MyFSIO v0.3.7 Release

Reviewed-on: #30
2026-03-09 06:25:50 +00:00
parent eb0e435a5a c6e368324a
commit 2a0e77a754
11 changed files with 596 additions and 69 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -130,6 +130,7 @@ def create_app(
        Path(app.config["IAM_CONFIG"]),
        auth_max_attempts=app.config.get("AUTH_MAX_ATTEMPTS", 5),
        auth_lockout_minutes=app.config.get("AUTH_LOCKOUT_MINUTES", 15),
        encryption_key=app.config.get("SECRET_KEY"),
    )
    bucket_policies = BucketPolicyStore(Path(app.config["BUCKET_POLICY_PATH"]))
    secret_store = EphemeralSecretStore(default_ttl=app.config.get("SECRET_TTL_SECONDS", 300))
--- a/app/iam.py
+++ b/app/iam.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
 import base64
 import hashlib
 import hmac
 import json
@@ -14,6 +15,8 @@ from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from typing import Any, Deque, Dict, Iterable, List, Optional, Sequence, Set, Tuple
 from cryptography.fernet import Fernet, InvalidToken
 class IamError(RuntimeError):
    """Raised when authentication or authorization fails."""
@@ -107,13 +110,24 @@ class Principal:
    policies: List[Policy]
 def _derive_fernet_key(secret: str) -> bytes:
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), b"myfsio-iam-encryption", 100_000)
    return base64.urlsafe_b64encode(raw)
 _IAM_ENCRYPTED_PREFIX = b"MYFSIO_IAM_ENC:"
 class IamService:
    """Loads IAM configuration, manages users, and evaluates policies."""
-    def __init__(self, config_path: Path, auth_max_attempts: int = 5, auth_lockout_minutes: int = 15) -> None:
+    def __init__(self, config_path: Path, auth_max_attempts: int = 5, auth_lockout_minutes: int = 15, encryption_key: str | None = None) -> None:
        self.config_path = Path(config_path)
        self.auth_max_attempts = auth_max_attempts
        self.auth_lockout_window = timedelta(minutes=auth_lockout_minutes)
        self._fernet: Fernet | None = None
        if encryption_key:
            self._fernet = Fernet(_derive_fernet_key(encryption_key))
        self.config_path.parent.mkdir(parents=True, exist_ok=True)
        if not self.config_path.exists():
            self._write_default()
@@ -145,6 +159,19 @@ class IamService:
        except OSError:
            pass
    def _check_expiry(self, access_key: str, record: Dict[str, Any]) -> None:
        expires_at = record.get("expires_at")
        if not expires_at:
            return
        try:
            exp_dt = datetime.fromisoformat(expires_at)
            if exp_dt.tzinfo is None:
                exp_dt = exp_dt.replace(tzinfo=timezone.utc)
            if datetime.now(timezone.utc) >= exp_dt:
                raise IamError(f"Credentials for '{access_key}' have expired")
        except (ValueError, TypeError):
            pass
    def authenticate(self, access_key: str, secret_key: str) -> Principal:
        self._maybe_reload()
        access_key = (access_key or "").strip()
@@ -161,6 +188,7 @@ class IamService:
        if not record or not hmac.compare_digest(stored_secret, secret_key):
            self._record_failed_attempt(access_key)
            raise IamError("Invalid credentials")
        self._check_expiry(access_key, record)
        self._clear_failed_attempts(access_key)
        return self._build_principal(access_key, record)
@@ -288,12 +316,16 @@ class IamService:
        if cached:
            principal, cached_time = cached
            if now - cached_time < self._cache_ttl:
                record = self._users.get(access_key)
                if record:
                    self._check_expiry(access_key, record)
                return principal
        self._maybe_reload()
        record = self._users.get(access_key)
        if not record:
            raise IamError("Unknown access key")
        self._check_expiry(access_key, record)
        principal = self._build_principal(access_key, record)
        self._principal_cache[access_key] = (principal, now)
        return principal
@@ -303,6 +335,7 @@ class IamService:
        record = self._users.get(access_key)
        if not record:
            raise IamError("Unknown access key")
        self._check_expiry(access_key, record)
        return record["secret_key"]
    def authorize(self, principal: Principal, bucket_name: str | None, action: str) -> None:
@@ -347,6 +380,7 @@ class IamService:
                {
                    "access_key": access_key,
                    "display_name": record["display_name"],
                    "expires_at": record.get("expires_at"),
                    "policies": [
                        {"bucket": policy.bucket, "actions": sorted(policy.actions)}
                        for policy in record["policies"]
@@ -362,20 +396,25 @@ class IamService:
        policies: Optional[Sequence[Dict[str, Any]]] = None,
        access_key: str | None = None,
        secret_key: str | None = None,
        expires_at: str | None = None,
    ) -> Dict[str, str]:
        access_key = (access_key or self._generate_access_key()).strip()
        if not access_key:
            raise IamError("Access key cannot be empty")
        if access_key in self._users:
            raise IamError("Access key already exists")
        if expires_at:
            self._validate_expires_at(expires_at)
        secret_key = secret_key or self._generate_secret_key()
        sanitized_policies = self._prepare_policy_payload(policies)
-        record = {
+        record: Dict[str, Any] = {
            "access_key": access_key,
            "secret_key": secret_key,
            "display_name": display_name or access_key,
            "policies": sanitized_policies,
        }
        if expires_at:
            record["expires_at"] = expires_at
        self._raw_config.setdefault("users", []).append(record)
        self._save()
        self._load()
@@ -414,17 +453,43 @@ class IamService:
        clear_signing_key_cache()
        self._load()
    def update_user_expiry(self, access_key: str, expires_at: str | None) -> None:
        user = self._get_raw_user(access_key)
        if expires_at:
            self._validate_expires_at(expires_at)
            user["expires_at"] = expires_at
        else:
            user.pop("expires_at", None)
        self._save()
        self._principal_cache.pop(access_key, None)
        self._secret_key_cache.pop(access_key, None)
        self._load()
    def update_user_policies(self, access_key: str, policies: Sequence[Dict[str, Any]]) -> None:
        user = self._get_raw_user(access_key)
        user["policies"] = self._prepare_policy_payload(policies)
        self._save()
        self._load()
    def _decrypt_content(self, raw_bytes: bytes) -> str:
        if raw_bytes.startswith(_IAM_ENCRYPTED_PREFIX):
            if not self._fernet:
                raise IamError("IAM config is encrypted but no encryption key provided. Set SECRET_KEY or use 'python run.py reset-cred'.")
            try:
                encrypted_data = raw_bytes[len(_IAM_ENCRYPTED_PREFIX):]
                return self._fernet.decrypt(encrypted_data).decode("utf-8")
            except InvalidToken:
                raise IamError("Cannot decrypt IAM config. SECRET_KEY may have changed. Use 'python run.py reset-cred' to reset credentials.")
