iam/utils/arn_utils.go b/weed/iam/utils/arn_utils.go
new file mode 100644
index 000000000..f4c05dab1
--- /dev/null
+++ b/weed/iam/utils/arn_utils.go
@@ -0,0 +1,39 @@
+package utils
+
+import "strings"
+
+// ExtractRoleNameFromPrincipal extracts role name from principal ARN
+// Handles both STS assumed role and IAM role formats
+func ExtractRoleNameFromPrincipal(principal string) string {
+ // Handle STS assumed role format: arn:seaweed:sts::assumed-role/RoleName/SessionName
+ stsPrefix := "arn:seaweed:sts::assumed-role/"
+ if strings.HasPrefix(principal, stsPrefix) {
+ remainder := principal[len(stsPrefix):]
+ // Split on first '/' to get role name
+ if slashIndex := strings.Index(remainder, "/"); slashIndex != -1 {
+ return remainder[:slashIndex]
+ }
+ // If no slash found, return the remainder (edge case)
+ return remainder
+ }
+
+ // Handle IAM role format: arn:seaweed:iam::role/RoleName
+ iamPrefix := "arn:seaweed:iam::role/"
+ if strings.HasPrefix(principal, iamPrefix) {
+ return principal[len(iamPrefix):]
+ }
+
+ // Return empty string to signal invalid ARN format
+ // This allows callers to handle the error explicitly instead of masking it
+ return ""
+}
+
+// ExtractRoleNameFromArn extracts role name from an IAM role ARN
+// Specifically handles: arn:seaweed:iam::role/RoleName
+func ExtractRoleNameFromArn(roleArn string) string {
+ prefix := "arn:seaweed:iam::role/"
+ if strings.HasPrefix(roleArn, prefix) && len(roleArn) > len(prefix) {
+ return roleArn[len(prefix):]
+ }
+ return ""
+}
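Review bot: The two branches of `ExtractRoleNameFromPrincipal` disagree on what a role name may contain: the STS branch cuts at the first `/`, while the IAM branch (and `ExtractRoleNameFromArn`) returns everything after the prefix, so `arn:seaweed:iam::role/A/B` yields `A/B` but the corresponding assumed-role form yields `A`. If callers use the result to look up a role or evaluate policy (not visible in this hunk), the same role can resolve differently depending on the ARN form, so decide whether an embedded `/` is a supported path or an invalid name and enforce that in one place. The STS branch also accepts an ARN with no session segment (the "edge case" return) and hands back the remainder as a valid role name; returning `""` there would match the stated contract that an empty string signals an invalid ARN. A small step is to have the IAM branch delegate with `return ExtractRoleNameFromArn(principal)` and keep any name validation in that function. The doc comments on both functions should also state that `""` means "not a recognised role ARN" and that callers must treat it as a failure rather than as a role name.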