From 6fb3ec968d64e867ceb52c4f1db45c80309d91dd Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Fri, 12 Dec 2025 14:45:23 -0800 Subject: s3: allow -s3.config and -s3.iam.config to work together (#7727) When both -s3.config and -s3.iam.config are configured, traditional credentials from -s3.config were failing with Access Denied because the authorization code always used IAM authorization when IAM integration was configured. The fix checks if the identity has legacy Actions (from -s3.config). If so, use the legacy canDo() authorization. Only use IAM authorization for JWT/STS identities that don't have legacy Actions. This allows both configuration options to coexist: - Traditional credentials use legacy authorization - JWT/STS credentials use IAM authorization Fixes #7720
---
weed/s3api/auth_credentials.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index eab237b0b..7b5d9a262 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -610,19 +610,19 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 		}
 		// Only check IAM if bucket policy didn't explicitly allow
-		// This ensures bucket policies can independently grant access (AWS semantics)
 		if !policyAllows {
-			// Use enhanced IAM authorization if available, otherwise fall back to legacy authorization
-			if iam.iamIntegration != nil {
-				// Always use IAM when available for unified authorization
+			// Traditional identities (with Actions from -s3.config) use legacy auth,
+			// JWT/STS identities (no Actions) use IAM authorization
+			if len(identity.Actions) > 0 {
+				if !identity.canDo(action, bucket, object) {
+					return identity, s3err.ErrAccessDenied
+				}
+			} else if iam.iamIntegration != nil {
 				if errCode := iam.authorizeWithIAM(r, identity, action, bucket, object); errCode != s3err.ErrNone {
 					return identity, errCode
 				}
 			} else {
-				// Fall back to existing authorization when IAM is not configured
-				if !identity.canDo(action, bucket, object) {
-					return identity, s3err.ErrAccessDenied
-				}
+				return identity, s3err.ErrAccessDenied
 			}
 		}
 	}
-- cgit v1.2.3
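Review bot: The dispatch at `if len(identity.Actions) > 0 {` infers an identity's origin from whether it carries legacy Actions, so an identity defined in -s3.config with an intentionally empty Actions list is now routed to IAM authorization when iamIntegration is set, instead of being evaluated by canDo(); whether authorizeWithIAM can grant anything to such an identity is outside this hunk. The same branch also means legacy identities never pass through IAM at all, so IAM policies cannot narrow -s3.config credentials, and that precedence rule deserves to be stated next to the new comment, e.g. `// Legacy identities bypass IAM entirely; an -s3.config identity with an empty Actions list is treated as JWT/STS here.` A more robust discriminator would be an explicit source/type field on the identity set at load time rather than len(identity.Actions), which presumably also covers identities whose Actions are populated later. authRequest begins and ends outside this hunk.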