diff --git a/cmd/iam-store.go b/cmd/iam-store.go index 6f415d345..324cd8799 100644 --- a/cmd/iam-store.go +++ b/cmd/iam-store.go @@ -1017,18 +1017,37 @@ func (store *IAMStoreSys) PolicyDBUpdate(ctx context.Context, name string, isGro newPolicyMapping.UpdatedAt = UTCNow() addedOrRemoved = policiesToUpdate.ToSlice() - if err = store.saveMappedPolicy(ctx, name, userType, isGroup, newPolicyMapping); err != nil { - return - } - if !isGroup { - if userType == stsUser { - cache.iamSTSPolicyMap[name] = newPolicyMapping + // In case of detach operation, it is possible that no policies are mapped - + // in this case, we delete the mapping from the store. + if len(newPolicies) == 0 { + if err = store.deleteMappedPolicy(ctx, name, userType, isGroup); err != nil && !errors.Is(err, errNoSuchPolicy) { + return + } + if !isGroup { + if userType == stsUser { + delete(cache.iamSTSPolicyMap, name) + } else { + delete(cache.iamUserPolicyMap, name) + } } else { - cache.iamUserPolicyMap[name] = newPolicyMapping + delete(cache.iamGroupPolicyMap, name) } } else { - cache.iamGroupPolicyMap[name] = newPolicyMapping + + if err = store.saveMappedPolicy(ctx, name, userType, isGroup, newPolicyMapping); err != nil { + return + } + if !isGroup { + if userType == stsUser { + cache.iamSTSPolicyMap[name] = newPolicyMapping + } else { + cache.iamUserPolicyMap[name] = newPolicyMapping + } + } else { + cache.iamGroupPolicyMap[name] = newPolicyMapping + } } + cache.updatedAt = UTCNow() return cache.updatedAt, addedOrRemoved, newPolicies, nil }