notValues: ["not-presenter", "not-presenter-prefix-*", "*-not-suffix-presenter", "*"]
        - key: "request.auth.claims[iss]"
          values: ["iss", "iss-prefix-*", "*-suffix-iss", "*"]
          notValues: ["not-iss", "not-iss-prefix-*", "*-not-suffix-iss", "*"]
        - key: "request.auth.claims[nested1][nested2]"
          values: ["nested", "nested-prefix-*", "*-suffix-nested", "*"]

// pass as arguments to an exec.Command.
//
// Windows has a limit of 32 KB. To be conservative and not worry about whether
// that includes spaces or not, just use 30 KB. Darwin's limit is less clear.
// The OS claims 256KB, but we've seen failures with arglen as small as 50KB.

				return cred, false, ErrAccessKeyDisabled
			}
			return cred, false, ErrInvalidAccessKeyID
		}
		cred = u.Credentials
	}

	claims, s3Err := checkClaimsFromToken(r, cred)
	if s3Err != ErrNone {
		return cred, false, s3Err
	}
	cred.Claims = claims

	owner := cred.AccessKey == globalActiveCred.AccessKey || (cred.ParentUser == globalActiveCred.AccessKey && cred.AccessKey != siteReplicatorSvcAcc)

	// Resource is the name of the resource this rule applies to.
	// For example, if the administrator wants to limit consumption
	// of a storage resource associated with persistent volume claims,
	// the value would be "persistentvolumeclaims".
	Resource string `json:"resource"`

	// For each intercepted request, the quota system will evaluate
	// its resource usage.  It will iterate through each resource consumed

	// Resource is the name of the resource this rule applies to.
	// For example, if the administrator wants to limit consumption
	// of a storage resource associated with persistent volume claims,
	// the value would be "persistentvolumeclaims".
	Resource string `json:"resource"`

	// For each intercepted request, the quota system will evaluate
	// its resource usage.  It will iterate through each resource consumed

       namespaces: ["test"]
   to:
   - operation:
       methods: ["GET"]
       paths: ["/info*"]
   - operation:
       methods: ["POST"]
       paths: ["/data"]
   when:
   - key: request.auth.claims[iss]

	// Resource is the name of the resource this rule applies to.
	// For example, if the administrator wants to limit consumption
	// of a storage resource associated with persistent volume claims,
	// the value would be "persistentvolumeclaims".
	Resource string `json:"resource"`

	// For each intercepted request, the quota system will evaluate
	// its resource usage.  It will iterate through each resource consumed

decode the id_token to access the payload of the token that includes following JWT claims, `policy` claim is mandatory and should be present as part of your JWT claim. Without this claim the generated credentials will not have access to any resources on the server, using these credentials application would receive 'Access Denied' errors.

| Claim Name | Type                                              | Claim Value                                                                           ...

import, and otherwise transfer the Work, where such license applies only to 
those patent claims licensable by such Contributor that are necessarily 
infringed by their Contribution(s) alone or by combination of their 
Contribution(s) with the Work to which such Contribution(s) was submitted. 
If You institute patent litigation against any entity (including a 
cross-claim or counterclaim in a lawsuit) alleging that the Work or a 

       namespaces: ["test"]
   to:
   - operation:
       methods: ["GET"]
       paths: ["/info*"]
   - operation:
       methods: ["POST"]
       paths: ["/data"]
   when:
   - key: request.auth.claims[iss]