// Service accounts ops
		adminRouter.Methods(http.MethodPut).Path(adminVersion + "/add-service-account").HandlerFunc(adminMiddleware(adminAPI.AddServiceAccount))
		adminRouter.Methods(http.MethodPost).Path(adminVersion+"/update-service-account").HandlerFunc(adminMiddleware(adminAPI.UpdateServiceAccount)).Queries("accessKey", "{accessKey:.*}")

./mc admin service restart myminio --json
./mc ready myminio
./mc admin cluster iam import myminio docs/distributed/samples/myminio-iam-info.zip
sleep 10

# Verify the list of users and service accounts from the import
./mc admin user list myminio
USER_COUNT=$(./mc admin user list myminio | wc -l)
if [ "${USER_COUNT}" -ne 2 ]; then
	echo "BUG: Expected no of users: 2 Found: ${USER_COUNT}"
	exit 1
fi

OPA is enabled through MinIO's Access Management Plugin feature.

## Get started

### 1. Start OPA in a container

```sh
podman run -it \
    --name opa \
    --publish 8181:8181 \

		if s3Err != ErrNone {
			return nil, nil, false, errAuthentication
		}

		maps.Copy(claims.MapClaims, eclaims)

		// if root access is disabled, disable all its service accounts and temporary credentials.
		if ucred.ParentUser == globalActiveCred.AccessKey && !globalAPIConfig.permitRootAccess() {
			return nil, nil, false, errAccessKeyDisabled
		}

		// Now check if we have a sessionPolicy.

		return
	}

	// Permission checks:
	//
	// 1. Any type of account (i.e. access keys (previously/still called service
	// accounts), STS accounts, internal IDP accounts, etc) with the
	// policy.UpdateServiceAccountAdminAction permission can update any service
	// account.
	//
	// 2. We would like to let a user update their own access keys, however it

	// account or STS account):
	requestorUser := cred.AccessKey
	requestorParentUser := cred.AccessKey
	requestorGroups := cred.Groups
	requestorIsDerivedCredential := false
	if cred.IsServiceAccount() || cred.IsTemp() {
		requestorParentUser = cred.ParentUser
		requestorIsDerivedCredential = true
	}

	// Check if we are creating svc account for request sender.

##
podDisruptionBudget:
  enabled: false
  maxUnavailable: 1

## Specify the service account to use for the MinIO pods. If 'create' is set to 'false'
## and 'name' is left unspecified, the account 'default' will be used.
serviceAccount:
  create: true
  ## The name of the service account to use. If 'create' is 'true', a service account with that name
  ## will be created.
  name: "minio-sa"

metrics:
  serviceMonitor:

	}

	user, _, s3Err := getReqAccessKeyV4(r, globalSite.Region(), serviceSTS)
	if s3Err != ErrNone {
		return auth.Credentials{}, s3Err
	}

	// Temporary credentials or Service accounts cannot generate further temporary credentials.
	if user.IsTemp() || user.IsServiceAccount() {
		return auth.Credentials{}, ErrAccessDenied
	}

	// Session tokens are not allowed in STS AssumeRole requests.

     * Defines the root of the LDAP directory tree for user lookups.
     */
    @Size(max = 1000)
    public String ldapBaseDn;

    /**
     * LDAP filter for finding user accounts.
     * Defines the search filter used to locate user accounts in LDAP.
     */
    @Size(max = 1000)
    public String ldapAccountFilter;

    /**
     * LDAP filter for finding groups.

			stsPolicyMappingsCount++
			// If a service account's parent user is not in iamUsersMap, the
			// parent is an STS account. Such accounts may have a policy mapped
			// on the parent user, so we load them. This is not needed for the
			// initial server startup, however, it is needed for the case where
			// the STS account's policy mapping (for example in LDAP mode) may