        return raw_bytes.decode("utf-8")
    def _load(self) -> None:
        try:
            self._last_load_time = self.config_path.stat().st_mtime
-            content = self.config_path.read_text(encoding='utf-8')
+            raw_bytes = self.config_path.read_bytes()
            content = self._decrypt_content(raw_bytes)
            raw = json.loads(content)
        except IamError:
            raise
        except FileNotFoundError:
            raise IamError(f"IAM config not found: {self.config_path}")
        except json.JSONDecodeError as e:
@@ -434,33 +499,47 @@ class IamService:
        except (OSError, ValueError) as e:
            raise IamError(f"Failed to load IAM config: {e}")
        was_plaintext = not raw_bytes.startswith(_IAM_ENCRYPTED_PREFIX)
        users: Dict[str, Dict[str, Any]] = {}
        for user in raw.get("users", []):
            policies = self._build_policy_objects(user.get("policies", []))
-            users[user["access_key"]] = {
+            user_record: Dict[str, Any] = {
                "secret_key": user["secret_key"],
                "display_name": user.get("display_name", user["access_key"]),
                "policies": policies,
            }
            if user.get("expires_at"):
                user_record["expires_at"] = user["expires_at"]
            users[user["access_key"]] = user_record
        if not users:
            raise IamError("IAM configuration contains no users")
        self._users = users
-        self._raw_config = {
+        raw_users: List[Dict[str, Any]] = []
-            "users": [
+        for entry in raw.get("users", []):
-                {
+            raw_entry: Dict[str, Any] = {
-                    "access_key": entry["access_key"],
+                "access_key": entry["access_key"],
-                    "secret_key": entry["secret_key"],
+                "secret_key": entry["secret_key"],
-                    "display_name": entry.get("display_name", entry["access_key"]),
+                "display_name": entry.get("display_name", entry["access_key"]),
-                    "policies": entry.get("policies", []),
+                "policies": entry.get("policies", []),
-                }
+            }
-                for entry in raw.get("users", [])
+            if entry.get("expires_at"):
-            ]
+                raw_entry["expires_at"] = entry["expires_at"]
-        }
+            raw_users.append(raw_entry)
        self._raw_config = {"users": raw_users}
        if was_plaintext and self._fernet:
            self._save()
    def _save(self) -> None:
        try:
            json_text = json.dumps(self._raw_config, indent=2)
            temp_path = self.config_path.with_suffix('.json.tmp')
-            temp_path.write_text(json.dumps(self._raw_config, indent=2), encoding='utf-8')
+            if self._fernet:
                encrypted = self._fernet.encrypt(json_text.encode("utf-8"))
                temp_path.write_bytes(_IAM_ENCRYPTED_PREFIX + encrypted)
            else:
                temp_path.write_text(json_text, encoding='utf-8')
            temp_path.replace(self.config_path)
        except (OSError, PermissionError) as e:
            raise IamError(f"Cannot save IAM config: {e}")
@@ -475,9 +554,14 @@ class IamService:
    def export_config(self, mask_secrets: bool = True) -> Dict[str, Any]:
        payload: Dict[str, Any] = {"users": []}
        for user in self._raw_config.get("users", []):
-            record = dict(user)
+            record: Dict[str, Any] = {
-            if mask_secrets and "secret_key" in record:
+                "access_key": user["access_key"],
-                record["secret_key"] = "••••••••••"
+                "secret_key": "••••••••••" if mask_secrets else user["secret_key"],
                "display_name": user["display_name"],
                "policies": user["policies"],
            }
            if user.get("expires_at"):
                record["expires_at"] = user["expires_at"]
            payload["users"].append(record)
        return payload
@@ -546,8 +630,9 @@ class IamService:
        return candidate if candidate in ALLOWED_ACTIONS else ""
    def _write_default(self) -> None:
-        access_key = secrets.token_hex(12)
+        access_key = os.environ.get("ADMIN_ACCESS_KEY", "").strip() or secrets.token_hex(12)
-        secret_key = secrets.token_urlsafe(32)
+        secret_key = os.environ.get("ADMIN_SECRET_KEY", "").strip() or secrets.token_urlsafe(32)
        custom_keys = bool(os.environ.get("ADMIN_ACCESS_KEY", "").strip())
        default = {
            "users": [
                {
@@ -560,16 +645,37 @@ class IamService:
                }
            ]
        }
-        self.config_path.write_text(json.dumps(default, indent=2))
+        json_text = json.dumps(default, indent=2)
        if self._fernet:
            encrypted = self._fernet.encrypt(json_text.encode("utf-8"))
            self.config_path.write_bytes(_IAM_ENCRYPTED_PREFIX + encrypted)
        else:
            self.config_path.write_text(json_text)
        print(f"\n{'='*60}")
-        print("MYFSIO FIRST RUN - ADMIN CREDENTIALS GENERATED")
+        print("MYFSIO FIRST RUN - ADMIN CREDENTIALS")
        print(f"{'='*60}")
-        print(f"Access Key: {access_key}")
+        if custom_keys:
-        print(f"Secret Key: {secret_key}")
+            print(f"Access Key: {access_key} (from ADMIN_ACCESS_KEY)")
            print(f"Secret Key: {'(from ADMIN_SECRET_KEY)' if os.environ.get('ADMIN_SECRET_KEY', '').strip() else secret_key}")
        else:
            print(f"Access Key: {access_key}")
            print(f"Secret Key: {secret_key}")
        print(f"{'='*60}")
-        print(f"Missed this? Check: {self.config_path}")
+        if self._fernet:
            print("IAM config is encrypted at rest.")
