test: safety

test: add more testing
test: temp
2026-01-29 14:32:02 +00:00 · 2026-01-28 16:30:27 -03:00 · 2026-01-26 16:13:38 -03:00 · 2026-01-26 13:29:41 -03:00 · 2026-01-23 19:11:54 -03:00 · 2026-01-23 13:06:15 -03:00
454 changed files with 82341 additions and 33865 deletions
--- a/.github/workflows/azurite.yml
+++ b/.github/workflows/azurite.yml
@@ -8,10 +8,10 @@ jobs:
              
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
        with:
          go-version: 'stable'
        id: go
--- a/.github/workflows/docker-bats.yml
+++ b/.github/workflows/docker-bats.yml
@@ -8,13 +8,12 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Build Docker Image
        run: |
          cp tests/.env.docker.default tests/.env.docker
          cp tests/.secrets.default tests/.secrets
-          # see https://github.com/versity/versitygw/issues/1034
          docker build \
            --build-arg="GO_LIBRARY=go1.23.1.linux-amd64.tar.gz" \
            --build-arg="AWS_CLI=awscli-exe-linux-x86_64.zip" \
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,7 +12,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
--- a/.github/workflows/functional.yml
+++ b/.github/workflows/functional.yml
@@ -9,10 +9,10 @@ jobs:
    steps:

    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5

    - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version: 'stable'
      id: go
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -9,10 +9,10 @@ jobs:
    steps:

    - name: Check out code into the Go module directory
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5

    - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version: 'stable'
      id: go
@@ -46,10 +46,10 @@ jobs:
    steps:

      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
        with:
          go-version: 'stable'

--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -20,7 +20,7 @@ jobs:
        run: git fetch --force --tags

      - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
        with:
          go-version: stable

--- a/.github/workflows/host-style-tests.yml
+++ b/.github/workflows/host-style-tests.yml
@@ -7,7 +7,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: run host-style tests
        run: make test-host-style
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -9,7 +9,7 @@ jobs:
    steps:

    - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5

    - name: Run checks
      run: |
--- a/.github/workflows/skips.yml
+++ b/.github/workflows/skips.yml
@@ -0,0 +1,84 @@
+name: skips check
+permissions: {}
+on: workflow_dispatch
+jobs:
+  skip-ticket-check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Fail if any skip descriptions are empty or point to closed issues/PRs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          # Find uncommented lines with "skip " (ignore lines whose first non-space char is #)
+          mapfile -t MATCHES < <(
+            git ls-files 'tests/test_*.sh' \
+              | xargs -r grep -nE '^[[:space:]]*[^#][[:space:]]*skip[[:space:]]*$' \
+              || true
+          )
+
+          if [ ${#MATCHES[@]} -ne 0 ]; then
+            echo "${#MATCHES[@]} skip(s) lack a description"
+            printf ' - %s\n' "${MATCHES[@]}"
+            exit 1
+          fi
+          
+          mapfile -t MATCHES < <(
+            git ls-files 'tests/test_*.sh' \
+              | xargs -r grep -nE '^[[:space:]]*[^#][[:space:]]*skip[[:space:]]*"https://github.com' \
+              || true
+          )
+
+          urls=()
+          for m in "${MATCHES[@]}"; do
+            # Extract first GitHub issue/PR URL on the line:
+            # supports /issues/123 and /pull/123 (with or without extra suffix)
+            url="$(echo "$m" | grep -oE 'https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+/(issues|pull)/[0-9]+' | head -n1 || true)"
+            if [ -n "$url" ]; then
+              urls+=("$url")
+            fi
+          done
+
+          if [ ${#urls[@]} -eq 0 ]; then
+            echo "Found skip lines, but no recognizable GitHub issue/PR URLs."
+            exit 0
+          fi
+
+          echo "Found skip ticket URLs:"
+          printf ' - %s\n' "${urls[@]}"
+
+          closed=()
+
+          for url in "${urls[@]}"; do
+            # Parse owner/repo and number from URL
+            # url format: https://github.com/OWNER/REPO/issues/123 or /pull/123
+            path="${url#https://github.com/}"
+            owner="$(echo "$path" | cut -d/ -f1)"
+            repo="$(echo "$path"  | cut -d/ -f2)"
+            num="$(echo "$path"   | cut -d/ -f4)"
+
+            # Issues API works for both issues and PRs; state=open/closed
+            state="$(curl -fsSL \
+              -H "Authorization: Bearer $GH_TOKEN" \
+              -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/$owner/$repo/issues/$num" \
+              | python -c "import sys,json; print(json.load(sys.stdin).get('state',''))")"
+
+            echo "$url -> $state"
+            if [ "$state" = "closed" ]; then
+              closed+=("$url")
+            fi
+          done
+
+          if [ ${#closed[@]} -gt 0 ]; then
+            echo "::error::Closed tickets referenced by uncommented skip URLs:"
+            printf '::error:: - %s\n' "${closed[@]}"
+            exit 1
+          fi
+
+          echo "All referenced tickets are open. ✅"
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -9,12 +9,12 @@ jobs:
    steps:

    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
      with:
        fetch-depth: 1

    - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version: 'stable'
      id: go
--- a/.github/workflows/system.yml
+++ b/.github/workflows/system.yml
@@ -2,132 +2,34 @@ name: system tests
 permissions: {}
 on: pull_request
 jobs:
+  generate:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.make.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: make
+        run: |
+          if ! matrix_output=$(tests/generate_matrix.sh 2>&1); then
+            echo "error generating matrix: $matrix_output"
+            exit 1
+          fi
+          MATRIX_JSON=$(echo -n "$matrix_output" | jq -c . )
+          echo "matrix=$MATRIX_JSON" >> "$GITHUB_OUTPUT"
+
  build:
    name: RunTests
+    needs: generate
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
-      matrix:
-        include:
-          - set: "mc, posix, non-file count, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "mc-non-file-count"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "mc, posix, file count, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "mc-file-count"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "REST, posix, non-static, base|acl, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "rest-base,rest-acl"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "REST, posix, non-static, chunked|checksum|versioning|bucket, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "rest-chunked,rest-checksum,rest-versioning,rest-bucket"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "s3, posix, non-file count, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3-non-file-count"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "s3, posix, file count, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3-file-count"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "s3api, posix, bucket|object|multipart, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3api-bucket,s3api-object,s3api-multipart"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "s3api, posix, policy, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3api-policy"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "s3api, posix, user, non-static, s3 IAM"
-            IAM_TYPE: s3
-            RUN_SET: "s3api-user"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "s3api, posix, bucket, static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3api-bucket"
-            RECREATE_BUCKETS: "false"
-            DELETE_BUCKETS_AFTER_TEST: "false"
-            BACKEND: "posix"
-          - set: "s3api, posix, multipart, static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3api-multipart"
-            RECREATE_BUCKETS: "false"
-            DELETE_BUCKETS_AFTER_TEST: "false"
-            BACKEND: "posix"
-          - set: "s3api, posix, object, static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3api-object"
-            RECREATE_BUCKETS: "false"
-            DELETE_BUCKETS_AFTER_TEST: "false"
-            BACKEND: "posix"
-          - set: "s3api, posix, policy, static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3api-policy"
-            RECREATE_BUCKETS: "false"
-            DELETE_BUCKETS_AFTER_TEST: "false"
-            BACKEND: "posix"
-          - set: "s3api, posix, user, static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3api-user"
-            RECREATE_BUCKETS: "false"
-            DELETE_BUCKETS_AFTER_TEST: "false"
-            BACKEND: "posix"
-          # TODO fix/debug s3 gateway
-          #- set: "s3api, s3, multipart|object, non-static, folder IAM"
-          #  IAM_TYPE: folder
-          #  RUN_SET: "s3api-bucket,s3api-object,s3api-multipart"
-          #  RECREATE_BUCKETS: "true"
-          #  BACKEND: "s3"
-          #- set: "s3api, s3, policy|user, non-static, folder IAM"
-          #  IAM_TYPE: folder
-          #  RUN_SET: "s3api-policy,s3api-user"
-          #  RECREATE_BUCKETS: "true"
-          #  BACKEND: "s3"
-          - set: "s3cmd, posix, file count, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3cmd-file-count"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "s3cmd, posix, non-user, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3cmd-non-user"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
-          - set: "s3cmd, posix, user, non-static, folder IAM"
-            IAM_TYPE: folder
-            RUN_SET: "s3cmd-user"
-            RECREATE_BUCKETS: "true"
-            DELETE_BUCKETS_AFTER_TEST: "true"
-            BACKEND: "posix"
+      matrix: ${{ fromJson(needs.generate.outputs.matrix) }}
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
        with:
          go-version: "stable"
        id: go
@@ -189,9 +91,9 @@ jobs:
          MC_ALIAS: versity
          LOG_LEVEL: 4
          GOCOVERDIR: ${{ github.workspace }}/cover
-          USERNAME_ONE: ABCDEFG
+          USERNAME_ONE: HIJKLMN
          PASSWORD_ONE: 1234567
-          USERNAME_TWO: HIJKLMN
+          USERNAME_TWO: OPQRSTU
          PASSWORD_TWO: 8901234
          TEST_FILE_FOLDER: ${{ github.workspace }}/versity-gwtest-files
          REMOVE_TEST_FILE_FOLDER: true
@@ -201,11 +103,12 @@ jobs:
          PYTHON_ENV_FOLDER: ${{ github.workspace }}/env
          AUTOGENERATE_USERS: true
          USER_AUTOGENERATION_PREFIX: github-actions-test-
+          AWS_REGION: ${{ matrix.AWS_REGION }}
        run: |
          make testbin
          export AWS_ACCESS_KEY_ID=ABCDEFGHIJKLMNOPQRST
          export AWS_SECRET_ACCESS_KEY=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn
-          export AWS_REGION=us-east-1
+          export AWS_REGION=$AWS_REGION
          export AWS_ACCESS_KEY_ID_TWO=user
          export AWS_SECRET_ACCESS_KEY_TWO=pass
          export AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED
@@ -220,10 +123,13 @@ jobs:
          if [[ $RECREATE_BUCKETS == "false" ]]; then
            BYPASS_ENV_FILE=true ${{ github.workspace }}/tests/setup_static.sh
          fi
-          BYPASS_ENV_FILE=true ${{ github.workspace }}/tests/run.sh $RUN_SET
+          BYPASS_ENV_FILE=true $HOME/bin/bats ${{ github.workspace }}/$RUN_SET

      - name: Time report
-        run: cat ${{ github.workspace }}/time.log
+        run: | 
+          if [ -e ${{ github.workspace }}/time.log ]; then
+            cat ${{ github.workspace }}/time.log
+          fi

      - name: Coverage report
        run: |
--- a/9
+++ b/9
@@ -23,13 +23,16 @@ RUN go build -ldflags "-X=main.Build=${BUILD} -X=main.BuildTime=${TIME} -X=main.

 FROM alpine:latest

-# These arguments can be overriden when building the image
+# These arguments can be overridden when building the image
 ARG IAM_DIR=/tmp/vgw
 ARG SETUP_DIR=/tmp/vgw

 RUN mkdir -p $IAM_DIR
 RUN mkdir -p $SETUP_DIR

-COPY --from=0 /app/cmd/versitygw/versitygw /app/versitygw
+COPY --from=0 /app/cmd/versitygw/versitygw /usr/local/bin/versitygw

