From 0638ccc5f39f3c3dd222f3964a5d28044238bceb Mon Sep 17 00:00:00 2001
From: M Alvee
Date: Fri, 8 Aug 2025 08:42:38 +0600
Subject: [PATCH] fix: claim based oidc for official aws libraries (#21468)

---
 cmd/sts-handlers.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 80f512b4b..6ac8e677b 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -414,9 +414,13 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 	//
 	// Currently, we do not support multiple claim based IDPs, as there is no
 	// defined parameter to disambiguate the intended IDP in this STS request.
+	//
+	// Skip RoleArn existence check when policy mapping is based on a JWT claim.
+	// This is required to support clients (like the AWS CLI or SDKs) that enforce providing a RoleArn,
+	// even though it's not used in claim-based identity mode.
 	roleArn := openid.DummyRoleARN
 	roleArnStr := r.Form.Get(stsRoleArn)
-	if roleArnStr != "" {
+	if roleArnStr != "" && strings.TrimSpace(iamPolicyClaimNameOpenID()) == "" {
 		var err error
 		roleArn, _, err = globalIAMSys.GetRolePolicy(roleArnStr)
 		if err != nil {
@@ -451,7 +455,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 	}
 
 	var policyName string
-	if roleArnStr != "" && globalIAMSys.HasRolePolicy() && strings.TrimSpace(iamPolicyClaimNameOpenID()) == "" {
+	if roleArnStr != "" && globalIAMSys.HasRolePolicy() && strings.TrimSpace(iamPolicyClaimNameOpenID()) == "" {
 		// If roleArn is used, we set it as a claim, and use the
 		// associated policy when credentials are used.
 		claims[roleArnClaim] = roleArn.String()
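Review bot: The claim-based check `strings.TrimSpace(iamPolicyClaimNameOpenID()) == ""` is evaluated independently in both hunks — once to gate the `GetRolePolicy` lookup and again to gate the `claims[roleArnClaim]` assignment — so the two decisions are not guaranteed to agree; if the OpenID configuration is reloaded between the two calls (inferred, the reload semantics are not visible here), the second branch could write the untouched `openid.DummyRoleARN` into the role claim while no role policy was ever resolved. Evaluate it once before the lookup, `claimBased := strings.TrimSpace(iamPolicyClaimNameOpenID()) != ""`, and use `if roleArnStr != "" && !claimBased {` and `if roleArnStr != "" && globalIAMSys.HasRolePolicy() && !claimBased {` in the two conditions so they cannot diverge and the intent reads directly. In claim-based mode an arbitrary client-supplied RoleArn is now accepted without any validation and silently ignored, which is fine for the stated AWS-SDK compatibility goal but is worth stating in the STS API documentation so operators do not assume the ARN restricts anything in that mode. AssumeRoleWithSSO begins and ends outside both hunks.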