From fe5d5998022c6b8ef86521452f1f3b37f8af46e0 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 22 Jan 2020 01:39:46 -0800
Subject: [PATCH] fix: STS creds without "aud" should be honored with STS checks (#8868)
Fixes #8865
---
 cmd/iam.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/cmd/iam.go b/cmd/iam.go
index cfcf994bb..ece6955fb 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1367,8 +1367,13 @@ func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
 return true
 }
- // With claims set, we should do STS related checks and validation.
- if _, ok := args.Claims["aud"]; ok {
+ // If the credential is temporary, perform STS related checks.
+ ok, err := sys.IsTempUser(args.AccountName)
+ if err != nil {
+ logger.LogIf(context.Background(), err)
+ return false
+ }
+ if ok {
 return sys.IsAllowedSTS(args)
 }
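Review bot: The new comment above `ok, err := sys.IsTempUser(args.AccountName)` says what is done but not why the `aud` test was dropped, and that reason is the security-relevant part: with the old condition, a temporary credential whose claims lacked `aud` skipped `IsAllowedSTS` and fell through to whatever follows this branch (presumably the regular-user policy path). I would write it as `// Route on the stored credential type, not on the presence of the "aud" claim, which may be absent from valid STS credentials.` The diffstat shows only cmd/iam.go changed, so no regression test pins the case of an STS credential without `aud`; one belongs with an authorization fix like this. `IsTempUser` is not visible here: if it returns an error for account names it does not know, the `return false` branch fails closed as it should, but each such request is also logged through `logger.LogIf` with `context.Background()`, which carries no request details for whoever triages the log. IsAllowed begins and ends outside this hunk.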