diff --git a/cmd/admin-handler-utils.go b/cmd/admin-handler-utils.go
index 768a85baa..fc2c2c78f 100644
--- a/cmd/admin-handler-utils.go
+++ b/cmd/admin-handler-utils.go
@@ -154,15 +154,9 @@ func toAdminAPIErr(ctx context.Context, err error) APIError {
 Description: err.Error(),
 HTTPStatusCode: http.StatusForbidden,
 }
- case errors.Is(err, errIAMServiceAccount):
+ case errors.Is(err, errIAMServiceAccountNotAllowed):
 apiErr = APIError{
- Code: "XMinioIAMServiceAccount",
- Description: err.Error(),
- HTTPStatusCode: http.StatusBadRequest,
- }
- case errors.Is(err, errIAMServiceAccountUsed):
- apiErr = APIError{
- Code: "XMinioIAMServiceAccountUsed",
+ Code: "XMinioIAMServiceAccountNotAllowed",
 Description: err.Error(),
 HTTPStatusCode: http.StatusBadRequest,
 }
diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index cc9ed0eaf..8788d5a9e 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -2093,14 +2093,14 @@ func (store *IAMStoreSys) AddServiceAccount(ctx context.Context, cred auth.Crede
 if su, found := cache.iamUsersMap[accessKey]; found {
 scred := su.Credentials
 if scred.ParentUser != parentUser {
- return updatedAt, errIAMServiceAccountUsed
+ return updatedAt, fmt.Errorf("%w: the service account access key is taken by another user", errIAMServiceAccountNotAllowed)
 }
- return updatedAt, errIAMServiceAccount
+ return updatedAt, fmt.Errorf("%w: the service account access key already taken", errIAMServiceAccountNotAllowed)
 }
 // Parent user must not be a service account.
 if u, found := cache.iamUsersMap[parentUser]; found && u.Credentials.IsServiceAccount() {
- return updatedAt, errIAMServiceAccount
+ return updatedAt, fmt.Errorf("%w: unable to create a service account for another service account", errIAMServiceAccountNotAllowed)
 }
 u := newUserIdentity(cred)
diff --git a/cmd/typed-errors.go b/cmd/typed-errors.go
index 9494a7c78..1bfe9bea7 100644
--- a/cmd/typed-errors.go
+++ b/cmd/typed-errors.go
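Review bot: Clients that match on the admin API error code will stop matching after this case in toAdminAPIErr, because `XMinioIAMServiceAccount` and `XMinioIAMServiceAccountUsed` are both folded into `XMinioIAMServiceAccountNotAllowed`. The three rejection reasons can now be told apart only through the free-text Description. If the old codes were part of the documented admin API, this deserves a release note. A comment on the case such as `// code is shared by all service-account rejections; Description carries the wrapped reason` would make that contract explicit. The function starts and ends outside the hunk.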
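Review bot: The two messages in the `found` branch of AddServiceAccount in cmd/iam-store.go still tell the caller whether an existing access key belongs to the same parent or to a different user (`taken by another user` versus `already taken`). Because toAdminAPIErr copies `err.Error()` into the response Description, that distinction reaches the client. If callers other than administrators can reach this path (not visible in this hunk), consider one message for both cases, e.g. `fmt.Errorf("%w: the service account access key is already taken", errIAMServiceAccountNotAllowed)`, and log the ownership detail server-side. The second message also reads `access key already taken`, missing the `is` the first one has. The function body continues outside the hunk.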
@@ -102,10 +102,7 @@ var errTooManyPolicies = errors.New("Only a single policy may be specified here.
 var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
 // error returned in IAM service account
-var errIAMServiceAccount = errors.New("Specified service account cannot be updated in this API call")
-
-// error returned in IAM service account is already used.
-var errIAMServiceAccountUsed = errors.New("Specified service account is used by another user")
+var errIAMServiceAccountNotAllowed = errors.New("Specified service account action is not allowed")
 // error returned in IAM subsystem when IAM sub-system is still being initialized.
 var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
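Review bot: The comment left above the new sentinel, `// error returned in IAM service account`, no longer says what the error means now that it is the shared base for several wrapped reasons. Something like `// errIAMServiceAccountNotAllowed is the base error for rejected service account operations; callers wrap it with the specific reason via %w.` would tell readers that it must be matched with errors.Is, as toAdminAPIErr does, rather than by equality.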