"metadata": {
                           "filter": "istio_authn",
                           "path": [
                            {
                             "key": "request.auth.claims"
                            },
                            {
                             "key": "iss"
                            }
                           ],
                           "value": {

			Action:          policy.GetObjectAction,
			BucketName:      bucketName,
			ConditionValues: getConditionValues(r, "", cred),
			IsOwner:         owner,
			ObjectName:      "",
			Claims:          cred.Claims,
		}) {
			rd = true
		}

		if globalIAMSys.IsAllowed(policy.Args{
			AccountName:     cred.AccessKey,
			Groups:          cred.Groups,
			Action:          policy.PutObjectAction,

	}

	// Verify the session token of the stsCred
	claims, err := auth.ExtractClaims(stsCred.SessionToken, secretKey)
	if err != nil {
		return fmt.Errorf("STS credential could not be verified: %w", err)
	}

	mapClaims := claims.Map()
	expiry, err := auth.ExpToInt64(mapClaims["exp"])
	if err != nil {
		return fmt.Errorf("Expiry claim was not found: %v: %w", mapClaims, err)
	}

- Promotes the ServiceAccountTokenJTI feature to GA, which adds a `jti` claim to issued service account tokens and embeds the `jti` claim as a `authentication.kubernetes.io/credential-id=["JTI=..."]` value in user extra info

    server.enqueue(builder.build())
    server.enqueue(builder.build())
    val inputStream = getResponse(newRequest("/")).body.byteStream()
    assertThat(inputStream.markSupported(), "This implementation claims to support mark().")
      .isFalse()
    inputStream.mark(5)
    assertThat(readAscii(inputStream, 5)).isEqualTo("ABCDE")
    assertFailsWith<IOException> {
      inputStream.reset()
    }

// citic : 2014-01-09 CITIC Group Corporation
citic

// city : 2014-05-29 Binky Moon, LLC
city

// cityeats : 2014-12-11 Lifestyle Domain Holdings, Inc.
cityeats

// claims : 2014-03-20 Binky Moon, LLC
claims

// cleaning : 2013-12-05 Binky Moon, LLC
cleaning

// click : 2014-06-05 Internet Naming Company LLC
click

// clinic : 2014-03-20 Binky Moon, LLC
clinic

AAO,GAAI5B,GAASJ,EAAAA,QAAE0B,MAAMiC,QAE1CA,IACHA,EAAO,IAAIkS,EAASnU,KAAMkC,GAC1B5D,EAAAA,QAAE0B,MAAMiC,KAAK7D,GAAU6D,IAGA,iBAAdwG,GAA0B,yBAAyBtG,KAAKsG,IACjExG,EAAKwG,WAhJP0L,GA2JN7V,EAAAA,QAAE8D,UAAUN,GAAG,QAAS6R,IAAwB,SAAAtR,GAC9CA,EAAMC,iBAEN,IAAImS,EAASpS,EAAMqS,cAEc,aAA7BpW,EAAAA,QAAEmW,GAAQxS,KAAK,YACjBwS,EAASnW,EAAAA,QAAEmW,GAAQE,QAAQhB,KAG7BQ,GAASpS,iBAAiBlB,KAAKvC,EAAAA,QAAEmW,GAAS,aAG5CnW,EAAAA,QAAEwI,QAAQhF,GAAG,QAAQ,WACnBqS,GAASpS,iBAAiBlB,KAAKvC,EAAAA,QAAEqV,QAQnCrV,EAAAA,QAAEC,GAA...

UtN,EAAO6Q,EAAMtL,EAAQ4C,GACpE,IAAI2I,EAAUvL,EAAOF,QAAQ4M,cAAcjS,EAAOmI,EAAO5C,EAAOzB,SAEjD,MAAXgN,EACAD,EAAKqB,EAAIpB,EAET5O,EAAgBqD,GAAQ1B,eAAiB7D,IAIjDsN,GAAkB,CAAC,IAAK,IAAK,KAAM,SAAUtN,EAAO6Q,EAAMtL,EAAQ4C,GAC9D0I,EAAK1I,GAASuC,EAAM1K,KAkCxB,IAAImS,GAAwB,2DAA2DxD,MAC/E,KAEJyD,GAA6B,8BAA8BzD,MAAM,KACjE0D,GAA2B,uBAAuB1D,MAAM,KACxD2D,GAAuBhG,GACvBiG,GAA4BjG,GAC5BkG,GAA0BlG,GAiR9B,SAASmG,KACL,SAASpD,EAAU7O,EAAGC,GAClB,OAAOA,EAAEK,OAASN,EAAEM,OAYxB,IATA,IAKIgI,EACA4J,EACAC,EACAC,EARAC,EAAY,GACZv...