svc: Assume Access Key creation to be permitted

Anis Eleuch · Anis Eleuch · commit 9e3df37eae90 · 2024-05-01T16:40:41.000+01:00
Adding this policy will make the user not able to create a service account anymore:

```
    {
      "Effect": "Deny",
      "Action": [
              "admin:CreateServiceAccount"
      ],
      "Condition": {
              "NumericGreaterThanIfExists": {"svc:DurationSeconds": "1500"}
      }
    },

```

The reason is that policy.IsAllowedActions() is called with conditions from the user login.

Assume svc account creation to be possible for now until we come up with a better fix
diff --git a/api/user_session.go b/api/user_session.go
@@ -139,8 +139,11 @@ func getSessionResponse(ctx context.Context, session *models.Principal) (*models
 
 	defaultActions := policy.IsAllowedActions("", "", conditionValues)
 
+	consoleDefaultActions := defaultActions.Clone()
+	consoleDefaultActions.Add(minioIAMPolicy.Action(minioIAMPolicy.CreateServiceAccountAdminAction))
+
 	permissions := map[string]minioIAMPolicy.ActionSet{
-		ConsoleResourceName: defaultActions,
+		ConsoleResourceName: consoleDefaultActions,
 	}
 	deniedActions := map[string]minioIAMPolicy.ActionSet{}
 