-ENTRYPOINT [ "/app/versitygw" ]
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+ENTRYPOINT [ "/usr/local/bin/docker-entrypoint.sh" ]
--- a/README.md
+++ b/README.md
@@ -70,6 +70,29 @@ versitygw [global options] command [command options] [arguments...]
 ```
 The [global options](https://github.com/versity/versitygw/wiki/Global-Options) are specified before the backend type and the backend options are specified after.

+### Run the gateway in Docker
+
+Use the published image like the native binary by passing CLI arguments:
+
+```bash
+docker run --rm versity/versitygw:latest --version
+```
+
+When no command arguments are supplied, the container looks for `VGW_BACKEND` and optional `VGW_BACKEND_ARG`/`VGW_BACKEND_ARGS` environment variables to determine which backend to start. Backend-specific configuration continues to come from the existing environment flags (for example `ROOT_ACCESS_KEY`, `VGW_PORT`, and others).
+
+```bash
+docker run --rm \
+  -e ROOT_ACCESS_KEY=testuser \
+  -e ROOT_SECRET_KEY=secret \
+  -e VGW_BACKEND=posix \
+  -e VGW_BACKEND_ARG=/data \
+  -p 10000:7070 \
+  -v $(pwd)/data:/data \
+  versity/versitygw:latest
+```
+
+If you need to pass additional CLI options, set `VGW_ARGS` with a space-delimited list, or continue passing arguments directly to `docker run`.
+
 ***

 #### Versity gives you clarity and control over your archival storage, so you can allocate more resources to your core mission.
--- a/auth/access-control.go
+++ b/auth/access-control.go
@@ -0,0 +1,189 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/s3err"
+)
+
+func VerifyObjectCopyAccess(ctx context.Context, be backend.Backend, copySource string, opts AccessOptions) error {
+	if opts.IsRoot {
+		return nil
+	}
+	if opts.Acc.Role == RoleAdmin {
+		return nil
+	}
+
+	// Verify destination bucket access
+	if err := VerifyAccess(ctx, be, opts); err != nil {
+		return err
+	}
+	// Verify source bucket access
+	srcBucket, srcObject, found := strings.Cut(copySource, "/")
+	if !found {
+		return s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)
+	}
+
+	// Get source bucket ACL
+	srcBucketACLBytes, err := be.GetBucketAcl(ctx, &s3.GetBucketAclInput{Bucket: &srcBucket})
+	if err != nil {
+		return err
+	}
+
+	var srcBucketAcl ACL
+	if err := json.Unmarshal(srcBucketACLBytes, &srcBucketAcl); err != nil {
+		return err
+	}
+
+	if err := VerifyAccess(ctx, be, AccessOptions{
+		Acl:           srcBucketAcl,
+		AclPermission: PermissionRead,
+		IsRoot:        opts.IsRoot,
+		Acc:           opts.Acc,
+		Bucket:        srcBucket,
+		Object:        srcObject,
+		Action:        GetObjectAction,
+	}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+type AccessOptions struct {
+	Acl             ACL
+	AclPermission   Permission
+	IsRoot          bool
+	Acc             Account
+	Bucket          string
+	Object          string
+	Action          Action
+	Readonly        bool
+	IsPublicRequest bool
+}
+
+func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) error {
+	if opts.Readonly {
+		if opts.AclPermission == PermissionWrite || opts.AclPermission == PermissionWriteAcp {
+			return s3err.GetAPIError(s3err.ErrAccessDenied)
+		}
+	}
+	// Skip the access check for public bucket requests
+	if opts.IsPublicRequest {
+		return nil
+	}
+	if opts.IsRoot {
+		return nil
+	}
+	if opts.Acc.Role == RoleAdmin {
+		return nil
+	}
+
+	policy, policyErr := be.GetBucketPolicy(ctx, opts.Bucket)
+	if policyErr != nil {
+		if !errors.Is(policyErr, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
+			return policyErr
+		}
+	} else {
+		return VerifyBucketPolicy(policy, opts.Acc.Access, opts.Bucket, opts.Object, opts.Action)
+	}
+
+	if err := verifyACL(opts.Acl, opts.Acc.Access, opts.AclPermission); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Detects if the action is policy related
+// e.g.
+// 'GetBucketPolicy', 'PutBucketPolicy'
+func isPolicyAction(action Action) bool {
+	return action == GetBucketPolicyAction || action == PutBucketPolicyAction
+}
+
+// VerifyPublicAccess checks if the bucket is publically accessible by ACL or Policy
+func VerifyPublicAccess(ctx context.Context, be backend.Backend, action Action, permission Permission, bucket, object string) error {
+	// ACL disabled
+	policy, err := be.GetBucketPolicy(ctx, bucket)
+	if err != nil && !errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
+		return err
+	}
+	if err == nil {
+		err = VerifyPublicBucketPolicy(policy, bucket, object, action)
+		if err == nil {
+			// if ACLs are disabled, and the bucket grants public access,
+			// policy actions should return 'MethodNotAllowed'
+			if isPolicyAction(action) {
+				return s3err.GetAPIError(s3err.ErrMethodNotAllowed)
+			}
+
+			return nil
+		}
+	}
+
+	// if the action is not in the ACL whitelist the access is denied
+	_, ok := publicACLAllowedActions[action]
+	if !ok {
+		return s3err.GetAPIError(s3err.ErrAccessDenied)
+	}
+
+	err = VerifyPublicBucketACL(ctx, be, bucket, action, permission)
+	if err != nil {
+		return s3err.GetAPIError(s3err.ErrAccessDenied)
+	}
+
+	return nil
+}
+
+func IsAdminOrOwner(acct Account, isRoot bool, acl ACL) error {
+	// Owner check
+	if acct.Access == acl.Owner {
+		return nil
+	}
+
+	// Root user has access over almost everything
+	if isRoot {
+		return nil
+	}
+
+	// Admin user case
+	if acct.Role == RoleAdmin {
+		return nil
+	}
+
+	// Return access denied in all other cases
+	return s3err.GetAPIError(s3err.ErrAccessDenied)
+}
+
+type PublicACLAllowedActions map[Action]struct{}
+
+var publicACLAllowedActions PublicACLAllowedActions = PublicACLAllowedActions{
+	ListBucketAction:                 struct{}{},
+	PutObjectAction:                  struct{}{},
+	ListBucketMultipartUploadsAction: struct{}{},
+	DeleteObjectAction:               struct{}{},
+	ListBucketVersionsAction:         struct{}{},
+	GetObjectAction:                  struct{}{},
+	GetObjectAttributesAction:        struct{}{},
+	GetObjectAclAction:               struct{}{},
+}
--- a/auth/acl.go
+++ b/auth/acl.go
@@ -25,6 +25,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/debuglogger"
 	"github.com/versity/versitygw/s3err"
 )

@@ -33,6 +34,17 @@ type ACL struct {
 	Grantees []Grantee
 }

+// IsPublic specifies if the acl grants public read access
+func (acl *ACL) IsPublic(permission Permission) bool {
+	for _, grt := range acl.Grantees {
+		if grt.Permission == permission && grt.Type == types.TypeGroup && grt.Access == "all-users" {
+			return true
+		}
+	}
+
+	return false
+}
+
 type Grantee struct {
 	Permission Permission
 	Access     string
@@ -234,7 +246,7 @@ func ParseACLOutput(data []byte, owner string) (GetBucketAclOutput, error) {
 	}, nil
 }

-func UpdateACL(input *PutBucketAclInput, acl ACL, iam IAMService, isAdmin bool) ([]byte, error) {
+func UpdateACL(input *PutBucketAclInput, acl ACL, iam IAMService) ([]byte, error) {
 	if input == nil {
 		return nil, s3err.GetAPIError(s3err.ErrInvalidRequest)
 	}
@@ -374,7 +386,7 @@ func CheckIfAccountsExist(accs []string, iam IAMService) ([]string, error) {
 	for _, acc := range accs {
 		_, err := iam.GetUserAccount(acc)
 		if err != nil {
-			if err == ErrNoSuchUser {
+			if err == ErrNoSuchUser || err == s3err.GetAPIError(s3err.ErrAdminUserNotFound) {
 				result = append(result, acc)
 				continue
 			}
@@ -435,118 +447,61 @@ func verifyACL(acl ACL, access string, permission Permission) error {
 	return s3err.GetAPIError(s3err.ErrAccessDenied)
 }

-func MayCreateBucket(acct Account, isRoot bool) error {
-	if isRoot {
-		return nil
-	}
-
-	if acct.Role == RoleUser {
-		return s3err.GetAPIError(s3err.ErrAccessDenied)
-	}
-
-	return nil
-}
-
-func IsAdminOrOwner(acct Account, isRoot bool, acl ACL) error {
-	// Owner check
-	if acct.Access == acl.Owner {
-		return nil
-	}
-
-	// Root user has access over almost everything
-	if isRoot {
-		return nil
-	}
-
-	// Admin user case
-	if acct.Role == RoleAdmin {
-		return nil
-	}
-
-	// Return access denied in all other cases
-	return s3err.GetAPIError(s3err.ErrAccessDenied)
-}
-
-type AccessOptions struct {
-	Acl           ACL
-	AclPermission Permission
-	IsRoot        bool
-	Acc           Account
-	Bucket        string
-	Object        string
-	Action        Action
-	Readonly      bool
-}
-
-func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) error {
-	if opts.Readonly {
-		if opts.AclPermission == PermissionWrite || opts.AclPermission == PermissionWriteAcp {
-			return s3err.GetAPIError(s3err.ErrAccessDenied)
-		}
-	}
-	if opts.IsRoot {
-		return nil
-	}
-	if opts.Acc.Role == RoleAdmin {
-		return nil
-	}
-
-	policy, policyErr := be.GetBucketPolicy(ctx, opts.Bucket)
-	if policyErr != nil {
-		if !errors.Is(policyErr, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
-			return policyErr
-		}
-	} else {
-		return VerifyBucketPolicy(policy, opts.Acc.Access, opts.Bucket, opts.Object, opts.Action)
-	}
-
-	if err := verifyACL(opts.Acl, opts.Acc.Access, opts.AclPermission); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func VerifyObjectCopyAccess(ctx context.Context, be backend.Backend, copySource string, opts AccessOptions) error {
-	if opts.IsRoot {
-		return nil
-	}
-	if opts.Acc.Role == RoleAdmin {
-		return nil
-	}
-
-	// Verify destination bucket access
-	if err := VerifyAccess(ctx, be, opts); err != nil {
-		return err
-	}
-	// Verify source bucket access
-	srcBucket, srcObject, found := strings.Cut(copySource, "/")
-	if !found {
-		return s3err.GetAPIError(s3err.ErrInvalidCopySource)
-	}
-
-	// Get source bucket ACL
-	srcBucketACLBytes, err := be.GetBucketAcl(ctx, &s3.GetBucketAclInput{Bucket: &srcBucket})
+// Verifies if the bucket acl grants public access
+func VerifyPublicBucketACL(ctx context.Context, be backend.Backend, bucket string, action Action, permission Permission) error {
+	aclBytes, err := be.GetBucketAcl(ctx, &s3.GetBucketAclInput{
+		Bucket: &bucket,
+	})
 	if err != nil {
 		return err
 	}

-	var srcBucketAcl ACL
-	if err := json.Unmarshal(srcBucketACLBytes, &srcBucketAcl); err != nil {
+	acl, err := ParseACL(aclBytes)
+	if err != nil {
 		return err
 	}

-	if err := VerifyAccess(ctx, be, AccessOptions{
-		Acl:           srcBucketAcl,
-		AclPermission: PermissionRead,
-		IsRoot:        opts.IsRoot,
-		Acc:           opts.Acc,
-		Bucket:        srcBucket,
-		Object:        srcObject,
-		Action:        GetObjectAction,
-	}); err != nil {
-		return err
+	if !acl.IsPublic(permission) {
+		return ErrAccessDenied
 	}

 	return nil
 }
+
+// UpdateBucketACLOwner sets default ACL with new owner and removes
+// any previous bucket policy that was in place
+func UpdateBucketACLOwner(ctx context.Context, be backend.Backend, bucket, newOwner string) error {
+	acl := ACL{
+		Owner: newOwner,
+		Grantees: []Grantee{
+			{
+				Permission: PermissionFullControl,
+				Access:     newOwner,
+				Type:       types.TypeCanonicalUser,
+			},
+		},
+	}
+
+	result, err := json.Marshal(acl)
+	if err != nil {
+		return fmt.Errorf("marshal ACL: %w", err)
+	}
+
+	err = be.PutBucketAcl(ctx, bucket, result)
+	if err != nil {
+		return err
+	}
+
+	return be.DeleteBucketPolicy(ctx, bucket)
+}
+
+// ValidateCannedACL validates bucket canned acl value
+func ValidateCannedACL(acl string) error {
+	switch types.BucketCannedACL(acl) {
+	case types.BucketCannedACLPrivate, types.BucketCannedACLPublicRead, types.BucketCannedACLPublicReadWrite, "":
+		return nil
+	default:
+		debuglogger.Logf("invalid bucket canned acl: %v", acl)
+		return s3err.GetAPIError(s3err.ErrInvalidArgument)
+	}
+}
--- a/auth/bucket_cors.go
+++ b/auth/bucket_cors.go
@@ -0,0 +1,338 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"encoding/xml"
+	"fmt"
+	"net/http"
+	"regexp"
+	"strings"
+
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3err"
+)
+
+// headerRegex is the regexp to validate http header names
+var headerRegex = regexp.MustCompile(`^[!#$%&'*+\-.^_` + "`" + `|~0-9A-Za-z]+$`)
+
+type CORSHeader string
+type CORSHTTPMethod string
+
+// IsValid validates the CORS http header
+// the rules are based on http RFC
+// https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
+//
+// Empty values are considered as valid
+func (ch CORSHeader) IsValid() bool {
+	return ch == "" || headerRegex.MatchString(ch.String())
+}
+
+// String converts the header value to 'string'
+func (ch CORSHeader) String() string {
+	return string(ch)
+}
+
+// ToLower converts the header to lower case
+func (ch CORSHeader) ToLower() string {
+	return strings.ToLower(string(ch))
+}
+
+// IsValid validates the cors http request method:
+// the methods are case sensitive
+func (cm CORSHTTPMethod) IsValid() bool {
+	return cm.IsEmpty() || cm == http.MethodGet || cm == http.MethodHead || cm == http.MethodPut ||
+		cm == http.MethodPost || cm == http.MethodDelete
+}
+
+// IsEmpty checks if the cors method is an empty string
+func (cm CORSHTTPMethod) IsEmpty() bool {
+	return cm == ""
+}
+
+// String converts the method value to 'string'
+func (cm CORSHTTPMethod) String() string {
+	return string(cm)
+}
+
+type CORSConfiguration struct {
+	Rules []CORSRule `xml:"CORSRule"`
+}
+
+// Validate validates the cors configuration rules
+func (cc *CORSConfiguration) Validate() error {
+	if cc == nil || cc.Rules == nil {
+		debuglogger.Logf("invalid CORS configuration")
+		return s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	if len(cc.Rules) == 0 {
+		debuglogger.Logf("empty CORS config rules")
+		return s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	// validate each CORS rule
+	for _, rule := range cc.Rules {
+		if err := rule.Validate(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+type CORSAllowanceConfig struct {
+	Origin           string
+	Methods          string
+	ExposedHeaders   string
+	AllowCredentials string
+	AllowHeaders     string
+	MaxAge           *int32