            print("Lost credentials? Run: python run.py reset-cred")
        else:
            print(f"Missed this? Check: {self.config_path}")
        print(f"{'='*60}\n")
    def _validate_expires_at(self, expires_at: str) -> None:
        try:
            dt = datetime.fromisoformat(expires_at)
            if dt.tzinfo is None:
                dt = dt.replace(tzinfo=timezone.utc)
        except (ValueError, TypeError):
            raise IamError(f"Invalid expires_at format: {expires_at}. Use ISO 8601 (e.g. 2026-12-31T23:59:59Z)")
    def _generate_access_key(self) -> str:
        return secrets.token_hex(8)
@@ -588,11 +694,15 @@ class IamService:
        if cached:
            secret_key, cached_time = cached
            if now - cached_time < self._cache_ttl:
                record = self._users.get(access_key)
                if record:
                    self._check_expiry(access_key, record)
                return secret_key
        self._maybe_reload()
        record = self._users.get(access_key)
        if record:
            self._check_expiry(access_key, record)
            secret_key = record["secret_key"]
            self._secret_key_cache[access_key] = (secret_key, now)
            return secret_key
@@ -604,11 +714,15 @@ class IamService:
        if cached:
            principal, cached_time = cached
            if now - cached_time < self._cache_ttl:
                record = self._users.get(access_key)
                if record:
                    self._check_expiry(access_key, record)
                return principal
        self._maybe_reload()
        record = self._users.get(access_key)
        if record:
            self._check_expiry(access_key, record)
            principal = self._build_principal(access_key, record)
            self._principal_cache[access_key] = (principal, now)
            return principal
--- a/app/ui.py
+++ b/app/ui.py
@@ -1754,6 +1754,10 @@ def iam_dashboard():
    users = iam_service.list_users() if not locked else []
    config_summary = iam_service.config_summary()
    config_document = json.dumps(iam_service.export_config(mask_secrets=True), indent=2)
    from datetime import datetime as _dt, timedelta as _td, timezone as _tz
    _now = _dt.now(_tz.utc)
    now_iso = _now.isoformat()
    soon_iso = (_now + _td(days=7)).isoformat()
    return render_template(
        "iam.html",
        users=users,
@@ -1763,6 +1767,8 @@ def iam_dashboard():
        config_summary=config_summary,
        config_document=config_document,
        disclosed_secret=disclosed_secret,
        now_iso=now_iso,
        soon_iso=soon_iso,
    )
@@ -1782,6 +1788,8 @@ def create_iam_user():
            return jsonify({"error": "Display name must be 64 characters or fewer"}), 400
        flash("Display name must be 64 characters or fewer", "danger")
        return redirect(url_for("ui.iam_dashboard"))
    custom_access_key = request.form.get("access_key", "").strip() or None
    custom_secret_key = request.form.get("secret_key", "").strip() or None
    policies_text = request.form.get("policies", "").strip()
    policies = None
    if policies_text:
@@ -1792,8 +1800,21 @@ def create_iam_user():
                return jsonify({"error": f"Invalid JSON: {exc}"}), 400
            flash(f"Invalid JSON: {exc}", "danger")
            return redirect(url_for("ui.iam_dashboard"))
    expires_at = request.form.get("expires_at", "").strip() or None
    if expires_at:
        try:
            from datetime import datetime as _dt, timezone as _tz
            exp_dt = _dt.fromisoformat(expires_at)
            if exp_dt.tzinfo is None:
                exp_dt = exp_dt.replace(tzinfo=_tz.utc)
            expires_at = exp_dt.isoformat()
        except (ValueError, TypeError):
            if _wants_json():
                return jsonify({"error": "Invalid expiry date format"}), 400
            flash("Invalid expiry date format", "danger")
            return redirect(url_for("ui.iam_dashboard"))
    try:
-        created = _iam().create_user(display_name=display_name, policies=policies)
+        created = _iam().create_user(display_name=display_name, policies=policies, access_key=custom_access_key, secret_key=custom_secret_key, expires_at=expires_at)
    except IamError as exc:
        if _wants_json():
            return jsonify({"error": str(exc)}), 400
@@ -1967,6 +1988,45 @@ def update_iam_policies(access_key: str):
    return redirect(url_for("ui.iam_dashboard"))
@ui_bp.post("/iam/users/<access_key>/expiry")
 def update_iam_expiry(access_key: str):
    principal = _current_principal()
    try:
        _iam().authorize(principal, None, "iam:update_policy")
    except IamError as exc:
        if _wants_json():
            return jsonify({"error": str(exc)}), 403
        flash(str(exc), "danger")
        return redirect(url_for("ui.iam_dashboard"))
    expires_at = request.form.get("expires_at", "").strip() or None
    if expires_at:
        try:
            from datetime import datetime as _dt, timezone as _tz
            exp_dt = _dt.fromisoformat(expires_at)
            if exp_dt.tzinfo is None:
                exp_dt = exp_dt.replace(tzinfo=_tz.utc)
            expires_at = exp_dt.isoformat()
        except (ValueError, TypeError):
            if _wants_json():
                return jsonify({"error": "Invalid expiry date format"}), 400
            flash("Invalid expiry date format", "danger")
            return redirect(url_for("ui.iam_dashboard"))
    try:
        _iam().update_user_expiry(access_key, expires_at)
        if _wants_json():
            return jsonify({"success": True, "message": f"Updated expiry for {access_key}", "expires_at": expires_at})
        label = expires_at if expires_at else "never"
        flash(f"Expiry for {access_key} set to {label}", "success")
    except IamError as exc:
        if _wants_json():
            return jsonify({"error": str(exc)}), 400
        flash(str(exc), "danger")
    return redirect(url_for("ui.iam_dashboard"))
@ui_bp.post("/connections")
 def create_connection():
    principal = _current_principal()
--- a/app/version.py
+++ b/app/version.py
@@ -1,6 +1,6 @@
 from __future__ import annotations
-APP_VERSION = "0.3.6"
+APP_VERSION = "0.3.7"
 def get_version() -> str:
--- a/docs.md
+++ b/docs.md
@@ -145,13 +145,15 @@ All configuration is done via environment variables. The table below lists every
 | Variable | Default | Notes |
 | --- | --- | --- |
-| `IAM_CONFIG` | `data/.myfsio.sys/config/iam.json` | Stores users, secrets, and inline policies. |
+| `IAM_CONFIG` | `data/.myfsio.sys/config/iam.json` | Stores users, secrets, and inline policies. Encrypted at rest when `SECRET_KEY` is set. |
 | `BUCKET_POLICY_PATH` | `data/.myfsio.sys/config/bucket_policies.json` | Bucket policy store (auto hot-reload). |
 | `AUTH_MAX_ATTEMPTS` | `5` | Failed login attempts before lockout. |
 | `AUTH_LOCKOUT_MINUTES` | `15` | Lockout duration after max failed attempts. |
 | `SESSION_LIFETIME_DAYS` | `30` | How long UI sessions remain valid. |
 | `SECRET_TTL_SECONDS` | `300` | TTL for ephemeral secrets (presigned URLs). |
 | `UI_ENFORCE_BUCKET_POLICIES` | `false` | Whether the UI should enforce bucket policies. |
 | `ADMIN_ACCESS_KEY` | (none) | Custom access key for the admin user on first run or credential reset. If unset, a random key is generated. |
 | `ADMIN_SECRET_KEY` | (none) | Custom secret key for the admin user on first run or credential reset. If unset, a random key is generated. |
 ### CORS (Cross-Origin Resource Sharing)
@@ -277,13 +279,14 @@ API responses for JSON, XML, HTML, CSS, and JavaScript are automatically gzip-co
 Before deploying to production, ensure you:
-1. **Set `SECRET_KEY`** - Use a strong, unique value (e.g., `openssl rand -base64 32`)
+1. **Set `SECRET_KEY`** - Use a strong, unique value (e.g., `openssl rand -base64 32`). This also enables IAM config encryption at rest.
 2. **Restrict CORS** - Set `CORS_ORIGINS` to your specific domains instead of `*`
 3. **Configure `API_BASE_URL`** - Required for correct presigned URLs behind proxies
 4. **Enable HTTPS** - Use a reverse proxy (nginx, Cloudflare) with TLS termination
 5. **Review rate limits** - Adjust `RATE_LIMIT_DEFAULT` based on your needs
 6. **Secure master keys** - Back up `ENCRYPTION_MASTER_KEY_PATH` if using encryption
 7. **Use `--prod` flag** - Runs with Waitress instead of Flask dev server
 8. **Set credential expiry** - Assign `expires_at` to non-admin users for time-limited access
 ### Proxy Configuration
@@ -633,9 +636,10 @@ MyFSIO implements a comprehensive Identity and Access Management (IAM) system th
 ### Getting Started
-1. On first boot, `data/.myfsio.sys/config/iam.json` is created with a randomly generated admin user. The access key and secret key are printed to the console during first startup. If you miss it, check the `iam.json` file directly—credentials are stored in plaintext.
