//
	// However, for a policy like `{"Statement":[]}`, the intention is to not
	// provide any permissions via the session policy - i.e. the service account
	// can do nothing (such a JSON could be generated by an external application
	// as the policy for the service account). Inheriting the parent policy in
	// such a case, is a security issue. Ideally, we should not allow such
	// behavior, but for compatibility with the Console, we currently allow it.

	if err != nil {
		return err
	}

	if token != "" {
		req.Header.Set("Authorization", token)
	}
	req.Header.Set("Content-Type", "application/json")

	clnt := http.Client{Transport: getRemoteInstanceTransport()}
	resp, err := clnt.Do(req)
	if err != nil {
		return err
	}

	xhttp.DrainBody(resp.Body)
	if resp.StatusCode != http.StatusOK {

		return
	}

	// Ensure body content type is opaque to ensure that request body has not
	// been interpreted as form data.
	contentType := r.Header.Get("Content-Type")
	if contentType != "application/octet-stream" {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
		return
	}

	operation := mux.Vars(r)["operation"]
	if operation != "attach" && operation != "detach" {

	// create xlStorage test setup
	xlStorage, _, err := newXLStorageTestSetup(t)