+}
+
+// IsAllowed walks through the CORS rules and finds the first one allowing access.
+// If no rule grants access, returns 'AccessForbidden'
+func (cc *CORSConfiguration) IsAllowed(origin string, method CORSHTTPMethod, headers []CORSHeader) (*CORSAllowanceConfig, error) {
+	// if method is empty, anyways cors is forbidden
+	// skip, without going through the rules
+	if method.IsEmpty() {
+		debuglogger.Logf("empty Access-Control-Request-Method")
+		return nil, s3err.GetAPIError(s3err.ErrCORSForbidden)
+	}
+	for _, rule := range cc.Rules {
+		// find the first rule granting access
+		if isAllowed, wilcardOrigin := rule.Match(origin, method, headers); isAllowed {
+			o := origin
+			allowCredentials := "true"
+			if wilcardOrigin {
+				o = "*"
+				allowCredentials = "false"
+			}
+
+			return &CORSAllowanceConfig{
+				Origin:           o,
+				AllowCredentials: allowCredentials,
+				Methods:          rule.GetAllowedMethods(),
+				ExposedHeaders:   rule.GetExposeHeaders(),
+				AllowHeaders:     buildAllowedHeaders(headers),
+				MaxAge:           rule.MaxAgeSeconds,
+			}, nil
+		}
+	}
+
+	// if no matching rule is found, return AccessForbidden
+	return nil, s3err.GetAPIError(s3err.ErrCORSForbidden)
+}
+
+type CORSRule struct {
+	AllowedMethods []CORSHTTPMethod `xml:"AllowedMethod"`
+	AllowedHeaders []CORSHeader     `xml:"AllowedHeader"`
+	ExposeHeaders  []CORSHeader     `xml:"ExposeHeader"`
+	AllowedOrigins []string         `xml:"AllowedOrigin"`
+	ID             *string
+	MaxAgeSeconds  *int32
+}
+
+// Validate validates and returns error if CORS configuration has invalid rule
+func (cr *CORSRule) Validate() error {
+	// validate CORS allowed headers
+	for _, header := range cr.AllowedHeaders {
+		if !header.IsValid() {
+			debuglogger.Logf("invalid CORS allowed header: %s", header)
+			return s3err.GetInvalidCORSHeaderErr(header.String())
+		}
+	}
+	// validate CORS allowed methods
+	for _, method := range cr.AllowedMethods {
+		if !method.IsValid() {
+			debuglogger.Logf("invalid CORS allowed method: %s", method)
+			return s3err.GetUnsopportedCORSMethodErr(method.String())
+		}
+	}
+	// validate CORS expose headers
+	for _, header := range cr.ExposeHeaders {
+		if !header.IsValid() {
+			debuglogger.Logf("invalid CORS exposed header: %s", header)
+			return s3err.GetInvalidCORSHeaderErr(header.String())
+		}
+	}
+
+	return nil
+}
+
+// Match matches the provided origin, method and headers with the
+// CORS configuration rule
+// if the matching origin is "*", it returns true as the first argument
+func (cr *CORSRule) Match(origin string, method CORSHTTPMethod, headers []CORSHeader) (bool, bool) {
+	wildcardOrigin := false
+	originFound := false
+
+	// check if the provided origin exists in CORS AllowedOrigins
+	for _, or := range cr.AllowedOrigins {
+		if wildcardMatch(or, origin) {
+			originFound = true
+			if or == "*" {
+				// mark wildcardOrigin as true, if "*" is found in AllowedOrigins
+				wildcardOrigin = true
+			}
+			break
+		}
+	}
+
+	if !originFound {
+		return false, false
+	}
+
+	// cache the CORS AllowedMethods in a map
+	allowedMethods := cacheCORSMethods(cr.AllowedMethods)
+	// check if the provided method exists in CORS AllowedMethods
+	if _, ok := allowedMethods[method]; !ok {
+		return false, false
+	}
+
+	// check is CORS rule allowed headers match
+	// with the requested allowed headers
+	for _, reqHeader := range headers {
+		match := false
+		for _, header := range cr.AllowedHeaders {
+			if wildcardMatch(header.ToLower(), reqHeader.ToLower()) {
+				match = true
+				break
+			}
+		}
+
+		if !match {
+			return false, false
+		}
+	}
+
+	return true, wildcardOrigin
+}
+
+// GetExposeHeaders returns comma separated CORS expose headers
+func (cr *CORSRule) GetExposeHeaders() string {
+	var result strings.Builder
+
+	for i, h := range cr.ExposeHeaders {
+		if i > 0 {
+			result.WriteString(", ")
+		}
+		result.WriteString(h.String())
+	}
+
+	return result.String()
+}
+
+// buildAllowedHeaders builds a comma separated string from []CORSHeader
+func buildAllowedHeaders(headers []CORSHeader) string {
+	var result strings.Builder
+
+	for i, h := range headers {
+		if i > 0 {
+			result.WriteString(", ")
+		}
+		result.WriteString(h.ToLower())
+	}
+
+	return result.String()
+}
+
+// GetAllowedMethods returns comma separated CORS allowed methods
+func (cr *CORSRule) GetAllowedMethods() string {
+	var result strings.Builder
+
+	for i, m := range cr.AllowedMethods {
+		if i > 0 {
+			result.WriteString(", ")
+		}
+		result.WriteString(m.String())
+	}
+
+	return result.String()
+}
+
+// ParseCORSOutput parses raw bytes to 'CORSConfiguration'
+func ParseCORSOutput(data []byte) (*CORSConfiguration, error) {
+	var config CORSConfiguration
+	err := xml.Unmarshal(data, &config)
+	if err != nil {
+		debuglogger.Logf("unmarshal cors output: %v", err)
+		return nil, fmt.Errorf("failed to parse cors config: %w", err)
+	}
+
+	return &config, nil
+}
+
+func cacheCORSMethods(input []CORSHTTPMethod) map[CORSHTTPMethod]struct{} {
+	result := make(map[CORSHTTPMethod]struct{}, len(input))
+	for _, el := range input {
+		result[el] = struct{}{}
+	}
+
+	return result
+}
+
+// ParseCORSHeaders parses/validates Access-Control-Request-Headers
+// and returns []CORSHeaders
+func ParseCORSHeaders(headers string) ([]CORSHeader, error) {
+	result := []CORSHeader{}
+	if headers == "" {
+		return result, nil
+	}
+
+	headersSplitted := strings.Split(headers, ",")
+	for _, h := range headersSplitted {
+		corsHeader := CORSHeader(strings.TrimSpace(h))
+		if corsHeader == "" || !corsHeader.IsValid() {
+			debuglogger.Logf("invalid access control header: %s", h)
+			return nil, s3err.GetInvalidCORSRequestHeaderErr(h)
+		}
+		result = append(result, corsHeader)
+	}
+
+	return result, nil
+}
+
+func wildcardMatch(pattern, input string) bool {
+	pIdx, sIdx := 0, 0
+	starIdx, matchIdx := -1, 0
+
+	for sIdx < len(input) {
+		if pIdx < len(pattern) && pattern[pIdx] == input[sIdx] {
+			// exact match of current char
+			sIdx++
+			pIdx++
+		} else if pIdx < len(pattern) && pattern[pIdx] == '*' {
+			// remember star position
+			starIdx = pIdx
+			matchIdx = sIdx
+			pIdx++
+		} else if starIdx != -1 {
+			// backtrack: try to match more characters with '*'
+			pIdx = starIdx + 1
+			matchIdx++
+			sIdx = matchIdx
+		} else {
+			return false
+		}
+	}
+
+	// skip trailing stars
+	for pIdx < len(pattern) && pattern[pIdx] == '*' {
+		pIdx++
+	}
+
+	return pIdx == len(pattern)
+}
--- a/auth/bucket_cors_test.go
+++ b/auth/bucket_cors_test.go
@@ -0,0 +1,736 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestCORSHeader_IsValid(t *testing.T) {
+	tests := []struct {
+		name   string
+		header CORSHeader
+		want   bool
+	}{
+		{"empty", "", true},
+		{"valid", "X-Custom-Header", true},
+		{"invalid_1", "Invalid Header", false},
+		{"invalid_2", "invalid/header", false},
+		{"invalid_3", "Invalid\tHeader", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.header.IsValid(); got != tt.want {
+				t.Errorf("IsValid() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCORSHTTPMethod_IsValid(t *testing.T) {
+	tests := []struct {
+		name   string
+		method CORSHTTPMethod
+		want   bool
+	}{
+		{"empty valid", "", true},
+		{"GET valid", http.MethodGet, true},
+		{"HEAD valid", http.MethodHead, true},
+		{"PUT valid", http.MethodPut, true},
+		{"POST valid", http.MethodPost, true},
+		{"DELETE valid", http.MethodDelete, true},
+		{"get valid", "get", false},
+		{"put valid", "put", false},
+		{"post valid", "post", false},
+		{"head valid", "head", false},
+		{"invalid", "FOO", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.method.IsValid(); got != tt.want {
+				t.Errorf("IsValid() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCORSHeader_ToLower(t *testing.T) {
+	tests := []struct {
+		name   string
+		header CORSHeader
+		want   string
+	}{
+		{
+			name:   "already lowercase",
+			header: CORSHeader("content-type"),
+			want:   "content-type",
+		},
+		{
+			name:   "mixed case",
+			header: CORSHeader("X-CuStOm-HeAdEr"),
+			want:   "x-custom-header",
+		},
+		{
+			name:   "uppercase",
+			header: CORSHeader("AUTHORIZATION"),
+			want:   "authorization",
+		},
+		{
+			name:   "empty string",
+			header: CORSHeader(""),
+			want:   "",
+		},
+		{
+			name:   "numeric and symbols",
+			header: CORSHeader("X-123-HEADER"),
+			want:   "x-123-header",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.header.ToLower()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestCORSHTTPMethod_IsEmpty(t *testing.T) {
+	tests := []struct {
+		name   string
+		method CORSHTTPMethod
+		want   bool
+	}{
+		{
+			name:   "empty string is empty",
+			method: CORSHTTPMethod(""),
+			want:   true,
+		},
+		{
+			name:   "GET method is not empty",
+			method: CORSHTTPMethod("GET"),
+			want:   false,
+		},
+		{
+			name:   "random string is not empty",
+			method: CORSHTTPMethod("FOO"),
+			want:   false,
+		},
+		{
+			name:   "lowercase get is not empty (case sensitive)",
+			method: CORSHTTPMethod("get"),
+			want:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.method.IsEmpty()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestCORSConfiguration_Validate(t *testing.T) {
+	tests := []struct {
+		name string
+		cfg  *CORSConfiguration
+		want error
+	}{
+		{"nil config", nil, s3err.GetAPIError(s3err.ErrMalformedXML)},
+		{"nil rules", &CORSConfiguration{}, s3err.GetAPIError(s3err.ErrMalformedXML)},
+		{"empty rules", &CORSConfiguration{Rules: []CORSRule{}}, s3err.GetAPIError(s3err.ErrMalformedXML)},
+		{"invalid rule", &CORSConfiguration{Rules: []CORSRule{{AllowedHeaders: []CORSHeader{"Invalid Header"}}}}, s3err.GetInvalidCORSHeaderErr("Invalid Header")},
+		{"valid rule", &CORSConfiguration{Rules: []CORSRule{{
+			AllowedOrigins: []string{"origin"},
+			AllowedHeaders: []CORSHeader{"X-Test"},
+			AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+			ExposeHeaders:  []CORSHeader{"X-Expose"},
+		}}}, nil},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.cfg.Validate()
+			assert.EqualValues(t, tt.want, err)
+		})
+	}
+}
+
+func TestCORSConfiguration_IsAllowed(t *testing.T) {
+	type input struct {
+		cfg     *CORSConfiguration
+		origin  string
+		method  CORSHTTPMethod
+		headers []CORSHeader
+	}
+	type output struct {
+		result *CORSAllowanceConfig
+		err    error
+	}
+	tests := []struct {
+		name   string
+		input  input
+		output output
+	}{
+		{
+			name: "allowed exact origin",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				}}},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{
+				result: &CORSAllowanceConfig{
+					Origin:           "http://allowed.com",
+					AllowCredentials: "true",
+					Methods:          http.MethodGet,
+					AllowHeaders:     "x-test",
+					ExposedHeaders:   "",
+					MaxAge:           nil,
+				},
+				err: nil,
+			},
+		},
+		{
+			name: "allowed wildcard origin",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"*"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				}}},
+				origin:  "anything",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{
+				result: &CORSAllowanceConfig{
+					Origin:           "*",
+					AllowCredentials: "false",
+					AllowHeaders:     "x-test",
+					Methods:          http.MethodGet,
+					ExposedHeaders:   "",
+					MaxAge:           nil,
+				},
+				err: nil,
+			},
+		},
+		{
+			name: "forbidden no matching origin",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"http://nope.com"},
+				}}},
+				origin: "http://not-allowed.com",
+				method: http.MethodGet,
+			},
+			output: output{
+				result: nil,
+				err:    s3err.GetAPIError(s3err.ErrCORSForbidden),
+			},
+		},
+		{
+			name: "forbidden method not allowed",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				}}},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{
+				result: nil,
+				err:    s3err.GetAPIError(s3err.ErrCORSForbidden),
+			},
+		},
+		{
+			name: "forbidden header not allowed",
+			input: input{
+				cfg: &CORSConfiguration{Rules: []CORSRule{{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				}}},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Nope"},
+			},
+			output: output{
+				result: nil,
+				err:    s3err.GetAPIError(s3err.ErrCORSForbidden),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.input.cfg.IsAllowed(tt.input.origin, tt.input.method, tt.input.headers)
+			assert.EqualValues(t, tt.output.err, err)
+			assert.EqualValues(t, tt.output.result, got)
+		})
+	}
+}
+
+func TestCORSRule_Validate(t *testing.T) {
+	tests := []struct {
+		name string
+		rule CORSRule
+		want error
+	}{
+		{
+			name: "valid rule",
+			rule: CORSRule{
+				AllowedOrigins: []string{"http://allowed.com"},
+				AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+				AllowedHeaders: []CORSHeader{"X-Test"},
+			},
+			want: nil,
+		},
+		{
+			name: "invalid allowed methods",
+			rule: CORSRule{
+				AllowedOrigins: []string{"http://allowed.com"},
+				AllowedMethods: []CORSHTTPMethod{"invalid_method"},
+				AllowedHeaders: []CORSHeader{"X-Test"},
+			},
+			want: s3err.GetUnsopportedCORSMethodErr("invalid_method"),
+		},
+		{
+			name: "invalid allowed header",
+			rule: CORSRule{
+				AllowedOrigins: []string{"http://allowed.com"},
+				AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+				AllowedHeaders: []CORSHeader{"Invalid Header"},
+			},
+			want: s3err.GetInvalidCORSHeaderErr("Invalid Header"),
+		},
+		{
+			name: "invalid allowed header",
+			rule: CORSRule{
+				AllowedOrigins: []string{"http://allowed.com"},
+				AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+				AllowedHeaders: []CORSHeader{"Content-Length"},
+				ExposeHeaders:  []CORSHeader{"Content-Encoding", "invalid header"},
+			},
