continue
			}
		}

		if listServiceAccounts {
			serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, internalDN)
			if err != nil {
				writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
				return
			}
			for _, svc := range serviceAccounts {
				accessKeys.ServiceAccounts = append(accessKeys.ServiceAccounts, madmin.ServiceAccountInfo{
					AccessKey:   svc.AccessKey,

				continue
			}
		}

		if listServiceAccounts {
			serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, user)
			if err != nil {
				writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
				return
			}
			for _, svc := range serviceAccounts {
				accessKeys.ServiceAccounts = append(accessKeys.ServiceAccounts, madmin.ServiceAccountInfo{
					AccessKey:  svc.AccessKey,

		}
		svcAccInfo := madmin.ServiceAccountInfo{
			AccessKey:  accessKey.AccessKey,
			Expiration: &accessKey.Expiration,
		}
		if accessKey.IsServiceAccount() {
			openIDUserAccessKeys.ServiceAccounts = append(openIDUserAccessKeys.ServiceAccounts, svcAccInfo)
		} else {
			openIDUserAccessKeys.STSKeys = append(openIDUserAccessKeys.STSKeys, svcAccInfo)
		}
		cfgToUsersMap[matchingCfgName][accessKey.ParentUser] = openIDUserAccessKeys
	}

	cache := store.rlock()
	defer store.runlock()

	var serviceAccounts []auth.Credentials
	for _, u := range cache.iamUsersMap {
		v := u.Credentials
		if accessKey != "" && v.ParentUser == accessKey {
			if v.IsServiceAccount() {
				// Hide secret key & session key here
				v.SecretKey = ""
				v.SessionToken = ""
				serviceAccounts = append(serviceAccounts, v)
			}
		}
	}

	// Service accounts are the static accounts that should be synced with
	// valid claims.
	{
		serviceAccounts := make(map[string]UserIdentity)
		err := globalIAMSys.store.loadUsers(ctx, svcUser, serviceAccounts)
		if err != nil {
			return errSRBackendIssue(err)
		}

		for user, acc := range serviceAccounts {
			if user == siteReplicatorSvcAcc {
				// skip the site replicate svc account as it is

	if err != nil {
		c.Fatalf("Unable to list access keys: %v", err)
	}

	epochTime := time.Unix(0, 0).UTC()
	expectedAccKeys := madmin.ListAccessKeysLDAPResp{
		ServiceAccounts: []madmin.ServiceAccountInfo{
			{
				AccessKey:  "u4ccRswj62HV3Ifwima7",
				Expiration: &epochTime,
			},
		},
	}

	if !reflect.DeepEqual(expectedAccKeys, res) {

podDisruptionBudget:
  enabled: false
  maxUnavailable: 1

## Specify the service account to use for the MinIO pods. If 'create' is set to 'false'
## and 'name' is left unspecified, the account 'default' will be used.
serviceAccount:
  create: true
  ## The name of the service account to use. If 'create' is 'true', a service account with that name
  ## will be created.
  name: "minio-sa"

metrics:
  serviceMonitor:

  - [Important Security Information](#important-security-information-1)
    - [CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin](#cve-2024-3177-bypassing-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin)
  - [Changes by Kind](#changes-by-kind-6)
    - [Feature](#feature-4)
    - [Bug or Regression](#bug-or-regression-6)
  - [Dependencies](#dependencies-6)

- Allowed creating ServiceAccount tokens bound to Node objects.
  This allows users to bind a service account token's validity to a named Node object, similar to Pod bound tokens.

- ServiceAccount metadata.annotations[kubernetes.io/enforce-mountable-secrets]: deprecated since v1.32; no removal deadline. Prefer separate namespaces to isolate access to mounted secrets. ([#128396](https://github.com/kubernetes/kubernetes/pull/128396), [@r...