// Only consider service account or STS credentials with
		// non-empty session tokens.
		if !(cred.IsServiceAccount() || cred.IsTemp()) ||
			cred.SessionToken == "" {
			continue
		}

		var (
			err    error
			claims *jwt.MapClaims
		)

		if cred.IsServiceAccount() {
			claims, err = getClaimsFromTokenWithSecret(cred.SessionToken, cred.SecretKey)
		} else if cred.IsTemp() {

}

// IsServiceAccount - returns whether credential is a service account or not
func (cred Credentials) IsServiceAccount() bool {
	_, ok := cred.Claims[iamPolicyClaimNameSA]
	return cred.ParentUser != "" && ok
}

// IsImpliedPolicy - returns if the policy is implied via ParentUser or not.
func (cred Credentials) IsImpliedPolicy() bool {
	if cred.IsServiceAccount() {

	}

	if token == "" && cred.IsTemp() && !cred.IsServiceAccount() {
		// Temporary credentials should always have x-amz-security-token
		return nil, ErrInvalidToken
	}

	if token != "" && !cred.IsTemp() {
		// x-amz-security-token should not present for static credentials.
		return nil, ErrInvalidToken
	}

	return false, "", nil
}

// IsServiceAccount - returns if given key is a service account
func (sys *IAMSys) IsServiceAccount(name string) (bool, string, error) {
	if !sys.Initialized() {
		return false, "", errServerNotInitialized
	}

	u, found := sys.store.GetUser(name)
	if !found {
		return false, "", errNoSuchUser
	}
	cred := u.Credentials
	if cred.IsServiceAccount() {
		return true, cred.ParentUser, nil

	currTime := UTCNow()

	var (
		username = cred.AccessKey
		claims   = cred.Claims
		groups   = cred.Groups
	)

	if cred.IsTemp() || cred.IsServiceAccount() {
		// For derived credentials, check the parent user's permissions.
		username = cred.ParentUser
	}

	principalType := "Anonymous"
	if username != "" {
		principalType = "User"
		if len(claims) > 0 {

	if exists && (user.Credentials.IsTemp() || user.Credentials.IsServiceAccount()) {
		// Updating STS credential is not allowed, and this API does not
		// support updating service accounts.
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
		return
	}

	if (cred.IsTemp() || cred.IsServiceAccount()) && cred.ParentUser == accessKey {

	// account or STS account):
	requestorUser := cred.AccessKey
	requestorParentUser := cred.AccessKey
	requestorGroups := cred.Groups
	requestorIsDerivedCredential := false
	if cred.IsServiceAccount() || cred.IsTemp() {
		requestorParentUser = cred.ParentUser
		requestorIsDerivedCredential = true
	}

	// Check if we are creating svc account for request sender.
	isSvcAccForRequestor := false

	if s3Err != ErrNone {
		return auth.Credentials{}, s3Err
	}

	// Temporary credentials or Service accounts cannot generate further temporary credentials.
	if user.IsTemp() || user.IsServiceAccount() {
		return auth.Credentials{}, ErrAccessDenied
	}

	// Session tokens are not allowed in STS AssumeRole requests.
	if getSessionToken(r) != "" {
		return auth.Credentials{}, ErrAccessDenied
	}

			continue
		}

		peerName := info.Sites[dID].Name

		u, ok := globalIAMSys.GetUser(ctx, user)
		if !ok {
			continue
		}
		creds := u.Credentials
		if creds.IsServiceAccount() {
			claims, err := globalIAMSys.GetClaimsForSvcAcc(ctx, creds.AccessKey)
			if err != nil {
				replLogOnceIf(ctx,