+			want: s3err.GetInvalidCORSHeaderErr("invalid header"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.rule.Validate()
+			assert.EqualValues(t, tt.want, err)
+		})
+	}
+}
+
+func TestCORSRule_Match(t *testing.T) {
+	type input struct {
+		rule    CORSRule
+		origin  string
+		method  CORSHTTPMethod
+		headers []CORSHeader
+	}
+	type output struct {
+		isAllowed  bool
+		isWildcard bool
+	}
+	tests := []struct {
+		name   string
+		input  input
+		output output
+	}{
+		{
+			name: "exact origin and method match",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: true, isWildcard: false},
+		},
+		{
+			name: "wildcard origin match",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"*"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://random.com",
+				method:  http.MethodPost,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: true, isWildcard: true},
+		},
+		{
+			name: "wildcard containing origin match",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://random*"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://random.com",
+				method:  http.MethodPost,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: true, isWildcard: false},
+		},
+		{
+			name: "wildcard allowed headers match",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://something.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-*"},
+				},
+				origin:  "http://something.com",
+				method:  http.MethodPost,
+				headers: []CORSHeader{"X-Test", "X-Something", "X-Anyting"},
+			},
+			output: output{isAllowed: true, isWildcard: false},
+		},
+		{
+			name: "origin mismatch",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://notallowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: false, isWildcard: false},
+		},
+		{
+			name: "method mismatch",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodPost},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Test"},
+			},
+			output: output{isAllowed: false, isWildcard: false},
+		},
+		{
+			name: "header mismatch",
+			input: input{
+				rule: CORSRule{
+					AllowedOrigins: []string{"http://allowed.com"},
+					AllowedMethods: []CORSHTTPMethod{http.MethodGet},
+					AllowedHeaders: []CORSHeader{"X-Test"},
+				},
+				origin:  "http://allowed.com",
+				method:  http.MethodGet,
+				headers: []CORSHeader{"X-Other"},
+			},
+			output: output{isAllowed: false, isWildcard: false},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			isAllowed, wild := tt.input.rule.Match(tt.input.origin, tt.input.method, tt.input.headers)
+			assert.Equal(t, tt.output.isAllowed, isAllowed)
+			assert.Equal(t, tt.output.isWildcard, wild)
+		})
+	}
+}
+
+func TestGetExposeHeaders(t *testing.T) {
+	tests := []struct {
+		name string
+		rule CORSRule
+		want string
+	}{
+		{"multiple headers", CORSRule{ExposeHeaders: []CORSHeader{"Content-Length", "Content-Type", "Content-Encoding"}}, "Content-Length, Content-Type, Content-Encoding"},
+		{"single header", CORSRule{ExposeHeaders: []CORSHeader{"Authorization"}}, "Authorization"},
+		{"no headers", CORSRule{}, ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.rule.GetExposeHeaders()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestBuildAllowedHeaders(t *testing.T) {
+	tests := []struct {
+		name    string
+		headers []CORSHeader
+		want    string
+	}{
+		{
+			name:    "empty slice returns empty string",
+			headers: []CORSHeader{},
+			want:    "",
+		},
+		{
+			name:    "single header lowercase",
+			headers: []CORSHeader{"Content-Type"},
+			want:    "content-type",
+		},
+		{
+			name:    "multiple headers lowercased with commas",
+			headers: []CORSHeader{"Content-Type", "X-Custom-Header", "Authorization"},
+			want:    "content-type, x-custom-header, authorization",
+		},
+		{
+			name:    "already lowercase header",
+			headers: []CORSHeader{"accept"},
+			want:    "accept",
+		},
+		{
+			name:    "mixed case headers",
+			headers: []CORSHeader{"ACCEPT", "x-Powered-By"},
+			want:    "accept, x-powered-by",
+		},
+		{
+			name:    "empty header value",
+			headers: []CORSHeader{""},
+			want:    "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := buildAllowedHeaders(tt.headers)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestGetAllowedMethods(t *testing.T) {
+	tests := []struct {
+		name string
+		rule CORSRule
+		want string
+	}{
+		{"multiple methods", CORSRule{AllowedMethods: []CORSHTTPMethod{http.MethodGet, http.MethodPost, http.MethodPut}}, "GET, POST, PUT"},
+		{"single method", CORSRule{AllowedMethods: []CORSHTTPMethod{http.MethodGet}}, "GET"},
+		{"no methods", CORSRule{}, ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.rule.GetAllowedMethods()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestParseCORSOutput(t *testing.T) {
+	tests := []struct {
+		name string
+		data string
+		want bool
+	}{
+		{"valid", `<CORSConfiguration><CORSRule></CORSRule></CORSConfiguration>`, true},
+		{"invalid xml", `<CORSConfiguration><CORSRule>`, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg, err := ParseCORSOutput([]byte(tt.data))
+			if (err == nil) != tt.want {
+				t.Errorf("ParseCORSOutput() err = %v, want success=%v", err, tt.want)
+			}
+			if tt.want && cfg == nil {
+				t.Errorf("Expected non-nil config")
+			}
+		})
+	}
+}
+
+func TestCacheCORSProps(t *testing.T) {
+	tests := []struct {
+		name string
+		in   []CORSHTTPMethod
+		want map[string]struct{}
+	}{
+		{
+			name: "empty CORSHTTPMethod slice",
+			in:   []CORSHTTPMethod{},
+			want: map[string]struct{}{},
+		},
+		{
+			name: "single CORSHTTPMethod",
+			in:   []CORSHTTPMethod{http.MethodGet},
+			want: map[string]struct{}{http.MethodGet: {}},
+		},
+		{
+			name: "multiple CORSHTTPMethods",
+			in:   []CORSHTTPMethod{http.MethodGet, http.MethodPost, http.MethodPut},
+			want: map[string]struct{}{
+				http.MethodGet:  {},
+				http.MethodPost: {},
+				http.MethodPut:  {},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := cacheCORSMethods(tt.in)
+			assert.Equal(t, len(tt.want), len(got))
+			for key := range tt.want {
+				_, ok := got[CORSHTTPMethod(key)]
+				assert.True(t, ok)
+			}
+		})
+	}
+}
+
+func TestParseCORSHeaders(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want []CORSHeader
+		err  error
+	}{
+		{
+			name: "empty string",
+			in:   "",
+			want: []CORSHeader{},
+			err:  nil,
+		},
+		{
+			name: "single valid header",
+			in:   "X-Test",
+			want: []CORSHeader{"X-Test"},
+			err:  nil,
+		},
+		{
+			name: "multiple valid headers with spaces",
+			in:   "X-Test, Content-Type, Authorization",
+			want: []CORSHeader{"X-Test", "Content-Type", "Authorization"},
+			err:  nil,
+		},
+		{
+			name: "header with leading/trailing spaces",
+			in:   "   X-Test   ",
+			want: []CORSHeader{"X-Test"},
+			err:  nil,
+		},
+		{
+			name: "contains invalid header",
+			in:   "X-Test, Invalid Header, Content-Type",
+			want: nil,
+			err:  s3err.GetInvalidCORSRequestHeaderErr(" Invalid Header"),
+		},
+		{
+			name: "only invalid header",
+			in:   "Invalid Header",
+			want: nil,
+			err:  s3err.GetInvalidCORSRequestHeaderErr("Invalid Header"),
+		},
+		{
+			name: "multiple commas in a row",
+			in:   "X-Test,,Content-Type",
+			want: nil,
+			err:  s3err.GetInvalidCORSRequestHeaderErr(""),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseCORSHeaders(tt.in)
+			assert.EqualValues(t, tt.err, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestWildcardMatch(t *testing.T) {
+	tests := []struct {
+		name    string
+		pattern string
+		input   string
+		want    bool
+	}{
+		// Exact match, no wildcards
+		{"exact match", "hello", "hello", true},
+		{"exact mismatch", "hello", "hell", false},
+		// Single '*' matching zero chars
+		{"star matches zero chars", "he*lo", "helo", true},
+		// Single '*' matching multiple chars
+		{"star matches multiple chars", "he*o", "heyyyyyo", true},
+		// '*' at start
+		{"star at start", "*world", "hello world", true},
+		// '*' at end
+		{"star at end", "hello*", "hello there", true},
+		// '*' matches whole string
+		{"only star", "*", "anything", true},
+		{"only star empty", "*", "", true},
+		// Multiple '*'s
+		{"multiple stars", "a*b*c", "axxxbzzzzyc", true},
+		{"multiple stars no match", "a*b*c", "axxxbzzzzy", false},
+		// Backtracking needed
+		{"backtracking required", "a*b*c", "ab123c", true},
+		// No match with star present
+		{"star but mismatch", "he*world", "hey there", false},
+		// Trailing stars in pattern
+		{"trailing stars match", "abc**", "abc", true},
+		{"trailing stars match longer", "abc**", "abccc", true},
+		// Empty pattern cases
+		{"empty pattern and empty input", "", "", true},
+		{"empty pattern non-empty input", "", "a", false},
+		{"only stars pattern with empty input", "***", "", true},
+		// Pattern longer than input
+		{"pattern longer no star", "abcd", "abc", false},
+		// Input longer but no star
+		{"input longer no star", "abc", "abcd", false},
+		// Complex interleaved match
+		{"complex interleaved", "*a*b*cd*", "xxaYYbZZcd123", true},
+		// Star match at the end after mismatch
+		{"mismatch then star match", "ab*xyz", "abzzzxyz", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := wildcardMatch(tt.pattern, tt.input)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/auth/bucket_policy.go
+++ b/auth/bucket_policy.go
@@ -17,11 +17,14 @@ package auth
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"

 	"github.com/versity/versitygw/s3err"
 )

+var ErrAccessDenied = errors.New("access denied")
+
 type policyErr string

 func (p policyErr) Error() string {
@@ -37,14 +40,17 @@ const (
 	policyErrInvalidFirstChar     = policyErr("Policies must be valid JSON and the first byte must be '{'")
 	policyErrEmptyStatement       = policyErr("Could not parse the policy: Statement is empty!")
 	policyErrMissingStatmentField = policyErr("Missing required field Statement")
+	policyErrInvalidVersion       = policyErr("The policy must contain a valid version string")
 )

 type BucketPolicy struct {
+	Version   PolicyVersion      `json:"Version"`
 	Statement []BucketPolicyItem `json:"Statement"`
 }

 func (bp *BucketPolicy) UnmarshalJSON(data []byte) error {
 	var tmp struct {
+		Version   *PolicyVersion
 		Statement *[]BucketPolicyItem `json:"Statement"`
 	}

@@ -57,12 +63,22 @@ func (bp *BucketPolicy) UnmarshalJSON(data []byte) error {
 		return policyErrMissingStatmentField
 	}

-	// Assign the parsed value to the actual struct
+	if tmp.Version == nil {
+		// bucket policy version should defualt to '2008-10-17'
+		bp.Version = PolicyVersion2008
+	} else {
+		bp.Version = *tmp.Version
+	}
+
 	bp.Statement = *tmp.Statement
 	return nil
 }

 func (bp *BucketPolicy) Validate(bucket string, iam IAMService) error {
+	if !bp.Version.isValid() {
+		return policyErrInvalidVersion
+	}
+
 	for _, statement := range bp.Statement {
 		err := statement.Validate(bucket, iam)
 		if err != nil {
@@ -89,6 +105,36 @@ func (bp *BucketPolicy) isAllowed(principal string, action Action, resource stri
 	return isAllowed
 }

+// IsPublicFor checks if the bucket policy statements contain
+// an entity granting public access to the given resource and action
+func (bp *BucketPolicy) isPublicFor(resource string, action Action) bool {
+	var isAllowed bool
+	for _, statement := range bp.Statement {
+		if statement.isPublicFor(resource, action) {
+			switch statement.Effect {
+			case BucketPolicyAccessTypeAllow:
+				isAllowed = true
+			case BucketPolicyAccessTypeDeny:
+				return false
+			}
+		}
+	}
+
+	return isAllowed
+}
+
+// IsPublic checks if one of bucket policy statments grant
+// public access to ALL users
+func (bp *BucketPolicy) IsPublic() bool {
+	for _, statement := range bp.Statement {
+		if statement.isPublic() {
+			return true
+		}
+	}
+
+	return false
+}
+
 type BucketPolicyItem struct {
 	Effect     BucketPolicyAccessType `json:"Effect"`
 	Principals Principals             `json:"Principal"`
@@ -134,6 +180,18 @@ func (bpi *BucketPolicyItem) findMatch(principal string, action Action, resource
 	return false
 }

+// isPublicFor checks if the bucket policy statemant grants public access
+// for given resource and action
+func (bpi *BucketPolicyItem) isPublicFor(resource string, action Action) bool {
+	return bpi.Principals.isPublic() && bpi.Actions.FindMatch(action) && bpi.Resources.FindMatch(resource)
+}
+
+// isPublic checks if the statement grants public access
+// to ALL users
+func (bpi *BucketPolicyItem) isPublic() bool {
+	return bpi.Principals.isPublic()
+}
+
 func getMalformedPolicyError(err error) error {
 	return s3err.APIError{
 		Code:           "MalformedPolicy",
@@ -142,17 +200,27 @@ func getMalformedPolicyError(err error) error {
 	}
 }

+// ParsePolicyDocument parses raw bytes to 'BucketPolicy'
+func ParsePolicyDocument(data []byte) (*BucketPolicy, error) {
+	var policy BucketPolicy
+	if err := json.Unmarshal(data, &policy); err != nil {
+		var pe policyErr
+		if errors.As(err, &pe) {
+			return nil, getMalformedPolicyError(err)
+		}
+		return nil, getMalformedPolicyError(policyErrInvalidPolicy)
+	}
+
+	return &policy, nil
+}
+
 func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) error {
 	if len(policyBin) == 0 || policyBin[0] != '{' {
 		return getMalformedPolicyError(policyErrInvalidFirstChar)
 	}
-	var policy BucketPolicy
-	if err := json.Unmarshal(policyBin, &policy); err != nil {
-		var pe policyErr
-		if errors.As(err, &pe) {
-			return getMalformedPolicyError(err)
-		}
-		return getMalformedPolicyError(policyErrInvalidPolicy)
+	policy, err := ParsePolicyDocument(policyBin)
+	if err != nil {
+		return err
 	}

 	if len(policy.Statement) == 0 {
@@ -169,7 +237,7 @@ func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) err
 func VerifyBucketPolicy(policy []byte, access, bucket, object string, action Action) error {
