method     string
		bucketName string
		accessKey  string
		secretKey  string
		// Sent body
		body []byte
		// Expected response
		expectedRespStatus int
		lifecycleResponse  []byte
		errorResponse      APIErrorResponse
		shouldPass         bool
	}{
		// GET empty credentials
		{
			method: http.MethodGet, bucketName: bucketName,
			accessKey:          "",
			secretKey:          "",

}

// SetAccessKey sets access key as jwt subject and custom
// "accessKey" field.
func (c *StandardClaims) SetAccessKey(accessKey string) {
	c.Subject = accessKey
	c.AccessKey = accessKey
}

// Valid - implements https://godoc.org/github.com/golang-jwt/jwt#Claims compatible
// claims interface, additionally validates "accessKey" fields.
func (c *StandardClaims) Valid() error {

ect"],"Resource":["arn:aws:s3:::*"]}]}} iam-assets/users.json {} iam-assets/groups.json {} iam-assets/svcaccts.json {"bobfisher-svcacct-1":{"parent":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","accessKey":"bobfisher-svcacct-1","secretKey":"bobfisher-svcacct-1","groups":null,"claims":{"accessKey":"bobfisher-svcacct-1","ldapActualUser":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","ldapUser":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","ldapUsername":"bobfisher","parent":"uid=bobfisher...

	}

	claims, s3Err := checkClaimsFromToken(r, cred)
	if s3Err != ErrNone {
		return cred, false, s3Err
	}
	cred.Claims = claims

	owner := cred.AccessKey == globalActiveCred.AccessKey || (cred.ParentUser == globalActiveCred.AccessKey && cred.AccessKey != siteReplicatorSvcAcc)
	if owner && !globalAPIConfig.permitRootAccess() {
		// We disable root access and its service accounts if asked for.

func validateCredentialfields(t *testing.T, testNum int, expectedCredentials credentialHeader, actualCredential credentialHeader) {
	if expectedCredentials.accessKey != actualCredential.accessKey {
		t.Errorf("Test %d: AccessKey mismatch: Expected \"%s\", got \"%s\"", testNum, expectedCredentials.accessKey, actualCredential.accessKey)
	}
	if !expectedCredentials.scope.date.Equal(actualCredential.scope.date) {

			if err != nil {
				return nil, err
			}

			// Call hook for site replication.
			replLogIf(context.Background(), globalSiteReplicationSys.IAMChangeHook(context.Background(), madmin.SRIAMItem{
				Type: madmin.SRIAMItemSTSAcc,
				STSCredential: &madmin.SRSTSCredential{
					AccessKey:    cred.AccessKey,
					SecretKey:    cred.SecretKey,

	switch {
	case usersPrefix:
		accessKey := path.Dir(strings.TrimPrefix(event.keyPath, iamConfigUsersPrefix))
		err = sys.store.UserNotificationHandler(ctx, accessKey, regUser)
	case stsPrefix:
		accessKey := path.Dir(strings.TrimPrefix(event.keyPath, iamConfigSTSPrefix))
		err = sys.store.UserNotificationHandler(ctx, accessKey, stsUser)
	case svcPrefix:

#    endpoint: "http://127.0.0.1:9000"
#    # path: "on|off|auto" # "on" enables path-style bucket lookup. "off" enables virtual host (DNS)-style bucket lookup. Defaults to "auto"
#    credentials:
#      accessKey: minioadmin # Required
#      secretKey: minioadmin # Required
#    # sessionToken: SESSION-TOKEN # Optional only available when rotating credentials are used
    snowball: # automatically activated if the source is local

	defer cancel()

	accessKey, secretKey := mustGenerateCredentials(c)
	err := s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
	if err != nil {
		c.Fatalf("Unable to set user: %v", err)
	}

	userReq := madmin.PolicyAssociationReq{
		Policies: []string{"readwrite"},
		User:     accessKey,
	}
	if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil {

					_ = store.deleteUserIdentity(ctx, u.AccessKey, svcUser)
					delete(cache.iamUsersMap, u.AccessKey)
				case u.IsTemp():
					_ = store.deleteUserIdentity(ctx, u.AccessKey, stsUser)
					delete(cache.iamSTSAccountsMap, u.AccessKey)
					delete(cache.iamUsersMap, u.AccessKey)
				}
				if store.group != nil {
					store.group.Forget(u.AccessKey)
				}
			}
		}
	}