expiry = requestedDuration
	}

	parentUser := "custom" + getKeySeparator() + res.Success.User

	// metadata map
	claims[expClaim] = UTCNow().Add(time.Duration(expiry) * time.Second).Unix()
	claims[subClaim] = parentUser
	claims[roleArnClaim] = roleArn.String()
	claims[parentClaim] = parentUser
	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
	if tokenRevokeType != "" {

	}) {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
		return
	}

	if selfOnly && len(userList) == 0 {
		selfDN := cred.AccessKey
		if cred.ParentUser != "" {
			selfDN = cred.ParentUser
		}
		userList = append(userList, selfDN)
	}

	listType := r.Form.Get("listType")
	var listSTSKeys, listServiceAccounts bool
	switch listType {
	case madmin.AccessKeyListUsersOnly:

		IsOwner:         owner,
		Claims:          cred.Claims,
	})

	if !adminPrivilege {
		parentUser := cred.AccessKey
		if cred.ParentUser != "" {
			parentUser = cred.ParentUser
		}
		if svcAccount.ParentUser != "" && parentUser != svcAccount.ParentUser {
			// The service account belongs to another user but return not
			// found error to mitigate brute force attacks. or the

	// root user.
	if newCred.ParentUser != globalActiveCred.AccessKey {
		replLogIf(ctx, globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
			Type: madmin.SRIAMItemSvcAcc,
			SvcAccChange: &madmin.SRSvcAccChange{
				Create: &madmin.SRSvcAccCreate{
					Parent:        newCred.ParentUser,
					AccessKey:     newCred.AccessKey,
					SecretKey:     newCred.SecretKey,

	for parentUser, info := range parentUsers {
		if !sys.LDAPConfig.IsLDAPUserDN(parentUser) {
			continue
		}

		if info.subClaimValue != "" {
			// we need to ask LDAP about the actual user DN not normalized DN.
			allDistNames = append(allDistNames, info.subClaimValue)
		} else {
			allDistNames = append(allDistNames, parentUser)
		}
	}

		if ucred.ParentUser == globalActiveCred.AccessKey && !globalAPIConfig.permitRootAccess() {
			return nil, nil, false, errAccessKeyDisabled
		}

		// Now check if we have a sessionPolicy.
		if _, ok = eclaims[policy.SessionPolicyName]; ok {
			owner = false
		} else {
			owner = globalActiveCred.AccessKey == ucred.ParentUser
		}

		groups = ucred.Groups
	}

	defer store.unlock()

	accessKey := cred.AccessKey
	parentUser := cred.ParentUser

	// Found newly requested service account, to be an existing account -
	// reject such operation (updates to the service account are handled in
	// a different API).
	if su, found := cache.iamUsersMap[accessKey]; found {
		scred := su.Credentials
		if scred.ParentUser != parentUser {

				Type: madmin.SRIAMItemSTSAcc,
				STSCredential: &madmin.SRSTSCredential{
					AccessKey:    cred.AccessKey,
					SecretKey:    cred.SecretKey,
					SessionToken: cred.SessionToken,
					ParentUser:   cred.ParentUser,
				},
				UpdatedAt: updatedAt,
			}))

			mcreds = credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, cred.SessionToken)
		} else {

		Type: madmin.SRIAMItemSTSAcc,
		STSCredential: &madmin.SRSTSCredential{
			AccessKey:    cred.AccessKey,
			SecretKey:    cred.SecretKey,
			SessionToken: cred.SessionToken,
			ParentUser:   cred.ParentUser,
		},
		UpdatedAt: updatedAt,
	}))

	return &ssh.Permissions{
		CriticalOptions: map[string]string{
			"AccessKey":    cred.AccessKey,
			"SecretKey":    cred.SecretKey,

		},
		UserRequest: levent.UserRequest{
			URL:     r.URL.String(),
			Headers: r.Header.Clone(),
		},
		UserIdentity: levent.Identity{
			Type:        "IAMUser",
			PrincipalID: cred.ParentUser,
			AccessKeyID: cred.AccessKey,
		},
	}
	return eventData, nil
}

func fwdHeadersToS3(h http.Header, w http.ResponseWriter) {
	const trim = "x-amz-fwd-header-"
	for k, v := range h {