 	var bucketPolicy BucketPolicy
 	if err := json.Unmarshal(policy, &bucketPolicy); err != nil {
-		return err
+		return fmt.Errorf("failed to parse the bucket policy: %w", err)
 	}

 	resource := bucket
@@ -183,3 +251,53 @@ func VerifyBucketPolicy(policy []byte, access, bucket, object string, action Act

 	return nil
 }
+
+// Checks if the bucket policy grants public access
+func VerifyPublicBucketPolicy(policy []byte, bucket, object string, action Action) error {
+	var bucketPolicy BucketPolicy
+	if err := json.Unmarshal(policy, &bucketPolicy); err != nil {
+		return err
+	}
+
+	resource := bucket
+	if object != "" {
+		resource += "/" + object
+	}
+
+	if !bucketPolicy.isPublicFor(resource, action) {
+		return ErrAccessDenied
+	}
+
+	return nil
+}
+
+// matchPattern checks if the input string matches the given pattern with wildcard(`*`) and any character(`?`).
+// - `?` matches exactly one occurrence of any character.
+// - `*` matches arbitrary many (including zero) occurrences of any character.
+func matchPattern(pattern, input string) bool {
+	pIdx, sIdx := 0, 0
+	starIdx, matchIdx := -1, 0
+
+	for sIdx < len(input) {
+		if pIdx < len(pattern) && (pattern[pIdx] == '?' || pattern[pIdx] == input[sIdx]) {
+			sIdx++
+			pIdx++
+		} else if pIdx < len(pattern) && pattern[pIdx] == '*' {
+			starIdx = pIdx
+			matchIdx = sIdx
+			pIdx++
+		} else if starIdx != -1 {
+			pIdx = starIdx + 1
+			matchIdx++
+			sIdx = matchIdx
+		} else {
+			return false
+		}
+	}
+
+	for pIdx < len(pattern) && pattern[pIdx] == '*' {
+		pIdx++
+	}
+
+	return pIdx == len(pattern)
+}
--- a/auth/bucket_policy_actions.go
+++ b/auth/bucket_policy_actions.go
@@ -22,108 +22,181 @@ import (
 type Action string

 const (
-	GetBucketAclAction                     Action = "s3:GetBucketAcl"
-	CreateBucketAction                     Action = "s3:CreateBucket"
-	PutBucketAclAction                     Action = "s3:PutBucketAcl"
-	DeleteBucketAction                     Action = "s3:DeleteBucket"
-	PutBucketVersioningAction              Action = "s3:PutBucketVersioning"
-	GetBucketVersioningAction              Action = "s3:GetBucketVersioning"
-	PutBucketPolicyAction                  Action = "s3:PutBucketPolicy"
-	GetBucketPolicyAction                  Action = "s3:GetBucketPolicy"
-	DeleteBucketPolicyAction               Action = "s3:DeleteBucketPolicy"
-	AbortMultipartUploadAction             Action = "s3:AbortMultipartUpload"
-	ListMultipartUploadPartsAction         Action = "s3:ListMultipartUploadParts"
-	ListBucketMultipartUploadsAction       Action = "s3:ListBucketMultipartUploads"
-	PutObjectAction                        Action = "s3:PutObject"
-	GetObjectAction                        Action = "s3:GetObject"
-	GetObjectVersionAction                 Action = "s3:GetObjectVersion"
-	DeleteObjectAction                     Action = "s3:DeleteObject"
-	GetObjectAclAction                     Action = "s3:GetObjectAcl"
-	GetObjectAttributesAction              Action = "s3:GetObjectAttributes"
-	PutObjectAclAction                     Action = "s3:PutObjectAcl"
-	RestoreObjectAction                    Action = "s3:RestoreObject"
-	GetBucketTaggingAction                 Action = "s3:GetBucketTagging"
-	PutBucketTaggingAction                 Action = "s3:PutBucketTagging"
-	GetObjectTaggingAction                 Action = "s3:GetObjectTagging"
-	PutObjectTaggingAction                 Action = "s3:PutObjectTagging"
-	DeleteObjectTaggingAction              Action = "s3:DeleteObjectTagging"
-	ListBucketVersionsAction               Action = "s3:ListBucketVersions"
-	ListBucketAction                       Action = "s3:ListBucket"
-	GetBucketObjectLockConfigurationAction Action = "s3:GetBucketObjectLockConfiguration"
-	PutBucketObjectLockConfigurationAction Action = "s3:PutBucketObjectLockConfiguration"
-	GetObjectLegalHoldAction               Action = "s3:GetObjectLegalHold"
-	PutObjectLegalHoldAction               Action = "s3:PutObjectLegalHold"
-	GetObjectRetentionAction               Action = "s3:GetObjectRetention"
-	PutObjectRetentionAction               Action = "s3:PutObjectRetention"
-	BypassGovernanceRetentionAction        Action = "s3:BypassGovernanceRetention"
-	PutBucketOwnershipControlsAction       Action = "s3:PutBucketOwnershipControls"
-	GetBucketOwnershipControlsAction       Action = "s3:GetBucketOwnershipControls"
-	PutBucketCorsAction                    Action = "s3:PutBucketCORS"
-	GetBucketCorsAction                    Action = "s3:GetBucketCORS"
-	AllActions                             Action = "s3:*"
+	GetBucketAclAction                       Action = "s3:GetBucketAcl"
+	CreateBucketAction                       Action = "s3:CreateBucket"
+	PutBucketAclAction                       Action = "s3:PutBucketAcl"
+	DeleteBucketAction                       Action = "s3:DeleteBucket"
+	PutBucketVersioningAction                Action = "s3:PutBucketVersioning"
+	GetBucketVersioningAction                Action = "s3:GetBucketVersioning"
+	PutBucketPolicyAction                    Action = "s3:PutBucketPolicy"
+	GetBucketPolicyAction                    Action = "s3:GetBucketPolicy"
+	DeleteBucketPolicyAction                 Action = "s3:DeleteBucketPolicy"
+	AbortMultipartUploadAction               Action = "s3:AbortMultipartUpload"
+	ListMultipartUploadPartsAction           Action = "s3:ListMultipartUploadParts"
+	ListBucketMultipartUploadsAction         Action = "s3:ListBucketMultipartUploads"
+	PutObjectAction                          Action = "s3:PutObject"
+	GetObjectAction                          Action = "s3:GetObject"
+	GetObjectVersionAction                   Action = "s3:GetObjectVersion"
+	DeleteObjectAction                       Action = "s3:DeleteObject"
+	DeleteObjectVersionAction                Action = "s3:DeleteObjectVersion"
+	GetObjectAclAction                       Action = "s3:GetObjectAcl"
+	GetObjectAttributesAction                Action = "s3:GetObjectAttributes"
+	GetObjectVersionAttributesAction         Action = "s3:GetObjectVersionAttributes"
+	PutObjectAclAction                       Action = "s3:PutObjectAcl"
+	RestoreObjectAction                      Action = "s3:RestoreObject"
+	GetBucketTaggingAction                   Action = "s3:GetBucketTagging"
+	PutBucketTaggingAction                   Action = "s3:PutBucketTagging"
+	GetObjectTaggingAction                   Action = "s3:GetObjectTagging"
+	GetObjectVersionTaggingAction            Action = "s3:GetObjectVersionTagging"
+	PutObjectTaggingAction                   Action = "s3:PutObjectTagging"
+	PutObjectVersionTaggingAction            Action = "s3:PutObjectVersionTagging"
+	DeleteObjectTaggingAction                Action = "s3:DeleteObjectTagging"
+	DeleteObjectVersionTaggingAction         Action = "s3:DeleteObjectVersionTagging"
+	ListBucketVersionsAction                 Action = "s3:ListBucketVersions"
+	ListBucketAction                         Action = "s3:ListBucket"
+	GetBucketObjectLockConfigurationAction   Action = "s3:GetBucketObjectLockConfiguration"
+	PutBucketObjectLockConfigurationAction   Action = "s3:PutBucketObjectLockConfiguration"
+	GetObjectLegalHoldAction                 Action = "s3:GetObjectLegalHold"
+	PutObjectLegalHoldAction                 Action = "s3:PutObjectLegalHold"
+	GetObjectRetentionAction                 Action = "s3:GetObjectRetention"
+	PutObjectRetentionAction                 Action = "s3:PutObjectRetention"
+	BypassGovernanceRetentionAction          Action = "s3:BypassGovernanceRetention"
+	PutBucketOwnershipControlsAction         Action = "s3:PutBucketOwnershipControls"
+	GetBucketOwnershipControlsAction         Action = "s3:GetBucketOwnershipControls"
+	PutBucketCorsAction                      Action = "s3:PutBucketCORS"
+	GetBucketCorsAction                      Action = "s3:GetBucketCORS"
+	PutAnalyticsConfigurationAction          Action = "s3:PutAnalyticsConfiguration"
+	GetAnalyticsConfigurationAction          Action = "s3:GetAnalyticsConfiguration"
+	PutEncryptionConfigurationAction         Action = "s3:PutEncryptionConfiguration"
+	GetEncryptionConfigurationAction         Action = "s3:GetEncryptionConfiguration"
+	PutIntelligentTieringConfigurationAction Action = "s3:PutIntelligentTieringConfiguration"
+	GetIntelligentTieringConfigurationAction Action = "s3:GetIntelligentTieringConfiguration"
+	PutInventoryConfigurationAction          Action = "s3:PutInventoryConfiguration"
+	GetInventoryConfigurationAction          Action = "s3:GetInventoryConfiguration"
+	PutLifecycleConfigurationAction          Action = "s3:PutLifecycleConfiguration"
+	GetLifecycleConfigurationAction          Action = "s3:GetLifecycleConfiguration"
+	PutBucketLoggingAction                   Action = "s3:PutBucketLogging"
+	GetBucketLoggingAction                   Action = "s3:GetBucketLogging"
+	PutBucketRequestPaymentAction            Action = "s3:PutBucketRequestPayment"
+	GetBucketRequestPaymentAction            Action = "s3:GetBucketRequestPayment"
+	PutMetricsConfigurationAction            Action = "s3:PutMetricsConfiguration"
+	GetMetricsConfigurationAction            Action = "s3:GetMetricsConfiguration"
+	PutReplicationConfigurationAction        Action = "s3:PutReplicationConfiguration"
+	GetReplicationConfigurationAction        Action = "s3:GetReplicationConfiguration"
+	PutBucketPublicAccessBlockAction         Action = "s3:PutBucketPublicAccessBlock"
+	GetBucketPublicAccessBlockAction         Action = "s3:GetBucketPublicAccessBlock"
+	PutBucketNotificationAction              Action = "s3:PutBucketNotification"
+	GetBucketNotificationAction              Action = "s3:GetBucketNotification"
+	PutAccelerateConfigurationAction         Action = "s3:PutAccelerateConfiguration"
+	GetAccelerateConfigurationAction         Action = "s3:GetAccelerateConfiguration"
+	PutBucketWebsiteAction                   Action = "s3:PutBucketWebsite"
+	GetBucketWebsiteAction                   Action = "s3:GetBucketWebsite"
+	GetBucketPolicyStatusAction              Action = "s3:GetBucketPolicyStatus"
+	GetBucketLocationAction                  Action = "s3:GetBucketLocation"
+
+	AllActions Action = "s3:*"
 )

 var supportedActionList = map[Action]struct{}{
-	GetBucketAclAction:                     {},
-	CreateBucketAction:                     {},
-	PutBucketAclAction:                     {},
-	DeleteBucketAction:                     {},
-	PutBucketVersioningAction:              {},
-	GetBucketVersioningAction:              {},
-	PutBucketPolicyAction:                  {},
-	GetBucketPolicyAction:                  {},
-	DeleteBucketPolicyAction:               {},
-	AbortMultipartUploadAction:             {},
-	ListMultipartUploadPartsAction:         {},
-	ListBucketMultipartUploadsAction:       {},
-	PutObjectAction:                        {},
-	GetObjectAction:                        {},
-	GetObjectVersionAction:                 {},
-	DeleteObjectAction:                     {},
-	GetObjectAclAction:                     {},
-	GetObjectAttributesAction:              {},
-	PutObjectAclAction:                     {},
-	RestoreObjectAction:                    {},
-	GetBucketTaggingAction:                 {},
-	PutBucketTaggingAction:                 {},
-	GetObjectTaggingAction:                 {},
-	PutObjectTaggingAction:                 {},
-	DeleteObjectTaggingAction:              {},
-	ListBucketVersionsAction:               {},
-	ListBucketAction:                       {},
-	PutBucketObjectLockConfigurationAction: {},
-	GetObjectLegalHoldAction:               {},
-	PutObjectLegalHoldAction:               {},
-	GetObjectRetentionAction:               {},
-	PutObjectRetentionAction:               {},
-	BypassGovernanceRetentionAction:        {},
-	PutBucketOwnershipControlsAction:       {},
-	GetBucketOwnershipControlsAction:       {},
-	PutBucketCorsAction:                    {},
-	GetBucketCorsAction:                    {},
-	AllActions:                             {},
+	GetBucketAclAction:                       {},
+	CreateBucketAction:                       {},
+	PutBucketAclAction:                       {},
+	DeleteBucketAction:                       {},
+	PutBucketVersioningAction:                {},
+	GetBucketVersioningAction:                {},
+	PutBucketPolicyAction:                    {},
+	GetBucketPolicyAction:                    {},
+	DeleteBucketPolicyAction:                 {},
+	AbortMultipartUploadAction:               {},
+	ListMultipartUploadPartsAction:           {},
+	ListBucketMultipartUploadsAction:         {},
+	PutObjectAction:                          {},
+	GetObjectAction:                          {},
+	GetObjectVersionAction:                   {},
+	DeleteObjectAction:                       {},
+	DeleteObjectVersionAction:                {},
+	GetObjectAclAction:                       {},
+	GetObjectAttributesAction:                {},
+	GetObjectVersionAttributesAction:         {},
+	PutObjectAclAction:                       {},
+	RestoreObjectAction:                      {},
+	GetBucketTaggingAction:                   {},
+	PutBucketTaggingAction:                   {},
+	GetObjectTaggingAction:                   {},
+	GetObjectVersionTaggingAction:            {},
+	PutObjectTaggingAction:                   {},
+	PutObjectVersionTaggingAction:            {},
+	DeleteObjectTaggingAction:                {},
+	DeleteObjectVersionTaggingAction:         {},
+	ListBucketVersionsAction:                 {},
+	ListBucketAction:                         {},
+	GetBucketObjectLockConfigurationAction:   {},
+	PutBucketObjectLockConfigurationAction:   {},
+	GetObjectLegalHoldAction:                 {},
+	PutObjectLegalHoldAction:                 {},
+	GetObjectRetentionAction:                 {},
+	PutObjectRetentionAction:                 {},
+	BypassGovernanceRetentionAction:          {},
