if err != nil && err != errNoSuchUser {
			return
		}
		if isTemp {
			err = errIAMActionNotAllowed
			return
		}

		// When the user is root credential you are not allowed to
		// add policies for root user.
		if userOrGroup == globalActiveCred.AccessKey {
			err = errIAMActionNotAllowed
			return
		}

		// Validate that user exists.
		var userExists bool

	if err != nil {
		secretKey, err := getTokenSigningKey()
		if err != nil {
			return nil, err
		}
		// Session tokens for STS creds will be generated with root secret or site-replicator-0 secret
		jwtClaims, err = auth.ExtractClaims(u.Credentials.SessionToken, secretKey)
		if err != nil {
			return nil, err
		}
	}
	return jwtClaims, nil
}