s3Err = authenticateRequest(ctx, r, action)
	reqInfo := logger.GetReqInfo(ctx)
	if reqInfo == nil {
		return cred, owner, ErrAccessDenied
	}

	cred = reqInfo.Cred
	owner = reqInfo.Owner
	if s3Err != ErrNone {
		return cred, owner, s3Err
	}

	return cred, owner, authorizeRequest(ctx, r, action)
}

	if color.IsTerminal() && (!globalServerCtxt.Anonymous && !globalServerCtxt.JSON && globalAPIConfig.permitRootAccess()) {
		logger.Startup(color.Blue("   RootUser: ") + color.Bold("%s ", cred.AccessKey))
		logger.Startup(color.Blue("   RootPass: ") + color.Bold("%s \n", cred.SecretKey))
		if region != "" {
			logger.Startup(color.Blue("   Region: ") + color.Bold("%s", fmt.Sprintf(getFormatStr(len(region), 2), region)))
		}
	}

func mustNewSignedRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
	req := mustNewRequest(method, urlStr, contentLength, body, t)
	cred := globalActiveCred
	if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
		t.Fatalf("Unable to initialized new signed http request %s", err)
	}
	return req
}

// This is similar to mustNewRequest but additionally the request

	}
	testCases := []struct {
		cred           Credentials
		ccred          Credentials
		expectedResult bool
	}{
		// Same Credentialss.
		{cred, cred, true},
		// Empty credentials to compare.
		{cred, Credentials{}, false},
		// Empty credentials.
		{Credentials{}, cred, false},
		// Two different credentialss
		{cred, cred2, false},
		// Access key is different in credentials to compare.

	// Find the user for the request sender (as it may be sent via a service
	// account or STS account):
	requestorUser := cred.AccessKey
	requestorParentUser := cred.AccessKey
	requestorGroups := cred.Groups
	requestorIsDerivedCredential := false
	if cred.IsServiceAccount() || cred.IsTemp() {
		requestorParentUser = cred.ParentUser
		requestorIsDerivedCredential = true
	}

	// Check if we are creating svc account for request sender.

	if s3Err != ErrNone {
		return auth.Credentials{}, s3Err
	}

	r := &http.Request{Header: formValues}
	cred, _, s3Err := checkKeyValid(r, credHeader.accessKey)
	if s3Err != ErrNone {
		return cred, s3Err
	}

	// Get signing key.
	signingKey := getSigningKey(cred.SecretKey, credHeader.scope.date, credHeader.scope.region, serviceS3)

	// Get signature.

	extractedSignedHeaders, errCode := extractSignedHeaders(signV4Values.SignedHeaders, r)
	if errCode != ErrNone {
		return cred, "", "", time.Time{}, errCode
	}

	cred, _, errCode = checkKeyValid(r, signV4Values.Credential.accessKey)
	if errCode != ErrNone {
		return cred, "", "", time.Time{}, errCode
	}

	// Verify if region is valid.
	region = signV4Values.Credential.scope.region

		duration = time.Hour
	}

	clnt, err := miniogo.New(host, &miniogo.Options{
		Creds:     credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, cred.SessionToken),
		Secure:    secure,
		Transport: globalRemoteTargetTransport,
		Region:    globalSite.Region(),
	})
	if err != nil {
		return levent.Event{}, err
	}

	reqParams := url.Values{}
	if partNumberStr := r.Form.Get("partNumber"); partNumberStr != "" {

	r := &http.Request{Header: formValues}
	cred, _, s3Err := checkKeyValid(r, accessKey)
	if s3Err != ErrNone {
		return cred, s3Err
	}
	policy := formValues.Get("Policy")
	signature := formValues.Get(xhttp.AmzSignatureV2)
	if !compareSignatureV2(signature, calculateSignatureV2(policy, cred.SecretKey)) {
		return cred, ErrSignatureDoesNotMatch
	}
	return cred, ErrNone
}

func checkKMSActionAllowed(r *http.Request, owner bool, cred auth.Credentials, action policy.KMSAction, resource string) bool {
	return globalIAMSys.IsAllowed(policy.Args{
		AccountName:     cred.AccessKey,
		Groups:          cred.Groups,
		Action:          policy.Action(action),
		ConditionValues: getConditionValues(r, "", cred),
		IsOwner:         owner,
		Claims:          cred.Claims,