+	PutBucketOwnershipControlsAction:         {},
+	GetBucketOwnershipControlsAction:         {},
+	PutBucketCorsAction:                      {},
+	GetBucketCorsAction:                      {},
+	PutAnalyticsConfigurationAction:          {},
+	GetAnalyticsConfigurationAction:          {},
+	PutEncryptionConfigurationAction:         {},
+	GetEncryptionConfigurationAction:         {},
+	PutIntelligentTieringConfigurationAction: {},
+	GetIntelligentTieringConfigurationAction: {},
+	PutInventoryConfigurationAction:          {},
+	GetInventoryConfigurationAction:          {},
+	PutLifecycleConfigurationAction:          {},
+	GetLifecycleConfigurationAction:          {},
+	PutBucketLoggingAction:                   {},
+	GetBucketLoggingAction:                   {},
+	PutBucketRequestPaymentAction:            {},
+	GetBucketRequestPaymentAction:            {},
+	PutMetricsConfigurationAction:            {},
+	GetMetricsConfigurationAction:            {},
+	PutReplicationConfigurationAction:        {},
+	GetReplicationConfigurationAction:        {},
+	PutBucketPublicAccessBlockAction:         {},
+	GetBucketPublicAccessBlockAction:         {},
+	PutBucketNotificationAction:              {},
+	GetBucketNotificationAction:              {},
+	PutAccelerateConfigurationAction:         {},
+	GetAccelerateConfigurationAction:         {},
+	PutBucketWebsiteAction:                   {},
+	GetBucketWebsiteAction:                   {},
+	GetBucketPolicyStatusAction:              {},
+	GetBucketLocationAction:                  {},
+	AllActions:                               {},
 }

 var supportedObjectActionList = map[Action]struct{}{
-	AbortMultipartUploadAction:      {},
-	ListMultipartUploadPartsAction:  {},
-	PutObjectAction:                 {},
-	GetObjectAction:                 {},
-	GetObjectVersionAction:          {},
-	DeleteObjectAction:              {},
-	GetObjectAclAction:              {},
-	GetObjectAttributesAction:       {},
-	PutObjectAclAction:              {},
-	RestoreObjectAction:             {},
-	GetObjectTaggingAction:          {},
-	PutObjectTaggingAction:          {},
-	DeleteObjectTaggingAction:       {},
-	GetObjectLegalHoldAction:        {},
-	PutObjectLegalHoldAction:        {},
-	GetObjectRetentionAction:        {},
-	PutObjectRetentionAction:        {},
-	BypassGovernanceRetentionAction: {},
-	AllActions:                      {},
+	AbortMultipartUploadAction:       {},
+	ListMultipartUploadPartsAction:   {},
+	PutObjectAction:                  {},
+	GetObjectAction:                  {},
+	GetObjectVersionAction:           {},
+	DeleteObjectAction:               {},
+	DeleteObjectVersionAction:        {},
+	GetObjectAclAction:               {},
+	GetObjectAttributesAction:        {},
+	GetObjectVersionAttributesAction: {},
+	PutObjectAclAction:               {},
+	RestoreObjectAction:              {},
+	GetObjectTaggingAction:           {},
+	GetObjectVersionTaggingAction:    {},
+	PutObjectTaggingAction:           {},
+	PutObjectVersionTaggingAction:    {},
+	DeleteObjectTaggingAction:        {},
+	DeleteObjectVersionTaggingAction: {},
+	GetObjectLegalHoldAction:         {},
+	PutObjectLegalHoldAction:         {},
+	GetObjectRetentionAction:         {},
+	PutObjectRetentionAction:         {},
+	BypassGovernanceRetentionAction:  {},
+	AllActions:                       {},
 }

 // Validates Action: it should either wildcard match with supported actions list or be in it
@@ -136,55 +209,54 @@ func (a Action) IsValid() error {
 		return nil
 	}

-	if a[len(a)-1] == '*' {
-		pattern := strings.TrimSuffix(string(a), "*")
-		for act := range supportedActionList {
-			if strings.HasPrefix(string(act), pattern) {
-				return nil
-			}
+	// first check for an exact match
+	if _, ok := supportedActionList[a]; ok {
+		return nil
+	}
+
+	// walk through the supported actions and try wildcard match
+	for action := range supportedActionList {
+		if action.Match(a) {
+			return nil
 		}
-
-		return policyErrInvalidAction
 	}

-	_, found := supportedActionList[a]
-	if !found {
-		return policyErrInvalidAction
-	}
-	return nil
+	return policyErrInvalidAction
 }

 func getBoolPtr(bl bool) *bool {
 	return &bl
 }

+// String converts the action to string
+func (a Action) String() string {
+	return string(a)
+}
+
+// Match wildcard matches the given pattern to the action
+func (a Action) Match(pattern Action) bool {
+	return matchPattern(pattern.String(), a.String())
+}
+
 // Checks if the action is object action
 // nil points to 's3:*'
 func (a Action) IsObjectAction() *bool {
 	if a == AllActions {
 		return nil
 	}
-	if a[len(a)-1] == '*' {
-		pattern := strings.TrimSuffix(string(a), "*")
-		for act := range supportedObjectActionList {
-			if strings.HasPrefix(string(act), pattern) {
-				return getBoolPtr(true)
-			}
+
+	// first find an exact match
+	if _, ok := supportedObjectActionList[a]; ok {
+		return &ok
+	}
+
+	for action := range supportedObjectActionList {
+		if action.Match(a) {
+			return getBoolPtr(true)
 		}
-
-		return getBoolPtr(false)
 	}

-	_, found := supportedObjectActionList[a]
-	return &found
-}
-
-func (a Action) WildCardMatch(act Action) bool {
-	if strings.HasSuffix(string(a), "*") {
-		pattern := strings.TrimSuffix(string(a), "*")
-		return strings.HasPrefix(string(act), pattern)
-	}
-	return false
+	return getBoolPtr(false)
 }

 type Actions map[Action]struct{}
@@ -233,6 +305,7 @@ func (a Actions) Add(str string) error {
 	return nil
 }

+// FindMatch tries to match the given action to the actions list
 func (a Actions) FindMatch(action Action) bool {
 	_, ok := a[AllActions]
 	if ok {
@@ -244,8 +317,9 @@ func (a Actions) FindMatch(action Action) bool {
 		return true
 	}

+	// search for a wildcard match
 	for act := range a {
-		if strings.HasSuffix(string(act), "*") && act.WildCardMatch(action) {
+		if action.Match(act) {
 			return true
 		}
 	}
--- a/auth/bucket_policy_actions_test.go
+++ b/auth/bucket_policy_actions_test.go
@@ -0,0 +1,175 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAction_IsValid(t *testing.T) {
+	tests := []struct {
+		name    string
+		action  Action
+		wantErr bool
+	}{
+		{"valid exact action", GetObjectAction, false},
+		{"valid all actions", AllActions, false},
+		{"invalid prefix", "invalid:Action", true},
+		{"unsupported action 1", "s3:Unsupported", true},
+		{"unsupported action 2", "s3:HeadObject", true},
+		{"valid wildcard match 1", "s3:Get*", false},
+		{"valid wildcard match 2", "s3:*Object*", false},
+		{"valid wildcard match 3", "s3:*Multipart*", false},
+		{"any char match 1", "s3:Get?bject", false},
+		{"any char match 2", "s3:Get??bject", true},
+		{"any char match 3", "s3:???", true},
+		{"mixed match 1", "s3:Get?*", false},
+		{"mixed match 2", "s3:*Object?????", true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.action.IsValid()
+			if tt.wantErr {
+				assert.EqualValues(t, policyErrInvalidAction, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestAction_String(t *testing.T) {
+	a := Action("s3:TestAction")
+	assert.Equal(t, "s3:TestAction", a.String())
+}
+
+func TestAction_Match(t *testing.T) {
+	tests := []struct {
+		name    string
+		action  Action
+		pattern Action
+		want    bool
+	}{
+		{"exact match", "s3:GetObject", "s3:GetObject", true},
+		{"wildcard match", "s3:GetObject", "s3:Get*", true},
+		{"wildcard mismatch", "s3:PutObject", "s3:Get*", false},
+		{"any character match", "s3:Get1", "s3:Get?", true},
+		{"any character mismatch", "s3:Get12", "s3:Get?", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.action.Match(tt.pattern)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestAction_IsObjectAction(t *testing.T) {
+	tests := []struct {
+		name   string
+		action Action
+		want   *bool
+	}{
+		{"all actions", AllActions, nil},
+		{"object action exact", GetObjectAction, getBoolPtr(true)},
+		{"object action wildcard", "s3:Get*", getBoolPtr(true)},
+		{"non object action", GetBucketAclAction, getBoolPtr(false)},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.action.IsObjectAction()
+			if tt.want == nil {
+				assert.Nil(t, got)
+			} else {
+				assert.NotNil(t, got)
+				assert.Equal(t, *tt.want, *got)
+			}
+		})
+	}
+}
+
+func TestActions_UnmarshalJSON(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		wantErr bool
+	}{
+		{"valid slice", `["s3:GetObject","s3:PutObject"]`, false},
+		{"empty slice", `[]`, true},
+		{"invalid action in slice", `["s3:Invalid"]`, true},
+		{"valid string", `"s3:GetObject"`, false},
+		{"empty string", `""`, true},
+		{"invalid string", `"s3:Invalid"`, true},
+		{"invalid json", `{}`, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var a Actions
+			err := json.Unmarshal([]byte(tt.input), &a)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestActions_Add(t *testing.T) {
+	tests := []struct {
+		name    string
+		action  string
+		wantErr bool
+	}{
+		{"valid add", "s3:GetObject", false},
+		{"invalid add", "s3:InvalidAction", true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := make(Actions)
+			err := a.Add(tt.action)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				_, ok := a[Action(tt.action)]
+				assert.True(t, ok)
+			}
+		})
+	}
+}
+
+func TestActions_FindMatch(t *testing.T) {
+	tests := []struct {
+		name    string
+		actions Actions
+		check   Action
+		want    bool
+	}{
+		{"all actions present", Actions{AllActions: {}}, GetObjectAction, true},
+		{"exact match", Actions{GetObjectAction: {}}, GetObjectAction, true},
+		{"wildcard match", Actions{"s3:Get*": {}}, GetObjectAction, true},
+		{"no match", Actions{"s3:Put*": {}}, GetObjectAction, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.actions.FindMatch(tt.check)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/auth/bucket_policy_effect_test.go
+++ b/auth/bucket_policy_effect_test.go
@@ -0,0 +1,57 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBucketPolicyAccessType_Validate(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   BucketPolicyAccessType
+		wantErr bool
+		errMsg  string
+	}{
+		{
+			name:    "valid allow",
+			input:   BucketPolicyAccessTypeAllow,
+			wantErr: false,
+		},
+		{
+			name:    "valid deny",
+			input:   BucketPolicyAccessTypeDeny,
+			wantErr: false,
+		},
+		{
+			name:    "invalid type",
+			input:   BucketPolicyAccessType("InvalidValue"),
+			wantErr: true,
+			errMsg:  "Invalid effect: InvalidValue",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.input.Validate()
+			if tt.wantErr {
+				assert.EqualError(t, err, tt.errMsg)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
--- a/auth/bucket_policy_principals.go
+++ b/auth/bucket_policy_principals.go
@@ -121,3 +121,10 @@ func (p Principals) Contains(userAccess string) bool {
 	_, found := p[userAccess]
 	return found
 }
+
+// Bucket policy grants public access, if it contains
+// a wildcard match to all the users
+func (p Principals) isPublic() bool {
+	_, ok := p["*"]
+	return ok
+}
--- a/auth/bucket_policy_principals_test.go
+++ b/auth/bucket_policy_principals_test.go
@@ -0,0 +1,106 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPrincipals_Add(t *testing.T) {
+	p := make(Principals)
+	p.Add("user1")
+	_, ok := p["user1"]
+	assert.True(t, ok)
+}
+
+func TestPrincipals_UnmarshalJSON(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		want    Principals
+		wantErr bool
+	}{
+		{"valid slice", `["user1","user2"]`, Principals{"user1": {}, "user2": {}}, false},
+		{"empty slice", `[]`, nil, true},
+		{"valid string", `"user1"`, Principals{"user1": {}}, false},
+		{"empty string", `""`, nil, true},
+		{"valid AWS object", `{"AWS":"user1"}`, Principals{"user1": {}}, false},
+		{"empty AWS object", `{"AWS":""}`, nil, true},
+		{"valid AWS array", `{"AWS":["user1","user2"]}`, Principals{"user1": {}, "user2": {}}, false},
+		{"empty AWS array", `{"AWS":[]}`, nil, true},
+		{"invalid json", `{invalid}`, nil, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var p Principals
+			err := json.Unmarshal([]byte(tt.input), &p)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.want, p)
+			}
+		})
+	}
+}
+
+func TestPrincipals_ToSlice(t *testing.T) {
+	p := Principals{"user1": {}, "user2": {}, "*": {}}
+	got := p.ToSlice()
+	assert.Contains(t, got, "user1")
+	assert.Contains(t, got, "user2")
+	assert.NotContains(t, got, "*")
+}
+
+func TestPrincipals_Validate(t *testing.T) {
+	iamSingle := NewIAMServiceSingle(Account{
+		Access: "user1",
+	})
+	tests := []struct {
+		name       string
+		principals Principals
+		mockIAM    IAMService
+		err        error
+	}{
+		{"only wildcard", Principals{"*": {}}, iamSingle, nil},
+		{"wildcard and user", Principals{"*": {}, "user1": {}}, iamSingle, policyErrInvalidPrincipal},
+		{"accounts exist returns err", Principals{"user2": {}, "user3": {}}, iamSingle, policyErrInvalidPrincipal},
+		{"accounts exist non-empty", Principals{"user1": {}}, iamSingle, nil},
+		{"accounts valid", Principals{"user1": {}}, iamSingle, nil},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.principals.Validate(tt.mockIAM)
+			assert.EqualValues(t, tt.err, err)
+		})
+	}
+}
+
+func TestPrincipals_Contains(t *testing.T) {
+	p := Principals{"user1": {}}
+	assert.True(t, p.Contains("user1"))
+	assert.False(t, p.Contains("user2"))
+
+	p = Principals{"*": {}}
+	assert.True(t, p.Contains("anyuser"))
+}
+
+func TestPrincipals_isPublic(t *testing.T) {
+	assert.True(t, Principals{"*": {}}.isPublic())
+	assert.False(t, Principals{"user1": {}}.isPublic())
+}
--- a/auth/bucket_policy_resources.go
+++ b/auth/bucket_policy_resources.go
@@ -110,35 +110,9 @@ func (r Resources) FindMatch(resource string) bool {
 	return false
 }

-// Match checks if the input string matches the given pattern with wildcards (`*`, `?`).
-// - `?` matches exactly one occurrence of any character.
