diff --git a/cmd/iam.go b/cmd/iam.go
index f5e12a1d0..48da26c9b 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1177,6 +1177,10 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 		return auth.Credentials{}, errServerNotInitialized
 	}
+	if parentUser == "" {
+		return auth.Credentials{}, errInvalidArgument
+	}
 	var policyBuf []byte
 	if opts.sessionPolicy != nil {
 		err := opts.sessionPolicy.Validate()
@@ -1192,9 +1196,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 		}
 	}
+	// found newly requested service account, to be same as
+	// parentUser, reject such operations.
+	if parentUser == opts.accessKey {
+		return auth.Credentials{}, errIAMActionNotAllowed
+	}
 	sys.store.lock()
 	defer sys.store.unlock()
+	// Handle validation of incoming service accounts.
+	{
+		cr, found := sys.iamUsersMap[opts.accessKey]
+		// found newly requested service account, to be an existing
+		// user, reject such operations.
+		if found && !cr.IsTemp() && !cr.IsServiceAccount() {
+			return auth.Credentials{}, errIAMActionNotAllowed
+		}
+		// found newly requested service account, to be an existing
+		// temporary user, reject such operations.
+		if found && cr.IsTemp() {
+			return auth.Credentials{}, errIAMActionNotAllowed
+		}
+		// found newly requested service account, to be an existing
+		// service account for another parentUser, reject such operations.
+		if found && cr.IsServiceAccount() && cr.ParentUser != parentUser {
+			return auth.Credentials{}, errIAMActionNotAllowed
+		}
+	}
 	cr, found := sys.iamUsersMap[parentUser]
 	// Disallow service accounts to further create more service accounts.
 	if found && cr.IsServiceAccount() {
diff --git a/cmd/typed-errors.go b/cmd/typed-errors.go
index 2331b015d..0aa6adba1 100644
--- a/cmd/typed-errors.go
+++ b/cmd/typed-errors.go
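Review bot: The new guard rejects an empty parentUser but leaves opts.accessKey unchecked, and the second hunk of this file then uses opts.accessKey as the iamUsersMap key, where an empty key would simply report not-found and pass every collision check. If an empty access key is legitimate here because a key is generated further down (outside the hunk), a one-line comment on the guard saying so would stop the next reader from asking the same question; otherwise the guard should read `if parentUser == "" || opts.accessKey == "" {`. Returning errInvalidArgument for the empty case while the identity collisions in the next hunk return errIAMActionNotAllowed is a sensible split, since one is a malformed request and the other a policy refusal. NewServiceAccount's signature and the start of its body lie before this hunk.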
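Review bot: The three `found && …` checks in the validation block are disjoint cases of a single condition and could be written once, `if found && (cr.IsTemp() || !cr.IsServiceAccount() || cr.ParentUser != parentUser) {`, which keeps the same result and makes the only permitted collision — an existing service account with the same parent — explicit rather than implied by fall-through. What happens to that permitted case after the block (whether the existing credentials are replaced or a duplicate is created) is outside the hunk and worth a comment at the block's head, since this is the path that decides whether a caller can re-issue credentials for a key it already owns. The repeated phrase "found newly requested service account, to be …" is hard to parse; a wording such as "reject a service account whose access key is already an existing user" reads more directly. The `parentUser == opts.accessKey` check is pure argument validation and needs no lock, so it could sit beside the empty-parentUser guard from the earlier hunk rather than just before the lock.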
@@ -82,7 +82,7 @@ var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove
 var errNoSuchPolicy = errors.New("Specified canned policy does not exist")
 // error returned in IAM subsystem when an external users systems is configured.
-var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed with LDAP configuration")
+var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
 // error returned in IAM subsystem when IAM sub-system is still being initialized.
 var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
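Review bot: The comment above errIAMActionNotAllowed still says the error is returned "when an external users systems is configured", but the message has been generalised and the iam.go hunks now return it for ordinary access-key collisions with no external users system involved. The comment should be updated alongside the message, e.g. `// error returned in IAM subsystem when the requested action is not permitted for the caller or target identity.` Keeping a generic message for these refusals is also the safer choice, since the old LDAP-specific text would have hinted at deployment details to an unauthenticated caller.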