From 134db72bb7c8e9b7ddf85526f9d1de83e0c4a3be Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 14 Feb 2024 10:37:12 -0800
Subject: [PATCH] fix: reject service account access key same as root credentials (#19055)
---
 cmd/admin-handlers-users.go | 5 +++++
 cmd/api-errors.go | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 593a8d88e..457334216 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -621,6 +621,11 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 return
 }
 
+ if createReq.AccessKey == globalActiveCred.AccessKey {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
+ return
+ }
+
 var (
 targetGroups []string
 err error
diff --git a/cmd/api-errors.go b/cmd/api-errors.go
index 59b5ed90b..ccde67ecb 100644
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@@ -2021,7 +2021,7 @@ var errorCodes = errorCodeMap{
 },
 ErrAddUserInvalidArgument: {
 Code: "XMinioInvalidIAMCredentials",
- Description: "User is not allowed to be same as admin access key",
+ Description: "Credential is not allowed to be same as admin access key",
 HTTPStatusCode: http.StatusForbidden,
 },
 ErrAdminResourceInvalidArgument: {
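Review bot: The root-key guard added in AddServiceAccount is enforced only in this HTTP handler, so any other path that creates service accounts (none is visible in this hunk) would still accept an access key equal to `globalActiveCred.AccessKey`; if such paths exist, the comparison belongs in the shared creation routine rather than in one handler. The diffstat shows no test file changed, so a regression test asserting that a request carrying the root access key is answered with `ErrAddUserInvalidArgument` would pin the behaviour. A short comment above the check would also help the next reader, for example `// A service account must never reuse the root access key; it would collide with the root credential.` The function body starts and ends outside the hunk, so where this check sits relative to the handler's authorization step cannot be confirmed from here.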