-// - `*` matches arbitrary many (including zero) occurrences of any character.
+// Match matches the given input resource with the pattern
 func (r Resources) Match(pattern, input string) bool {
-	pIdx, sIdx := 0, 0
-	starIdx, matchIdx := -1, 0
-
-	for sIdx < len(input) {
-		if pIdx < len(pattern) && (pattern[pIdx] == '?' || pattern[pIdx] == input[sIdx]) {
-			sIdx++
-			pIdx++
-		} else if pIdx < len(pattern) && pattern[pIdx] == '*' {
-			starIdx = pIdx
-			matchIdx = sIdx
-			pIdx++
-		} else if starIdx != -1 {
-			pIdx = starIdx + 1
-			matchIdx++
-			sIdx = matchIdx
-		} else {
-			return false
-		}
-	}
-
-	for pIdx < len(pattern) && pattern[pIdx] == '*' {
-		pIdx++
-	}
-
-	return pIdx == len(pattern)
+	return matchPattern(pattern, input)
 }

 // Checks the resource to have arn prefix and not starting with /
--- a/auth/bucket_policy_version.go
+++ b/auth/bucket_policy_version.go
@@ -0,0 +1,32 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+type PolicyVersion string
+
+const (
+	PolicyVersion2008 PolicyVersion = "2008-10-17"
+	PolicyVersion2012 PolicyVersion = "2012-10-17"
+)
+
+// isValid checks if the policy version is valid or not
+func (pv PolicyVersion) isValid() bool {
+	switch pv {
+	case PolicyVersion2008, PolicyVersion2012:
+		return true
+	default:
+		return false
+	}
+}
--- a/auth/bucket_policy_version_test.go
+++ b/auth/bucket_policy_version_test.go
@@ -0,0 +1,54 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPolicyVersion_isValid(t *testing.T) {
+	tests := []struct {
+		name  string // description of this test case
+		value string
+		want  bool
+	}{
+		{"valid 2008", "2008-10-17", true},
+		{"valid 2012", "2012-10-17", true},
+		{"invalid empty", "", false},
+		{"invalid 1", "invalid", false},
+		{"invalid 2", "2010-10-17", false},
+		{"invalid 3", "2006-00-12", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := PolicyVersion(tt.value).isValid()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/auth/iam.go
+++ b/auth/iam.go
@@ -45,11 +45,12 @@ func (r Role) IsValid() bool {

 // Account is a gateway IAM account
 type Account struct {
-	Access  string `json:"access"`
-	Secret  string `json:"secret"`
-	Role    Role   `json:"role"`
-	UserID  int    `json:"userID"`
-	GroupID int    `json:"groupID"`
+	Access    string `json:"access"`
+	Secret    string `json:"secret"`
+	Role      Role   `json:"role"`
+	UserID    int    `json:"userID"`
+	GroupID   int    `json:"groupID"`
+	ProjectID int    `json:"projectID"`
 }

 type ListUserAccountsResult struct {
@@ -58,10 +59,11 @@ type ListUserAccountsResult struct {

 // Mutable props, which could be changed when updating an IAM account
 type MutableProps struct {
-	Secret  *string `json:"secret"`
-	Role    Role    `json:"role"`
-	UserID  *int    `json:"userID"`
-	GroupID *int    `json:"groupID"`
+	Secret    *string `json:"secret"`
+	Role      Role    `json:"role"`
+	UserID    *int    `json:"userID"`
+	GroupID   *int    `json:"groupID"`
+	ProjectID *int    `json:"projectID"`
 }

 func (m MutableProps) Validate() error {
@@ -82,6 +84,9 @@ func updateAcc(acc *Account, props MutableProps) {
 	if props.UserID != nil {
 		acc.UserID = *props.UserID
 	}
+	if props.ProjectID != nil {
+		acc.ProjectID = *props.ProjectID
+	}
 	if props.Role != "" {
 		acc.Role = props.Role
 	}
@@ -107,43 +112,47 @@ var (
 )

 type Opts struct {
-	RootAccount            Account
-	Dir                    string
-	LDAPServerURL          string
-	LDAPBindDN             string
-	LDAPPassword           string
-	LDAPQueryBase          string
-	LDAPObjClasses         string
-	LDAPAccessAtr          string
-	LDAPSecretAtr          string
-	LDAPRoleAtr            string
-	LDAPUserIdAtr          string
-	LDAPGroupIdAtr         string
-	VaultEndpointURL       string
-	VaultSecretStoragePath string
-	VaultMountPath         string
-	VaultRootToken         string
-	VaultRoleId            string
-	VaultRoleSecret        string
-	VaultServerCert        string
-	VaultClientCert        string
-	VaultClientCertKey     string
-	S3Access               string
-	S3Secret               string
-	S3Region               string
-	S3Bucket               string
-	S3Endpoint             string
-	S3DisableSSlVerfiy     bool
-	S3Debug                bool
-	CacheDisable           bool
-	CacheTTL               int
-	CachePrune             int
-	IpaHost                string
-	IpaVaultName           string
-	IpaUser                string
-	IpaPassword            string
-	IpaInsecure            bool
-	IpaDebug               bool
+	RootAccount                 Account
+	Dir                         string
+	LDAPServerURL               string
+	LDAPBindDN                  string
+	LDAPPassword                string
+	LDAPQueryBase               string
+	LDAPObjClasses              string
+	LDAPAccessAtr               string
+	LDAPSecretAtr               string
+	LDAPRoleAtr                 string
+	LDAPUserIdAtr               string
+	LDAPGroupIdAtr              string
+	LDAPProjectIdAtr            string
+	LDAPTLSSkipVerify           bool
+	VaultEndpointURL            string
+	VaultNamespace              string
+	VaultSecretStoragePath      string
+	VaultSecretStorageNamespace string
+	VaultAuthMethod             string
+	VaultAuthNamespace          string
+	VaultMountPath              string
+	VaultRootToken              string
+	VaultRoleId                 string
+	VaultRoleSecret             string
+	VaultServerCert             string
+	VaultClientCert             string
+	VaultClientCertKey          string
+	S3Access                    string
+	S3Secret                    string
+	S3Region                    string
+	S3Bucket                    string
+	S3Endpoint                  string
+	S3DisableSSlVerfiy          bool
+	CacheDisable                bool
+	CacheTTL                    int
+	CachePrune                  int
+	IpaHost                     string
+	IpaVaultName                string
+	IpaUser                     string
+	IpaPassword                 string
+	IpaInsecure                 bool
 }

 func New(o *Opts) (IAMService, error) {
@@ -157,20 +166,20 @@ func New(o *Opts) (IAMService, error) {
 	case o.LDAPServerURL != "":
 		svc, err = NewLDAPService(o.RootAccount, o.LDAPServerURL, o.LDAPBindDN, o.LDAPPassword,
 			o.LDAPQueryBase, o.LDAPAccessAtr, o.LDAPSecretAtr, o.LDAPRoleAtr, o.LDAPUserIdAtr,
-			o.LDAPGroupIdAtr, o.LDAPObjClasses)
+			o.LDAPGroupIdAtr, o.LDAPProjectIdAtr, o.LDAPObjClasses, o.LDAPTLSSkipVerify)
 		fmt.Printf("initializing LDAP IAM with %q\n", o.LDAPServerURL)
 	case o.S3Endpoint != "":
 		svc, err = NewS3(o.RootAccount, o.S3Access, o.S3Secret, o.S3Region, o.S3Bucket,
-			o.S3Endpoint, o.S3DisableSSlVerfiy, o.S3Debug)
+			o.S3Endpoint, o.S3DisableSSlVerfiy)
 		fmt.Printf("initializing S3 IAM with '%v/%v'\n",
 			o.S3Endpoint, o.S3Bucket)
 	case o.VaultEndpointURL != "":
-		svc, err = NewVaultIAMService(o.RootAccount, o.VaultEndpointURL, o.VaultSecretStoragePath,
-			o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret,
+		svc, err = NewVaultIAMService(o.RootAccount, o.VaultEndpointURL, o.VaultNamespace, o.VaultSecretStoragePath, o.VaultSecretStorageNamespace,
+			o.VaultAuthMethod, o.VaultAuthNamespace, o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret,
 			o.VaultServerCert, o.VaultClientCert, o.VaultClientCertKey)
 		fmt.Printf("initializing Vault IAM with %q\n", o.VaultEndpointURL)
 	case o.IpaHost != "":
-		svc, err = NewIpaIAMService(o.RootAccount, o.IpaHost, o.IpaVaultName, o.IpaUser, o.IpaPassword, o.IpaInsecure, o.IpaDebug)
+		svc, err = NewIpaIAMService(o.RootAccount, o.IpaHost, o.IpaVaultName, o.IpaUser, o.IpaPassword, o.IpaInsecure)
 		fmt.Printf("initializing IPA IAM with %q\n", o.IpaHost)
 	default:
 		// if no iam options selected, default to the single user mode
--- a/auth/iam_internal.go
+++ b/auth/iam_internal.go
@@ -194,11 +194,12 @@ func (s *IAMServiceInternal) ListUserAccounts() ([]Account, error) {
 	var accs []Account
 	for _, k := range keys {
 		accs = append(accs, Account{
-			Access:  k,
-			Secret:  conf.AccessAccounts[k].Secret,
-			Role:    conf.AccessAccounts[k].Role,
-			UserID:  conf.AccessAccounts[k].UserID,
-			GroupID: conf.AccessAccounts[k].GroupID,
+			Access:    k,
+			Secret:    conf.AccessAccounts[k].Secret,
+			Role:      conf.AccessAccounts[k].Role,
+			UserID:    conf.AccessAccounts[k].UserID,
+			GroupID:   conf.AccessAccounts[k].GroupID,
+			ProjectID: conf.AccessAccounts[k].ProjectID,
 		})
 	}

--- a/auth/iam_ipa.go
+++ b/auth/iam_ipa.go
@@ -26,13 +26,17 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
+	"net"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
 	"slices"
 	"strconv"
 	"strings"
+	"syscall"
+	"time"
+
+	"github.com/versity/versitygw/debuglogger"
 )

 const IpaVersion = "2.254"
@@ -46,13 +50,12 @@ type IpaIAMService struct {
 	username        string
 	password        string
 	kraTransportKey *rsa.PublicKey
-	debug           bool
 	rootAcc         Account
 }

 var _ IAMService = &IpaIAMService{}

-func NewIpaIAMService(rootAcc Account, host, vaultName, username, password string, isInsecure, debug bool) (*IpaIAMService, error) {
+func NewIpaIAMService(rootAcc Account, host, vaultName, username, password string, isInsecure bool) (*IpaIAMService, error) {
 	ipa := IpaIAMService{
 		id:        0,
 		version:   IpaVersion,
@@ -60,7 +63,6 @@ func NewIpaIAMService(rootAcc Account, host, vaultName, username, password strin
 		vaultName: vaultName,
 		username:  username,
 		password:  password,
-		debug:     debug,
 		rootAcc:   rootAcc,
 	}
 	jar, err := cookiejar.New(nil)
@@ -130,6 +132,7 @@ func (ipa *IpaIAMService) GetUserAccount(access string) (Account, error) {
 	userResult := struct {
 		Gidnumber []string
 		Uidnumber []string
+		PidNumber []string
 	}{}

 	err = ipa.rpc(req, &userResult)
@@ -137,20 +140,25 @@ func (ipa *IpaIAMService) GetUserAccount(access string) (Account, error) {
 		return Account{}, err
 	}

-	uid, err := strconv.Atoi(userResult.Uidnumber[0])
+	uid, err := parseToInt(userResult.Uidnumber, "userID")
 	if err != nil {
-		return Account{}, fmt.Errorf("ipa uid invalid: %w", err)
+		return Account{}, err
 	}
-	gid, err := strconv.Atoi(userResult.Gidnumber[0])
+	gid, err := parseToInt(userResult.Gidnumber, "groupID")
 	if err != nil {
-		return Account{}, fmt.Errorf("ipa gid invalid: %w", err)
+		return Account{}, err
+	}
+	pId, err := parseToInt(userResult.PidNumber, "projectID")
+	if err != nil {
+		return Account{}, err
 	}

 	account := Account{
-		Access:  access,
-		Role:    RoleUser,
-		UserID:  uid,
-		GroupID: gid,
+		Access:    access,
+		Role:      RoleUser,
+		UserID:    uid,
+		GroupID:   gid,
+		ProjectID: pId,
 	}

 	session_key := make([]byte, 16)
@@ -221,6 +229,8 @@ func (ipa *IpaIAMService) Shutdown() error {

 // Implementation

+const requestRetries = 3
+
 func (ipa *IpaIAMService) login() error {
 	form := url.Values{}
 	form.Set("user", ipa.username)
@@ -237,17 +247,33 @@ func (ipa *IpaIAMService) login() error {
 	req.Header.Set("referer", fmt.Sprintf("%s/ipa", ipa.host))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

-	resp, err := ipa.client.Do(req)
-	if err != nil {
-		return err
+	var resp *http.Response
+	for i := range requestRetries {
+		resp, err = ipa.client.Do(req)
+		if err == nil {
+			break
+		}
+		// Check for transient network errors
+		if isRetryable(err) {
+			time.Sleep(time.Second * time.Duration(i+1))
+			continue
+		}
+		return fmt.Errorf("login POST to %s failed: %w", req.URL, err)
 	}
+	if err != nil {
+		return fmt.Errorf("login POST to %s failed after retries: %w",
+			req.URL, err)
+	}
+
+	defer resp.Body.Close()

 	if resp.StatusCode == 401 {
 		return errors.New("cannot login to FreeIPA: invalid credentials")
 	}

 	if resp.StatusCode != 200 {
-		return fmt.Errorf("cannot login to FreeIPA: status code %d", resp.StatusCode)
+		return fmt.Errorf("cannot login to FreeIPA: status code %d",
+			resp.StatusCode)
 	}

 	return nil
@@ -290,17 +316,34 @@ func (ipa *IpaIAMService) rpcInternal(req rpcRequest) (rpcResponse, error) {
 		return rpcResponse{}, err
 	}

-	ipa.log(fmt.Sprintf("%v", req))
+	debuglogger.IAMLogf("IPA request: %v", req)
 	httpReq.Header.Set("referer", fmt.Sprintf("%s/ipa", ipa.host))
 	httpReq.Header.Set("Content-Type", "application/json")

-	httpResp, err := ipa.client.Do(httpReq)
+	var httpResp *http.Response
+	for i := range requestRetries {
+		httpResp, err = ipa.client.Do(httpReq)
+		if err == nil {
+			break
+		}
+		// Check for transient network errors
+		if isRetryable(err) {
+			time.Sleep(time.Second * time.Duration(i+1))
+			continue
+		}
+		return rpcResponse{}, fmt.Errorf("ipa request to %s failed: %w",
+			httpReq.URL, err)
+	}
 	if err != nil {
-		return rpcResponse{}, err
+		return rpcResponse{},
+			fmt.Errorf("ipa request to %s failed after retries: %w",
+				httpReq.URL, err)
 	}

+	defer httpResp.Body.Close()
+
 	bytes, err := io.ReadAll(httpResp.Body)
-	ipa.log(string(bytes))
+	debuglogger.IAMLogf("IPA response (%v): %v", err, string(bytes))
 	if err != nil {
 		return rpcResponse{}, err
 	}
@@ -333,6 +376,30 @@ func (ipa *IpaIAMService) rpcInternal(req rpcRequest) (rpcResponse, error) {
 	}, nil
 }

+func isRetryable(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	if errors.Is(err, io.EOF) {
+		return true
+	}
+
+	if err, ok := err.(net.Error); ok && err.Timeout() {
+		return true
+	}
+
+	if opErr, ok := err.(*net.OpError); ok {
+		if sysErr, ok := opErr.Err.(*syscall.Errno); ok {
+			if *sysErr == syscall.ECONNRESET {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 func (ipa *IpaIAMService) newRequest(method string, args []string, dict map[string]any) (rpcRequest, error) {

 	id := ipa.id
@@ -434,8 +501,19 @@ func (b *Base64Encoded) UnmarshalJSON(data []byte) error {
