allow signed admin routes before S3 policy resolution

2026-04-04 20:36:25 +00:00 · 2026-03-02 23:51:46 +01:00
parent 9b8d0b2b3e
commit 93a3aabf7d
1 changed files with 11 additions and 0 deletions
--- a/auth/service.go
+++ b/auth/service.go
@@ -187,6 +187,17 @@ func (s *Service) AuthenticateRequest(r *http.Request) (RequestContext, error) {
 	if input.Presigned {
 		authType = "sigv4-presign"
 	}
+
+	// Admin API authorization is enforced in admin handlers (bootstrap-only).
+	// We still require valid SigV4 credentials here, but skip S3 action policy checks.
+	if strings.HasPrefix(r.URL.Path, "/_admin/") {
+		return RequestContext{
+			Authenticated: true,
+			AccessKeyID:   identity.AccessKeyID,
+			AuthType:      authType,
+		}, nil
+	}
+
 	return RequestContext{
 		Authenticated: true,
 		AccessKeyID:   identity.AccessKeyID,