/**
 * Decides whether IAM policy lets the caller perform every one of the required S3 actions
 * on the given resource, i.e. whether the user is allowed within their own account.
 *
 * <p>Each action must pass {@code Permissions.isAuthorized} and, when that succeeds,
 * {@code Permissions.canAllocate} for the requested allocation size. One failing action
 * makes the overall result {@code false}. Default-deny for an individual action is left
 * to {@code Permissions.isAuthorized}.
 *
 * <p>NOTE(review): an empty {@code requiredActions} array runs no check at all and yields
 * {@code true}. Callers must always pass at least one action; confirm that every call
 * site does. A {@code null} array throws {@link NullPointerException}.
 *
 * @param authContext supplier of the caller's auth context, forwarded to the policy checks
 * @param requiredActions actions that must all be allowed
 * @param resourceType policy resource type being accessed
 * @param resourceId identifier of the resource being accessed
 * @param resourceAllocationSize size forwarded to the allocation check
 * @return {@code true} only if every required action passed both checks; never {@code null}
 */
private static Boolean iamPermissionsAllow(
    final AuthContextSupplier authContext,
    final String[] requiredActions,
    final String resourceType,
    final String resourceId,
    final long resourceAllocationSize) {
  boolean everyActionPermitted = true;

  // Deliberately no early exit: every action is evaluated even after a denial, as before.
  for (final String requiredAction : requiredActions) {
    // The resource owner account is passed as null on purpose. Supplying it would make IAM
    // reject requests that the ACL checks accepted; cross-account access is decided by ACLs.
    final boolean authorized =
        Permissions.isAuthorized(
            PolicySpec.VENDOR_S3, resourceType, resourceId, null, requiredAction, authContext);

    // The allocation check is consulted only for actions that were authorized.
    final boolean permitted =
        authorized
            && Permissions.canAllocate(
                PolicySpec.VENDOR_S3,
                resourceType,
                resourceId,
                requiredAction,
                authContext,
                resourceAllocationSize);

    // Any single denial overrides all allows.
    if (!permitted) {
      everyActionPermitted = false;
    }
  }

  return everyActionPermitted;
}