+1. On first boot, `data/.myfsio.sys/config/iam.json` is created with a randomly generated admin user. The access key and secret key are printed to the console during first startup. You can set `ADMIN_ACCESS_KEY` and `ADMIN_SECRET_KEY` environment variables to use custom credentials instead of random ones. If `SECRET_KEY` is configured, the IAM config file is encrypted at rest using AES (Fernet). To reset admin credentials later, run `python run.py --reset-cred`.
 2. Sign into the UI using the generated credentials, then open **IAM**:
-   - **Create user**: supply a display name and optional JSON inline policy array.
+   - **Create user**: supply a display name, optional JSON inline policy array, and optional credential expiry date.
   - **Set expiry**: assign an expiration date to any user's credentials. Expired credentials are rejected at authentication time. The UI shows expiry badges and preset durations (1h, 24h, 7d, 30d, 90d).
   - **Rotate secret**: generates a new secret key; the UI surfaces it once.
   - **Policy editor**: select a user, paste an array of objects (`{"bucket": "*", "actions": ["list", "read"]}`), and submit. Alias support includes AWS-style verbs (e.g., `s3:GetObject`).
 3. Wildcard action `iam:*` is supported for admin user definitions.
@@ -653,8 +657,11 @@ The API expects every request to include authentication headers. The UI persists
 **Security Features:**
 - **Lockout Protection**: After `AUTH_MAX_ATTEMPTS` (default: 5) failed login attempts, the account is locked for `AUTH_LOCKOUT_MINUTES` (default: 15 minutes).
 - **Credential Expiry**: Each user can have an optional `expires_at` timestamp (ISO 8601). Once expired, all API requests using those credentials are rejected. Set or clear expiry via the UI or API.
 - **IAM Config Encryption**: When `SECRET_KEY` is set, the IAM config file (`iam.json`) is encrypted at rest using Fernet (AES-256-CBC with HMAC). Existing plaintext configs are automatically encrypted on next load.
 - **Session Management**: UI sessions remain valid for `SESSION_LIFETIME_DAYS` (default: 30 days).
 - **Hot Reload**: IAM configuration changes take effect immediately without restart.
 - **Credential Reset**: Run `python run.py --reset-cred` to reset admin credentials. Supports `ADMIN_ACCESS_KEY` and `ADMIN_SECRET_KEY` env vars for deterministic keys.
 ### Permission Model
@@ -814,7 +821,8 @@ curl -X POST http://localhost:5000/iam/users \
  -H "X-Access-Key: ..." -H "X-Secret-Key: ..." \
  -d '{
    "display_name": "New User",
-    "policies": [{"bucket": "*", "actions": ["list", "read"]}]
+    "policies": [{"bucket": "*", "actions": ["list", "read"]}],
    "expires_at": "2026-12-31T23:59:59Z"
  }'
 # Rotate user secret (requires iam:rotate_key)
@@ -827,6 +835,18 @@ curl -X PUT http://localhost:5000/iam/users/<access-key>/policies \
  -H "X-Access-Key: ..." -H "X-Secret-Key: ..." \
  -d '[{"bucket": "*", "actions": ["list", "read", "write"]}]'
 # Update credential expiry (requires iam:update_policy)
 curl -X POST http://localhost:5000/iam/users/<access-key>/expiry \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "X-Access-Key: ..." -H "X-Secret-Key: ..." \
  -d 'expires_at=2026-12-31T23:59:59Z'
 # Remove credential expiry (never expires)
 curl -X POST http://localhost:5000/iam/users/<access-key>/expiry \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "X-Access-Key: ..." -H "X-Secret-Key: ..." \
  -d 'expires_at='
 # Delete a user (requires iam:delete_user)
 curl -X DELETE http://localhost:5000/iam/users/<access-key> \
  -H "X-Access-Key: ..." -H "X-Secret-Key: ..."
@@ -838,8 +858,9 @@ When a request is made, permissions are evaluated in this order:
 1. **Authentication** – Verify the access key and secret key are valid
 2. **Lockout Check** – Ensure the account is not locked due to failed attempts
-3. **IAM Policy Check** – Verify the user has the required action for the target bucket
+3. **Expiry Check** – Reject requests if the user's credentials have expired (`expires_at`)
-4. **Bucket Policy Check** – If a bucket policy exists, verify it allows the action
+4. **IAM Policy Check** – Verify the user has the required action for the target bucket
 5. **Bucket Policy Check** – If a bucket policy exists, verify it allows the action
 A request is allowed only if:
 - The IAM policy grants the action, AND
--- a/run.py
+++ b/run.py
@@ -23,6 +23,7 @@ from typing import Optional
 from app import create_api_app, create_ui_app
 from app.config import AppConfig
 from app.iam import IamService, IamError, ALLOWED_ACTIONS, _derive_fernet_key
 def _server_host() -> str:
@@ -87,21 +88,121 @@ def serve_ui(port: int, prod: bool = False, config: Optional[AppConfig] = None)
        app.run(host=_server_host(), port=port, debug=debug)
 def reset_credentials() -> None:
    import json
    import secrets
    from cryptography.fernet import Fernet
    config = AppConfig.from_env()
    iam_path = config.iam_config_path
    encryption_key = config.secret_key
    access_key = os.environ.get("ADMIN_ACCESS_KEY", "").strip() or secrets.token_hex(12)
    secret_key = os.environ.get("ADMIN_SECRET_KEY", "").strip() or secrets.token_urlsafe(32)
    custom_keys = bool(os.environ.get("ADMIN_ACCESS_KEY", "").strip())
    fernet = Fernet(_derive_fernet_key(encryption_key)) if encryption_key else None
    raw_config = None
    if iam_path.exists():
        try:
            raw_bytes = iam_path.read_bytes()
            from app.iam import _IAM_ENCRYPTED_PREFIX
            if raw_bytes.startswith(_IAM_ENCRYPTED_PREFIX):
                if fernet:
                    try:
                        content = fernet.decrypt(raw_bytes[len(_IAM_ENCRYPTED_PREFIX):]).decode("utf-8")
                        raw_config = json.loads(content)
                    except Exception:
                        print("WARNING: Could not decrypt existing IAM config. Creating fresh config.")
                else:
                    print("WARNING: IAM config is encrypted but no SECRET_KEY available. Creating fresh config.")
            else:
                try:
                    raw_config = json.loads(raw_bytes.decode("utf-8"))
                except json.JSONDecodeError:
                    print("WARNING: Existing IAM config is corrupted. Creating fresh config.")
