return
			}
			for policyName, policy := range allPolicies {
				if policy.IsEmpty() {
					err = globalIAMSys.DeletePolicy(ctx, policyName, true)
					removed.Policies = append(removed.Policies, policyName)
				} else {
					_, err = globalIAMSys.SetPolicy(ctx, policyName, policy)
					added.Policies = append(added.Policies, policyName)
				}
				if err != nil {

		return
	}

	_, policyName, err := globalIAMSys.GetRolePolicy(roleArnStr)
	if err != nil {
		writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
		return
	}

	if newGlobalAuthZPluginFn() == nil { // if authZ is not set - we expect the policyname to be present.
		if globalIAMSys.CurrentPolicies(policyName) == "" {
			writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,

	g := errgroup.WithNErrs(len(policies))

	for index := range policies {
		g.Go(func() error {
			policyName := path.Dir(policies[index])
			policyDoc, err := iamOS.loadPolicy(ctx, policyName)
			if err != nil && !errors.Is(err, errNoSuchPolicy) {
				return fmt.Errorf("unable to load the policy doc `%s`: %w", policyName, err)
			}
			policyDocs[index] = policyDoc
			return nil
		}, index)
	}

func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string, notifyPeers bool) error {
	if !sys.Initialized() {
		return errServerNotInitialized
	}

	for _, v := range policy.DefaultPolicies {
		if v.Name == policyName {
			if err := checkConfig(ctx, globalObjectAPI, getPolicyDocPath(policyName)); err != nil && err == errConfigNotFound {

	if accessKey == "" || !cred.IsTemp() || cred.IsExpired() || cred.ParentUser == "" {
		return time.Time{}, errInvalidArgument
	}

	ttl := int64(cred.Expiration.Sub(UTCNow()).Seconds())

	cache := store.lock()
	defer store.unlock()

	if policyName != "" {
		mp := newMappedPolicy(policyName)

			cred.ParentUser = lookupResult.NormDN

			// Set this value to LDAP groups, LDAP user can be part
			// of large number of groups
			cred.Groups = targetGroups

			// Set the newly generated credentials, policyName is empty on purpose
			// LDAP policies are applied automatically using their ldapUser, ldapGroups
			// mapping.
			updatedAt, err := globalIAMSys.SetTempUser(context.Background(), cred.AccessKey, cred, "")

			return err
		}
	}
	return nil
}

func (ies *IAMEtcdStore) savePolicyDoc(ctx context.Context, policyName string, p PolicyDoc) error {
	return ies.saveIAMConfig(ctx, &p, getPolicyDocPath(policyName))
}

func (ies *IAMEtcdStore) saveMappedPolicy(ctx context.Context, name string, userType IAMUserType, isGroup bool, mp MappedPolicy, opts ...options) error {

func (sys *NotificationSys) DeletePolicy(ctx context.Context, policyName string) []NotificationPeerErr {
	ng := WithNPeers(len(sys.peerClients)).WithRetries(1)
	for idx, client := range sys.peerClients {
		ng.Go(ctx, func() error {
			if client == nil {
				return errPeerNotReachable
			}
			return client.DeletePolicy(ctx, policyName)
		}, idx, *client.host)
	}
	return ng.Wait()
}

	cred.ParentUser = lookupResult.NormDN

	// Set this value to LDAP groups, LDAP user can be part
	// of large number of groups
	cred.Groups = targetGroups

	// Set the newly generated credentials, policyName is empty on purpose
	// LDAP policies are applied automatically using their ldapUser, ldapGroups
	// mapping.
	updatedAt, err := globalIAMSys.SetTempUser(context.Background(), cred.AccessKey, cred, "")
	if err != nil {

// causes the named policy to be deleted.
func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *policy.Policy, updatedAt time.Time) error {
	var err error
	// skip overwrite of local update if peer sent stale info
	if !updatedAt.IsZero() {
		if p, err := globalIAMSys.store.GetPolicyDoc(policyName); err == nil && p.UpdateDate.After(updatedAt) {
			return nil
		}
	}
	if p == nil {