docs: Add policy variables for resource and conditions (#10278)

Bonus fix adds LDAP policy variable and clarifies the usage of policy variables for temporary credentials. fixes #10197
2025-11-07 12:52:58 -05:00 · 2020-08-17 17:39:55 -07:00
parent e57c742674
commit ede86845e5
14 changed files with 176 additions and 14 deletions
--- a/cmd/bucket-policy.go
+++ b/cmd/bucket-policy.go
@@ -68,6 +68,12 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
 	principalType := "Anonymous"
 	if username != "" {
 		principalType = "User"
+		if len(claims) > 0 {
+			principalType = "AssumedRole"
+		}
+		if username == globalActiveCred.AccessKey {
+			principalType = "Account"
+		}
 	}

 	vid := r.URL.Query().Get("versionId")
@@ -143,6 +149,10 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
 	for k, v := range claims {
 		vStr, ok := v.(string)
 		if ok {
+			// Special case for AD/LDAP STS users
+			if k == ldapUser {
+				args[ldapUserPolicyVariable] = []string{vStr}
+			}
 			args[k] = []string{vStr}
 		}
 	}