fix: username replacements for aws:username must use parentUser (#16591)

2025-11-07 12:52:58 -05:00 · 2023-02-10 06:52:31 -08:00
parent 6b41f941b6
commit b363400587
2 changed files with 99 additions and 0 deletions
--- a/cmd/bucket-policy.go
+++ b/cmd/bucket-policy.go
@@ -75,6 +75,11 @@ func getConditionValues(r *http.Request, lc string, cred auth.Credentials) map[s
 		groups   = cred.Groups
 	)

+	if cred.IsTemp() || cred.IsServiceAccount() {
+		// For derived credentials, check the parent user's permissions.
+		username = cred.ParentUser
+	}
+
 	principalType := "Anonymous"
 	if username != "" {
 		principalType = "User"