        except OSError:
            pass
    if raw_config and raw_config.get("users"):
        admin_user = None
        for user in raw_config["users"]:
            policies = user.get("policies", [])
            for p in policies:
                actions = p.get("actions", [])
                if "iam:*" in actions or "*" in actions:
                    admin_user = user
                    break
            if admin_user:
                break
        if not admin_user:
            admin_user = raw_config["users"][0]
        admin_user["access_key"] = access_key
        admin_user["secret_key"] = secret_key
    else:
        raw_config = {
            "users": [
                {
                    "access_key": access_key,
                    "secret_key": secret_key,
                    "display_name": "Local Admin",
                    "policies": [
                        {"bucket": "*", "actions": list(ALLOWED_ACTIONS)}
                    ],
                }
            ]
        }
    json_text = json.dumps(raw_config, indent=2)
    iam_path.parent.mkdir(parents=True, exist_ok=True)
    temp_path = iam_path.with_suffix(".json.tmp")
    if fernet:
        from app.iam import _IAM_ENCRYPTED_PREFIX
        encrypted = fernet.encrypt(json_text.encode("utf-8"))
        temp_path.write_bytes(_IAM_ENCRYPTED_PREFIX + encrypted)
    else:
        temp_path.write_text(json_text, encoding="utf-8")
    temp_path.replace(iam_path)
    print(f"\n{'='*60}")
    print("MYFSIO - ADMIN CREDENTIALS RESET")
    print(f"{'='*60}")
    if custom_keys:
        print(f"Access Key: {access_key} (from ADMIN_ACCESS_KEY)")
        print(f"Secret Key: {'(from ADMIN_SECRET_KEY)' if os.environ.get('ADMIN_SECRET_KEY', '').strip() else secret_key}")
    else:
        print(f"Access Key: {access_key}")
        print(f"Secret Key: {secret_key}")
    print(f"{'='*60}")
    if fernet:
        print("IAM config saved (encrypted).")
    else:
        print(f"IAM config saved to: {iam_path}")
    print(f"{'='*60}\n")
 if __name__ == "__main__":
    multiprocessing.freeze_support()
    if _is_frozen():
        multiprocessing.set_start_method("spawn", force=True)
    parser = argparse.ArgumentParser(description="Run the S3 clone services.")
-    parser.add_argument("--mode", choices=["api", "ui", "both"], default="both")
+    parser.add_argument("--mode", choices=["api", "ui", "both", "reset-cred"], default="both")
    parser.add_argument("--api-port", type=int, default=5000)
    parser.add_argument("--ui-port", type=int, default=5100)
    parser.add_argument("--prod", action="store_true", help="Run in production mode using Waitress")
    parser.add_argument("--dev", action="store_true", help="Force development mode (Flask dev server)")
    parser.add_argument("--check-config", action="store_true", help="Validate configuration and exit")
    parser.add_argument("--show-config", action="store_true", help="Show configuration summary and exit")
    parser.add_argument("--reset-cred", action="store_true", help="Reset admin credentials and exit")
    args = parser.parse_args()
    if args.reset_cred or args.mode == "reset-cred":
        reset_credentials()
        sys.exit(0)
    if args.check_config or args.show_config:
        config = AppConfig.from_env()
        config.print_startup_summary()
--- a/static/css/main.css
+++ b/static/css/main.css
@@ -1154,39 +1154,20 @@ html.sidebar-will-collapse .sidebar-user {
 	position: relative;
 	border: 1px solid var(--myfsio-card-border) !important;
 	border-radius: 1rem !important;
-	overflow: hidden;
+	overflow: visible;
 	transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1);
 }
 .iam-user-card::before {
 	content: '';
 	position: absolute;
 	top: 0;
 	left: 0;
 	right: 0;
 	height: 4px;
 	background: linear-gradient(90deg, #3b82f6, #8b5cf6);
 	opacity: 0;
 	transition: opacity 0.2s ease;
 }
 .iam-user-card:hover {
 	transform: translateY(-2px);
 	box-shadow: 0 8px 24px -4px rgba(0, 0, 0, 0.12), 0 4px 8px -4px rgba(0, 0, 0, 0.08);
 	border-color: var(--myfsio-accent) !important;
 }
 .iam-user-card:hover::before {
 	opacity: 1;
 }
 [data-theme='dark'] .iam-user-card:hover {
 	box-shadow: 0 8px 24px -4px rgba(0, 0, 0, 0.4), 0 4px 8px -4px rgba(0, 0, 0, 0.3);
 }
 .iam-admin-card::before {
 	background: linear-gradient(90deg, #f59e0b, #ef4444);
 }
 .iam-role-badge {
 	display: inline-flex;
--- a/static/js/iam-management.js
+++ b/static/js/iam-management.js
@@ -11,9 +11,11 @@ window.IAMManagement = (function() {
  var editUserModal = null;
  var deleteUserModal = null;
  var rotateSecretModal = null;
  var expiryModal = null;
  var currentRotateKey = null;
  var currentEditKey = null;
  var currentDeleteKey = null;
  var currentExpiryKey = null;
  var ALL_S3_ACTIONS = ['list', 'read', 'write', 'delete', 'share', 'policy', 'replication', 'lifecycle', 'cors'];
@@ -65,6 +67,7 @@ window.IAMManagement = (function() {
    setupEditUserModal();
    setupDeleteUserModal();
    setupRotateSecretModal();
    setupExpiryModal();
    setupFormHandlers();
    setupSearch();
    setupCopyAccessKeyButtons();
@@ -75,11 +78,13 @@ window.IAMManagement = (function() {
    var editModalEl = document.getElementById('editUserModal');
    var deleteModalEl = document.getElementById('deleteUserModal');
    var rotateModalEl = document.getElementById('rotateSecretModal');
    var expiryModalEl = document.getElementById('expiryModal');
    if (policyModalEl) policyModal = new bootstrap.Modal(policyModalEl);
    if (editModalEl) editUserModal = new bootstrap.Modal(editModalEl);
    if (deleteModalEl) deleteUserModal = new bootstrap.Modal(deleteModalEl);
    if (rotateModalEl) rotateSecretModal = new bootstrap.Modal(rotateModalEl);
    if (expiryModalEl) expiryModal = new bootstrap.Modal(expiryModalEl);
  }
  function setupJsonAutoIndent() {
@@ -97,6 +102,15 @@ window.IAMManagement = (function() {
      });
    });
    var accessKeyCopyButton = document.querySelector('[data-access-key-copy]');
    if (accessKeyCopyButton) {
      accessKeyCopyButton.addEventListener('click', async function() {
        var accessKeyInput = document.getElementById('disclosedAccessKeyValue');
        if (!accessKeyInput) return;
        await window.UICore.copyToClipboard(accessKeyInput.value, accessKeyCopyButton, 'Copy');
      });
    }
    var secretCopyButton = document.querySelector('[data-secret-copy]');
    if (secretCopyButton) {
      secretCopyButton.addEventListener('click', async function() {
@@ -143,6 +157,22 @@ window.IAMManagement = (function() {
    });
  }
  function generateSecureHex(byteCount) {
    var arr = new Uint8Array(byteCount);
    crypto.getRandomValues(arr);
    return Array.from(arr).map(function(b) { return b.toString(16).padStart(2, '0'); }).join('');
  }
  function generateSecureBase64(byteCount) {
    var arr = new Uint8Array(byteCount);
    crypto.getRandomValues(arr);
    var binary = '';
    for (var i = 0; i < arr.length; i++) {
      binary += String.fromCharCode(arr[i]);
    }
    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  }
  function setupCreateUserModal() {
    var createUserPoliciesEl = document.getElementById('createUserPolicies');
@@ -151,6 +181,22 @@ window.IAMManagement = (function() {
        applyPolicyTemplate(button.dataset.createPolicyTemplate, createUserPoliciesEl);
      });
    });
    var genAccessKeyBtn = document.getElementById('generateAccessKeyBtn');
    if (genAccessKeyBtn) {
      genAccessKeyBtn.addEventListener('click', function() {
        var input = document.getElementById('createUserAccessKey');
        if (input) input.value = generateSecureHex(8);
      });
    }
    var genSecretKeyBtn = document.getElementById('generateSecretKeyBtn');
    if (genSecretKeyBtn) {
      genSecretKeyBtn.addEventListener('click', function() {
        var input = document.getElementById('createUserSecretKey');
        if (input) input.value = generateSecureBase64(24);
      });
    }
  }
  function setupEditUserModal() {
@@ -271,6 +317,77 @@ window.IAMManagement = (function() {
    }
  }
  function openExpiryModal(key, expiresAt) {
