fix: support IAM policy handling for wildcard actions (#11530)

This PR fixes - allow 's3:versionid` as a valid conditional for Get,Put,Tags,Object locking APIs - allow additional headers missing for object APIs - allow wildcard based action matching
2025-11-28 21:18:10 -05:00 · 2021-02-12 23:05:09 -08:00
parent 79b6a43467
commit a94a9c37fa
6 changed files with 365 additions and 25 deletions
--- a/pkg/iam/policy/statement.go
+++ b/pkg/iam/policy/statement.go
@@ -114,8 +114,13 @@ func (statement Statement) isValid() error {
 			return Errorf("unsupported Resource found %v for action %v", statement.Resources, action)
 		}

+		condKeys, ok := iamActionConditionKeyMap.Lookup(action)
+		if !ok {
+			return Errorf("conditions are not supported for action %v", action)
+		}
+
 		keys := statement.Conditions.Keys()
-		keyDiff := keys.Difference(actionConditionKeyMap[action])
+		keyDiff := keys.Difference(condKeys)
 		if !keyDiff.IsEmpty() {
 			return Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
 		}