    currentExpiryKey = key;
    var label = document.getElementById('expiryUserLabel');
    var input = document.getElementById('expiryDateInput');
    var form = document.getElementById('expiryForm');
    if (label) label.textContent = key;
    if (expiresAt) {
      try {
        var dt = new Date(expiresAt);
        var local = new Date(dt.getTime() - dt.getTimezoneOffset() * 60000);
        if (input) input.value = local.toISOString().slice(0, 16);
      } catch(e) {
        if (input) input.value = '';
      }
    } else {
      if (input) input.value = '';
    }
    if (form) form.action = endpoints.updateExpiry.replace('ACCESS_KEY', key);
    var modalEl = document.getElementById('expiryModal');
    if (modalEl) {
      var modal = bootstrap.Modal.getOrCreateInstance(modalEl);
      modal.show();
    }
  }
  function setupExpiryModal() {
    document.querySelectorAll('[data-expiry-user]').forEach(function(btn) {
      btn.addEventListener('click', function(e) {
        e.preventDefault();
        openExpiryModal(btn.dataset.expiryUser, btn.dataset.expiresAt || '');
      });
    });
    document.querySelectorAll('[data-expiry-preset]').forEach(function(btn) {
      btn.addEventListener('click', function() {
        var preset = btn.dataset.expiryPreset;
        var input = document.getElementById('expiryDateInput');
        if (!input) return;
        if (preset === 'clear') {
          input.value = '';
          return;
        }
        var now = new Date();
        var ms = 0;
        if (preset === '1h') ms = 3600000;
        else if (preset === '24h') ms = 86400000;
        else if (preset === '7d') ms = 7 * 86400000;
        else if (preset === '30d') ms = 30 * 86400000;
        else if (preset === '90d') ms = 90 * 86400000;
        var future = new Date(now.getTime() + ms);
        var local = new Date(future.getTime() - future.getTimezoneOffset() * 60000);
        input.value = local.toISOString().slice(0, 16);
      });
    });
    var expiryForm = document.getElementById('expiryForm');
    if (expiryForm) {
      expiryForm.addEventListener('submit', function(e) {
        e.preventDefault();
        window.UICore.submitFormAjax(expiryForm, {
          successMessage: 'Expiry updated',
          onSuccess: function() {
            var modalEl = document.getElementById('expiryModal');
            if (modalEl) bootstrap.Modal.getOrCreateInstance(modalEl).hide();
            window.location.reload();
          }
        });
      });
    }
  }
  function createUserCardHtml(accessKey, displayName, policies) {
    var admin = isAdminUser(policies);
    var cardClass = 'card h-100 iam-user-card' + (admin ? ' iam-admin-card' : '');
@@ -324,6 +441,8 @@ window.IAMManagement = (function() {
      '<ul class="dropdown-menu dropdown-menu-end">' +
      '<li><button class="dropdown-item" type="button" data-edit-user="' + esc(accessKey) + '" data-display-name="' + esc(displayName) + '">' +
      '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M12.146.146a.5.5 0 0 1 .708 0l3 3a.5.5 0 0 1 0 .708l-10 10a.5.5 0 0 1-.168.11l-5 2a.5.5 0 0 1-.65-.65l2-5a.5.5 0 0 1 .11-.168l10-10zM11.207 2.5 13.5 4.793 14.793 3.5 12.5 1.207 11.207 2.5zm1.586 3L10.5 3.207 4 9.707V10h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.293l6.5-6.5z"/></svg>Edit Name</button></li>' +
      '<li><button class="dropdown-item" type="button" data-expiry-user="' + esc(accessKey) + '" data-expires-at="">' +
      '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M8 3.5a.5.5 0 0 0-1 0V9a.5.5 0 0 0 .252.434l3.5 2a.5.5 0 0 0 .496-.868L8 8.71V3.5z"/><path d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm7-8A7 7 0 1 1 1 8a7 7 0 0 1 14 0z"/></svg>Set Expiry</button></li>' +
      '<li><button class="dropdown-item" type="button" data-rotate-user="' + esc(accessKey) + '">' +
      '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M11.534 7h3.932a.25.25 0 0 1 .192.41l-1.966 2.36a.25.25 0 0 1-.384 0l-1.966-2.36a.25.25 0 0 1 .192-.41zm-11 2h3.932a.25.25 0 0 0 .192-.41L2.692 6.23a.25.25 0 0 0-.384 0L.342 8.59A.25.25 0 0 0 .534 9z"/><path fill-rule="evenodd" d="M8 3c-1.552 0-2.94.707-3.857 1.818a.5.5 0 1 1-.771-.636A6.002 6.002 0 0 1 13.917 7H12.9A5.002 5.002 0 0 0 8 3zM3.1 9a5.002 5.002 0 0 0 8.757 2.182.5.5 0 1 1 .771.636A6.002 6.002 0 0 1 2.083 9H3.1z"/></svg>Rotate Secret</button></li>' +
      '<li><hr class="dropdown-divider"></li>' +
@@ -379,6 +498,14 @@ window.IAMManagement = (function() {
      });
    }
    var expiryBtn = cardElement.querySelector('[data-expiry-user]');
    if (expiryBtn) {
      expiryBtn.addEventListener('click', function(e) {
        e.preventDefault();
        openExpiryModal(accessKey, '');
      });
    }
    var policyBtn = cardElement.querySelector('[data-policy-editor]');
    if (policyBtn) {
      policyBtn.addEventListener('click', function() {
@@ -428,10 +555,15 @@ window.IAMManagement = (function() {
                '</svg>' +
                '<div class="flex-grow-1">' +
                '<div class="fw-semibold">New user created: <code>' + window.UICore.escapeHtml(data.access_key) + '</code></div>' +
-                '<p class="mb-2 small">This secret is only shown once. Copy it now and store it securely.</p>' +
+                '<p class="mb-2 small">These credentials are only shown once. Copy them now and store them securely.</p>' +
                '</div>' +
                '<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>' +
                '</div>' +
                '<div class="input-group mb-2">' +
                '<span class="input-group-text"><strong>Access key</strong></span>' +
                '<input class="form-control font-monospace" type="text" value="' + window.UICore.escapeHtml(data.access_key) + '" readonly />' +
                '<button class="btn btn-outline-primary" type="button" id="copyNewUserAccessKey">Copy</button>' +
                '</div>' +
                '<div class="input-group">' +
                '<span class="input-group-text"><strong>Secret key</strong></span>' +
                '<input class="form-control font-monospace" type="text" value="' + window.UICore.escapeHtml(data.secret_key) + '" readonly id="newUserSecret" />' +
@@ -440,6 +572,9 @@ window.IAMManagement = (function() {
              var container = document.querySelector('.page-header');
              if (container) {
                container.insertAdjacentHTML('afterend', alertHtml);
                document.getElementById('copyNewUserAccessKey').addEventListener('click', async function() {
                  await window.UICore.copyToClipboard(data.access_key, this, 'Copy');
                });
                document.getElementById('copyNewUserSecret').addEventListener('click', async function() {
                  await window.UICore.copyToClipboard(data.secret_key, this, 'Copy');
                });
--- a/templates/docs.html
+++ b/templates/docs.html
@@ -202,6 +202,16 @@ python run.py --mode ui
                <td><code>60 per minute</code></td>
                <td>Rate limit for admin API endpoints (<code>/admin/*</code>).</td>
              </tr>
              <tr>
                <td><code>ADMIN_ACCESS_KEY</code></td>
                <td>(none)</td>
                <td>Custom access key for the admin user on first run or credential reset. Random if unset.</td>
              </tr>
              <tr>
                <td><code>ADMIN_SECRET_KEY</code></td>
                <td>(none)</td>
                <td>Custom secret key for the admin user on first run or credential reset. Random if unset.</td>
              </tr>
              <tr class="table-secondary">
                <td colspan="3" class="fw-semibold">Server Settings</td>
              </tr>
@@ -428,7 +438,7 @@ python run.py --mode ui
          </table>
        </div>
        <div class="alert alert-warning mt-3 mb-0 small">
-          <strong>Production Checklist:</strong> Set <code>SECRET_KEY</code>, restrict <code>CORS_ORIGINS</code>, configure <code>API_BASE_URL</code>, enable HTTPS via reverse proxy, and use <code>--prod</code> flag.
+          <strong>Production Checklist:</strong> Set <code>SECRET_KEY</code> (also enables IAM config encryption at rest), restrict <code>CORS_ORIGINS</code>, configure <code>API_BASE_URL</code>, enable HTTPS via reverse proxy, use <code>--prod</code> flag, and set credential expiry on non-admin users.
        </div>
      </div>
    </article>
@@ -495,11 +505,12 @@ sudo journalctl -u myfsio -f   # View logs</code></pre>
          <span class="docs-section-kicker">03</span>
          <h2 class="h4 mb-0">Authenticate &amp; manage IAM</h2>
        </div>
-        <p class="text-muted">On first startup, MyFSIO generates random admin credentials and prints them to the console. Missed it? Check <code>data/.myfsio.sys/config/iam.json</code> directly—credentials are stored in plaintext.</p>
+        <p class="text-muted">On first startup, MyFSIO generates random admin credentials and prints them to the console. Set <code>ADMIN_ACCESS_KEY</code> and <code>ADMIN_SECRET_KEY</code> env vars for custom credentials. When <code>SECRET_KEY</code> is configured, the IAM config is encrypted at rest. To reset credentials, run <code>python run.py --reset-cred</code>.</p>
        <div class="docs-highlight mb-3">
          <ol class="mb-0">
-            <li>Check the console output (or <code>iam.json</code>) for the generated <code>Access Key</code> and <code>Secret Key</code>, then visit <code>/ui/login</code>.</li>
+            <li>Check the console output for the generated <code>Access Key</code> and <code>Secret Key</code>, then visit <code>/ui/login</code>.</li>
-            <li>Create additional users with descriptive display names and AWS-style inline policies (for example <code>{"bucket": "*", "actions": ["list", "read"]}</code>).</li>
+            <li>Create additional users with descriptive display names, AWS-style inline policies (for example <code>{"bucket": "*", "actions": ["list", "read"]}</code>), and optional credential expiry dates.</li>
            <li>Set credential expiry on users to grant time-limited access. The UI shows expiry badges and provides preset durations (1h, 24h, 7d, 30d, 90d). Expired credentials are rejected at authentication.</li>
            <li>Rotate secrets when sharing with CI jobs—new secrets display once and persist to <code>data/.myfsio.sys/config/iam.json</code>.</li>
            <li>Bucket policies layer on top of IAM. Apply Private/Public presets or paste custom JSON; changes reload instantly.</li>
          </ol>
--- a/templates/iam.html
+++ b/templates/iam.html
@@ -50,9 +50,20 @@
        New user created: <code>{{ disclosed_secret.access_key }}</code>
        {% endif %}
      </div>
-      <p class="mb-2 small">⚠️ This secret is only shown once. Copy it now and store it securely.</p>
+      <p class="mb-2 small">These credentials are only shown once. Copy them now and store them securely.</p>
    </div>
  </div>
  <div class="input-group mb-2">
    <span class="input-group-text"><strong>Access key</strong></span>
    <input class="form-control font-monospace" type="text" value="{{ disclosed_secret.access_key }}" readonly id="disclosedAccessKeyValue" />
    <button class="btn btn-outline-primary" type="button" data-access-key-copy>
      <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="bi bi-clipboard" viewBox="0 0 16 16">
        <path d="M4 1.5H3a2 2 0 0 0-2 2V14a2 2 0 0 0 2 2h10a2 2 0 0 0 2-2V3.5a2 2 0 0 0-2-2h-1v1h1a1 1 0 0 1 1 1V14a1 1 0 0 1-1 1H3a1 1 0 0 1-1-1V3.5a1 1 0 0 1 1-1h1v-1z"/>
        <path d="M9.5 1a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-.5.5h-3a.5.5 0 0 1-.5-.5v-1a.5.5 0 0 1 .5-.5h3zm-3-1A1.5 1.5 0 0 0 5 1.5v1A1.5 1.5 0 0 0 6.5 4h3A1.5 1.5 0 0 0 11 2.5v-1A1.5 1.5 0 0 0 9.5 0h-3z"/>
      </svg>
      Copy
    </button>
  </div>
  <div class="input-group">
    <span class="input-group-text"><strong>Secret key</strong></span>
    <input class="form-control font-monospace" type="text" value="{{ disclosed_secret.secret_key }}" readonly id="disclosedSecretValue" />
@@ -79,7 +90,7 @@
        <pre class="policy-preview mb-0" id="iamConfigPreview">{{ config_document }}</pre>
        <button class="btn btn-outline-light btn-sm config-copy" type="button" data-copy-target="iamConfigPreview">Copy JSON</button>
      </div>
-      <p class="text-muted small mt-2 mb-0">Secrets are masked above. Access <code>{{ config_summary.path }}</code> directly to view full credentials.</p>
+      <p class="text-muted small mt-2 mb-0">Secrets are masked above. IAM config is encrypted at rest.</p>
    </div>
  </div>
 </div>
@@ -122,12 +133,20 @@
    {% endif %}
    <div class="row g-3">
      {% for user in users %}
-      {% set ns = namespace(is_admin=false) %}
+      {% set ns = namespace(is_admin=false, is_expired=false, is_expiring_soon=false) %}
      {% for policy in user.policies %}
        {% if 'iam:*' in policy.actions or '*' in policy.actions %}
          {% set ns.is_admin = true %}
        {% endif %}
      {% endfor %}
      {% if user.expires_at %}
        {% set exp_str = user.expires_at %}
        {% if exp_str <= now_iso %}
          {% set ns.is_expired = true %}
        {% elif exp_str <= soon_iso %}
          {% set ns.is_expiring_soon = true %}
        {% endif %}
      {% endif %}
      <div class="col-md-6 col-xl-4 iam-user-item" data-display-name="{{ user.display_name|lower }}" data-access-key-filter="{{ user.access_key|lower }}">
        <div class="card h-100 iam-user-card{{ ' iam-admin-card' if ns.is_admin else '' }}">
          <div class="card-body">
@@ -146,6 +165,11 @@
                    {% else %}
                    <span class="iam-role-badge iam-role-user" data-role-badge>User</span>
                    {% endif %}
                    {% if ns.is_expired %}
                    <span class="badge text-bg-danger" style="font-size: .65rem">Expired</span>
                    {% elif ns.is_expiring_soon %}
                    <span class="badge text-bg-warning" style="font-size: .65rem">Expiring soon</span>
                    {% endif %}
                  </div>
                  <div class="d-flex align-items-center gap-1">
                    <code class="small text-muted text-truncate" title="{{ user.access_key }}">{{ user.access_key }}</code>
@@ -173,6 +197,15 @@
                      Edit Name
                    </button>
                  </li>
                  <li>
                    <button class="dropdown-item" type="button" data-expiry-user="{{ user.access_key }}" data-expires-at="{{ user.expires_at or '' }}">
                      <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16">
                        <path d="M8 3.5a.5.5 0 0 0-1 0V9a.5.5 0 0 0 .252.434l3.5 2a.5.5 0 0 0 .496-.868L8 8.71V3.5z"/>
                        <path d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm7-8A7 7 0 1 1 1 8a7 7 0 0 1 14 0z"/>
                      </svg>
                      Set Expiry
                    </button>
                  </li>
                  <li>
                    <button class="dropdown-item" type="button" data-rotate-user="{{ user.access_key }}">
                      <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16">
@@ -283,6 +316,32 @@
            <label class="form-label fw-medium">Display Name</label>
            <input class="form-control" type="text" name="display_name" placeholder="Analytics Team" required autofocus />
          </div>
          <div class="mb-3">
            <label class="form-label fw-medium d-flex justify-content-between align-items-center">
              Access Key <span class="text-muted fw-normal small">optional</span>
            </label>
            <div class="input-group">
              <input class="form-control font-monospace" type="text" name="access_key" id="createUserAccessKey" placeholder="Leave blank to auto-generate" />
              <button class="btn btn-outline-secondary" type="button" id="generateAccessKeyBtn" title="Generate secure access key">Generate</button>
            </div>
          </div>
          <div class="mb-3">
            <label class="form-label fw-medium d-flex justify-content-between align-items-center">
              Secret Key <span class="text-muted fw-normal small">optional</span>
            </label>
            <div class="input-group">
              <input class="form-control font-monospace" type="text" name="secret_key" id="createUserSecretKey" placeholder="Leave blank to auto-generate" />
              <button class="btn btn-outline-secondary" type="button" id="generateSecretKeyBtn" title="Generate secure secret key">Generate</button>
            </div>
            <div class="form-text">If you set a custom secret key, copy it now. It will be encrypted and cannot be recovered.</div>
          </div>
          <div class="mb-3">
            <label class="form-label fw-medium d-flex justify-content-between align-items-center">
              Expiry <span class="text-muted fw-normal small">optional</span>
            </label>
            <input class="form-control" type="datetime-local" name="expires_at" id="createUserExpiry" />
            <div class="form-text">Leave blank for no expiration. Expired users cannot authenticate.</div>
          </div>
          <div class="mb-3">
            <label class="form-label fw-medium">Initial Policies (JSON)</label>
            <textarea class="form-control font-monospace" name="policies" id="createUserPolicies" rows="6" spellcheck="false" placeholder='[
@@ -495,6 +554,52 @@
  </div>
 </div>
 <div class="modal fade" id="expiryModal" tabindex="-1" aria-hidden="true">
  <div class="modal-dialog modal-dialog-centered">
    <div class="modal-content">
      <div class="modal-header border-0 pb-0">
        <h1 class="modal-title fs-5 fw-semibold">
          <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="text-primary" viewBox="0 0 16 16">
            <path d="M8 3.5a.5.5 0 0 0-1 0V9a.5.5 0 0 0 .252.434l3.5 2a.5.5 0 0 0 .496-.868L8 8.71V3.5z"/>
            <path d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm7-8A7 7 0 1 1 1 8a7 7 0 0 1 14 0z"/>
          </svg>
          Set Expiry
        </h1>
        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
      </div>
      <form method="post" id="expiryForm">
        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
        <div class="modal-body">
          <p class="text-muted small mb-3">Set expiration for <code id="expiryUserLabel"></code></p>
          <div class="mb-3">
            <label class="form-label fw-medium">Expires at</label>
            <input class="form-control" type="datetime-local" name="expires_at" id="expiryDateInput" />
            <div class="form-text">Leave blank to remove expiration (never expires).</div>
          </div>
          <div class="d-flex flex-wrap gap-2">
            <span class="text-muted small me-2 align-self-center">Quick presets:</span>
            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="1h">1 hour</button>
            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="24h">24 hours</button>
            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="7d">7 days</button>
            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="30d">30 days</button>
            <button class="btn btn-outline-secondary btn-sm" type="button" data-expiry-preset="90d">90 days</button>
            <button class="btn btn-outline-secondary btn-sm text-danger" type="button" data-expiry-preset="clear">Never</button>
          </div>
        </div>
        <div class="modal-footer">
          <button type="button" class="btn btn-outline-secondary" data-bs-dismiss="modal">Cancel</button>
          <button class="btn btn-primary" type="submit">
            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16">
              <path d="M10.97 4.97a.75.75 0 0 1 1.07 1.05l-3.99 4.99a.75.75 0 0 1-1.08.02L4.324 8.384a.75.75 0 1 1 1.06-1.06l2.094 2.093 3.473-4.425a.267.267 0 0 1 .02-.022z"/>
            </svg>
            Save Expiry
          </button>
        </div>
      </form>
    </div>
  </div>
 </div>
 <script id="iamUsersJson" type="application/json">{{ users | tojson }}</script>
 {% endblock %}
@@ -512,7 +617,8 @@
      updateUser: "{{ url_for('ui.update_iam_user', access_key='ACCESS_KEY') }}",
      deleteUser: "{{ url_for('ui.delete_iam_user', access_key='ACCESS_KEY') }}",
      updatePolicies: "{{ url_for('ui.update_iam_policies', access_key='ACCESS_KEY') }}",
-      rotateSecret: "{{ url_for('ui.rotate_iam_secret', access_key='ACCESS_KEY') }}"
+      rotateSecret: "{{ url_for('ui.rotate_iam_secret', access_key='ACCESS_KEY') }}",
      updateExpiry: "{{ url_for('ui.update_iam_expiry', access_key='ACCESS_KEY') }}"
    }
  });
 </script>
--- a/templates/login.html
+++ b/templates/login.html
@@ -73,9 +73,6 @@
            </svg>
          </button>
        </form>
        <div class="text-center mt-4">
          <small class="text-muted">Need help? Check the <a href="{{ url_for('ui.docs_page') }}" class="text-decoration-none">documentation</a></small>
        </div>
      </div>
    </div>
  </div>