 	return err
 }

-func (ipa *IpaIAMService) log(msg string) {
-	if ipa.debug {
-		log.Println(msg)
+// parseToInt parses the first argument of input string slice
+// to an integer. If slice is empty, it defaults to 0
+func parseToInt(input []string, argName string) (int, error) {
+	if len(input) == 0 {
+		debuglogger.IAMLogf("empty %s slice: defaulting to 0", argName)
+		return 0, nil
 	}
+
+	id, err := strconv.Atoi(input[0])
+	if err != nil {
+		debuglogger.IAMLogf("failed to parse %s: %v", argName, err)
+		return 0, fmt.Errorf("invalid %s: %w", argName, err)
+	}
+
+	return id, nil
 }
--- a/auth/iam_ldap.go
+++ b/auth/iam_ldap.go
@@ -15,54 +15,124 @@
 package auth

 import (
+	"crypto/tls"
 	"fmt"
+	"net/url"
 	"strconv"
 	"strings"
+	"sync"

+	"github.com/davecgh/go-spew/spew"
 	"github.com/go-ldap/ldap/v3"
+	"github.com/versity/versitygw/debuglogger"
 )

 type LdapIAMService struct {
-	conn       *ldap.Conn
-	queryBase  string
-	objClasses []string
-	accessAtr  string
-	secretAtr  string
-	roleAtr    string
-	groupIdAtr string
-	userIdAtr  string
-	rootAcc    Account
+	conn          *ldap.Conn
+	queryBase     string
+	objClasses    []string
+	accessAtr     string
+	secretAtr     string
+	roleAtr       string
+	groupIdAtr    string
+	userIdAtr     string
+	projectIdAtr  string
+	rootAcc       Account
+	url           string
+	bindDN        string
+	pass          string
+	tlsSkipVerify bool
+	mu            sync.Mutex
 }

 var _ IAMService = &LdapIAMService{}

-func NewLDAPService(rootAcc Account, url, bindDN, pass, queryBase, accAtr, secAtr, roleAtr, userIdAtr, groupIdAtr, objClasses string) (IAMService, error) {
-	if url == "" || bindDN == "" || pass == "" || queryBase == "" || accAtr == "" ||
-		secAtr == "" || roleAtr == "" || userIdAtr == "" || groupIdAtr == "" || objClasses == "" {
+func NewLDAPService(rootAcc Account, ldapURL, bindDN, pass, queryBase, accAtr, secAtr, roleAtr, userIdAtr, groupIdAtr, projectIdAtr, objClasses string, tlsSkipVerify bool) (IAMService, error) {
+	if ldapURL == "" || bindDN == "" || pass == "" || queryBase == "" || accAtr == "" ||
+		secAtr == "" || roleAtr == "" || userIdAtr == "" || groupIdAtr == "" || projectIdAtr == "" || objClasses == "" {
 		return nil, fmt.Errorf("required parameters list not fully provided")
 	}
-	conn, err := ldap.DialURL(url)
+
+	conn, err := dialLDAP(ldapURL, tlsSkipVerify)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to LDAP server: %w", err)
 	}

 	err = conn.Bind(bindDN, pass)
 	if err != nil {
+		conn.Close()
 		return nil, fmt.Errorf("failed to bind to LDAP server %w", err)
 	}
 	return &LdapIAMService{
-		conn:       conn,
-		queryBase:  queryBase,
-		objClasses: strings.Split(objClasses, ","),
-		accessAtr:  accAtr,
-		secretAtr:  secAtr,
-		roleAtr:    roleAtr,
-		userIdAtr:  userIdAtr,
-		groupIdAtr: groupIdAtr,
-		rootAcc:    rootAcc,
+		conn:          conn,
+		queryBase:     queryBase,
+		objClasses:    strings.Split(objClasses, ","),
+		accessAtr:     accAtr,
+		secretAtr:     secAtr,
+		roleAtr:       roleAtr,
+		userIdAtr:     userIdAtr,
+		groupIdAtr:    groupIdAtr,
+		projectIdAtr:  projectIdAtr,
+		rootAcc:       rootAcc,
+		url:           ldapURL,
+		bindDN:        bindDN,
+		pass:          pass,
+		tlsSkipVerify: tlsSkipVerify,
 	}, nil
 }

+// dialLDAP establishes an LDAP connection with optional TLS configuration
+func dialLDAP(ldapURL string, tlsSkipVerify bool) (*ldap.Conn, error) {
+	u, err := url.Parse(ldapURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid LDAP URL: %w", err)
+	}
+
+	// For ldaps:// URLs, use DialURL with custom TLS config if needed
+	if u.Scheme == "ldaps" && tlsSkipVerify {
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: tlsSkipVerify,
+		}
+		return ldap.DialURL(ldapURL, ldap.DialWithTLSConfig(tlsConfig))
+	}
+
+	// For ldap:// or when TLS verification is enabled, use standard DialURL
+	return ldap.DialURL(ldapURL)
+}
+
+func (ld *LdapIAMService) reconnect() error {
+	ld.conn.Close()
+
+	conn, err := dialLDAP(ld.url, ld.tlsSkipVerify)
+	if err != nil {
+		return fmt.Errorf("failed to reconnect to LDAP server: %w", err)
+	}
+
+	err = conn.Bind(ld.bindDN, ld.pass)
+	if err != nil {
+		conn.Close()
+		return fmt.Errorf("failed to bind to LDAP server on reconnect: %w", err)
+	}
+	ld.conn = conn
+	return nil
+}
+
+func (ld *LdapIAMService) execute(f func(*ldap.Conn) error) error {
+	ld.mu.Lock()
+	defer ld.mu.Unlock()
+
+	err := f(ld.conn)
+	if err != nil {
+		if e, ok := err.(*ldap.Error); ok && e.ResultCode == ldap.ErrorNetwork {
+			if reconnErr := ld.reconnect(); reconnErr != nil {
+				return reconnErr
+			}
+			return f(ld.conn)
+		}
+	}
+	return err
+}
+
 func (ld *LdapIAMService) CreateAccount(account Account) error {
 	if ld.rootAcc.Access == account.Access {
 		return ErrUserExists
@@ -74,8 +144,11 @@ func (ld *LdapIAMService) CreateAccount(account Account) error {
 	userEntry.Attribute(ld.roleAtr, []string{string(account.Role)})
 	userEntry.Attribute(ld.groupIdAtr, []string{fmt.Sprint(account.GroupID)})
 	userEntry.Attribute(ld.userIdAtr, []string{fmt.Sprint(account.UserID)})
+	userEntry.Attribute(ld.projectIdAtr, []string{fmt.Sprint(account.ProjectID)})

-	err := ld.conn.Add(userEntry)
+	err := ld.execute(func(c *ldap.Conn) error {
+		return c.Add(userEntry)
+	})
 	if err != nil {
 		return fmt.Errorf("error adding an entry: %w", err)
 	}
@@ -83,10 +156,22 @@ func (ld *LdapIAMService) CreateAccount(account Account) error {
 	return nil
 }

+func (ld *LdapIAMService) buildSearchFilter(access string) string {
+	var searchFilter strings.Builder
+	for _, el := range ld.objClasses {
+		searchFilter.WriteString(fmt.Sprintf("(objectClass=%v)", el))
+	}
+	if access != "" {
+		searchFilter.WriteString(fmt.Sprintf("(%v=%v)", ld.accessAtr, access))
+	}
+	return fmt.Sprintf("(&%v)", searchFilter.String())
+}
+
 func (ld *LdapIAMService) GetUserAccount(access string) (Account, error) {
 	if access == ld.rootAcc.Access {
 		return ld.rootAcc, nil
 	}
+	var result *ldap.SearchResult
 	searchRequest := ldap.NewSearchRequest(
 		ld.queryBase,
 		ldap.ScopeWholeSubtree,
@@ -94,12 +179,27 @@ func (ld *LdapIAMService) GetUserAccount(access string) (Account, error) {
 		0,
 		0,
 		false,
-		fmt.Sprintf("(%v=%v)", ld.accessAtr, access),
-		[]string{ld.accessAtr, ld.secretAtr, ld.roleAtr, ld.userIdAtr, ld.groupIdAtr},
+		ld.buildSearchFilter(access),
+		[]string{ld.accessAtr, ld.secretAtr, ld.roleAtr, ld.userIdAtr, ld.groupIdAtr, ld.projectIdAtr},
 		nil,
 	)

-	result, err := ld.conn.Search(searchRequest)
+	if debuglogger.IsIAMDebugEnabled() {
+		debuglogger.IAMLogf("LDAP Search Request")
+		debuglogger.IAMLogf(spew.Sdump(searchRequest))
+	}
+
+	err := ld.execute(func(c *ldap.Conn) error {
+		var err error
+		result, err = c.Search(searchRequest)
+		return err
+	})
+
+	if debuglogger.IsIAMDebugEnabled() {
+		debuglogger.IAMLogf("LDAP Search Result")
+		debuglogger.IAMLogf(spew.Sdump(result))
+	}
+
 	if err != nil {
 		return Account{}, err
 	}
@@ -119,12 +219,19 @@ func (ld *LdapIAMService) GetUserAccount(access string) (Account, error) {
 		return Account{}, fmt.Errorf("invalid entry value for user-id %q: %w",
 			entry.GetAttributeValue(ld.userIdAtr), err)
 	}
+	projectID, err := strconv.Atoi(entry.GetAttributeValue(ld.projectIdAtr))
+	if err != nil {
+		return Account{}, fmt.Errorf("invalid entry value for project-id %q: %w",
+			entry.GetAttributeValue(ld.projectIdAtr), err)
+	}
+
 	return Account{
-		Access:  entry.GetAttributeValue(ld.accessAtr),
-		Secret:  entry.GetAttributeValue(ld.secretAtr),
-		Role:    Role(entry.GetAttributeValue(ld.roleAtr)),
-		GroupID: groupId,
-		UserID:  userId,
+		Access:    entry.GetAttributeValue(ld.accessAtr),
+		Secret:    entry.GetAttributeValue(ld.secretAtr),
+		Role:      Role(entry.GetAttributeValue(ld.roleAtr)),
+		GroupID:   groupId,
+		UserID:    userId,
+		ProjectID: projectID,
 	}, nil
 }

@@ -139,11 +246,16 @@ func (ld *LdapIAMService) UpdateUserAccount(access string, props MutableProps) e
 	if props.UserID != nil {
 		req.Replace(ld.userIdAtr, []string{fmt.Sprint(*props.UserID)})
 	}
+	if props.ProjectID != nil {
+		req.Replace(ld.projectIdAtr, []string{fmt.Sprint(*props.ProjectID)})
+	}
 	if props.Role != "" {
 		req.Replace(ld.roleAtr, []string{string(props.Role)})
 	}

-	err := ld.conn.Modify(req)
+	err := ld.execute(func(c *ldap.Conn) error {
+		return c.Modify(req)
+	})
 	//TODO: Handle non existing user case
 	if err != nil {
 		return err
@@ -154,7 +266,9 @@ func (ld *LdapIAMService) UpdateUserAccount(access string, props MutableProps) e
 func (ld *LdapIAMService) DeleteUserAccount(access string) error {
 	delReq := ldap.NewDelRequest(fmt.Sprintf("%v=%v, %v", ld.accessAtr, access, ld.queryBase), nil)

-	err := ld.conn.Del(delReq)
+	err := ld.execute(func(c *ldap.Conn) error {
+		return c.Del(delReq)
+	})
 	if err != nil {
 		return err
 	}
@@ -163,10 +277,7 @@ func (ld *LdapIAMService) DeleteUserAccount(access string) error {
 }

 func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {
-	searchFilter := ""
-	for _, el := range ld.objClasses {
-		searchFilter += fmt.Sprintf("(objectClass=%v)", el)
-	}
+	var resp *ldap.SearchResult
 	searchRequest := ldap.NewSearchRequest(
 		ld.queryBase,
 		ldap.ScopeWholeSubtree,
@@ -174,12 +285,16 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {
 		0,
 		0,
 		false,
-		fmt.Sprintf("(&%v)", searchFilter),
-		[]string{ld.accessAtr, ld.secretAtr, ld.roleAtr, ld.groupIdAtr, ld.userIdAtr},
+		ld.buildSearchFilter(""),
+		[]string{ld.accessAtr, ld.secretAtr, ld.roleAtr, ld.groupIdAtr, ld.projectIdAtr, ld.userIdAtr},
 		nil,
 	)

-	resp, err := ld.conn.Search(searchRequest)
+	err := ld.execute(func(c *ldap.Conn) error {
+		var err error
+		resp, err = c.Search(searchRequest)
+		return err
+	})
 	if err != nil {
 		return nil, err
 	}
@@ -196,12 +311,19 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {
 			return nil, fmt.Errorf("invalid entry value for user-id %q: %w",
 				el.GetAttributeValue(ld.userIdAtr), err)
 		}
+		projectID, err := strconv.Atoi(el.GetAttributeValue(ld.projectIdAtr))
+		if err != nil {
+			return nil, fmt.Errorf("invalid entry value for project-id %q: %w",
+				el.GetAttributeValue(ld.groupIdAtr), err)
+		}
+
 		result = append(result, Account{
-			Access:  el.GetAttributeValue(ld.accessAtr),
-			Secret:  el.GetAttributeValue(ld.secretAtr),
-			Role:    Role(el.GetAttributeValue(ld.roleAtr)),
-			GroupID: groupId,
-			UserID:  userId,
+			Access:    el.GetAttributeValue(ld.accessAtr),
+			Secret:    el.GetAttributeValue(ld.secretAtr),
+			Role:      Role(el.GetAttributeValue(ld.roleAtr)),
+			GroupID:   groupId,
+			ProjectID: projectID,
+			UserID:    userId,
 		})
 	}

@@ -210,5 +332,7 @@ func (ld *LdapIAMService) ListUserAccounts() ([]Account, error) {

 // Shutdown graceful termination of service
 func (ld *LdapIAMService) Shutdown() error {
+	ld.mu.Lock()
+	defer ld.mu.Unlock()
 	return ld.conn.Close()
 }
--- a/auth/iam_ldap_test.go
+++ b/auth/iam_ldap_test.go
@@ -0,0 +1,56 @@
+package auth
+
+import "testing"
+
+func TestLdapIAMService_BuildSearchFilter(t *testing.T) {
+	tests := []struct {
+		name       string
+		objClasses []string
+		accessAtr  string
+		access     string
+		expected   string
+	}{
+		{
+			name:       "single object class with access",
+			objClasses: []string{"inetOrgPerson"},
+			accessAtr:  "uid",
+			access:     "testuser",
+			expected:   "(&(objectClass=inetOrgPerson)(uid=testuser))",
+		},
+		{
+			name:       "single object class without access",
+			objClasses: []string{"inetOrgPerson"},
+			accessAtr:  "uid",
+			access:     "",
+			expected:   "(&(objectClass=inetOrgPerson))",
+		},
+		{
+			name:       "multiple object classes with access",
+			objClasses: []string{"inetOrgPerson", "organizationalPerson"},
+			accessAtr:  "cn",
+			access:     "john.doe",
+			expected:   "(&(objectClass=inetOrgPerson)(objectClass=organizationalPerson)(cn=john.doe))",
+		},
+		{
+			name:       "multiple object classes without access",
+			objClasses: []string{"inetOrgPerson", "organizationalPerson", "person"},
+			accessAtr:  "cn",
+			access:     "",
+			expected:   "(&(objectClass=inetOrgPerson)(objectClass=organizationalPerson)(objectClass=person))",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ld := &LdapIAMService{
+				objClasses: tt.objClasses,
+				accessAtr:  tt.accessAtr,
+			}
+
+			result := ld.buildSearchFilter(tt.access)
+			if result != tt.expected {
+				t.Errorf("BuildSearchFilter() = %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
--- a/auth/iam_s3_object.go
+++ b/auth/iam_s3_object.go
@@ -33,6 +33,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/aws/smithy-go"
+	"github.com/versity/versitygw/debuglogger"
 )

 // IAMServiceS3 stores user accounts in an S3 object
@@ -56,14 +57,13 @@ type IAMServiceS3 struct {
 	bucket        string
 	endpoint      string
 	sslSkipVerify bool
-	debug         bool
 	rootAcc       Account
 	client        *s3.Client
 }

 var _ IAMService = &IAMServiceS3{}

-func NewS3(rootAcc Account, access, secret, region, bucket, endpoint string, sslSkipVerify, debug bool) (*IAMServiceS3, error) {
+func NewS3(rootAcc Account, access, secret, region, bucket, endpoint string, sslSkipVerify bool) (*IAMServiceS3, error) {
 	if access == "" {
 		return nil, fmt.Errorf("must provide s3 IAM service access key")
 	}
@@ -87,7 +87,6 @@ func NewS3(rootAcc Account, access, secret, region, bucket, endpoint string, ssl
 		bucket:        bucket,
 		endpoint:      endpoint,
 		sslSkipVerify: sslSkipVerify,
-		debug:         debug,
 		rootAcc:       rootAcc,
 	}

@@ -206,11 +205,12 @@ func (s *IAMServiceS3) ListUserAccounts() ([]Account, error) {
 	var accs []Account
 	for _, k := range keys {
 		accs = append(accs, Account{
-			Access:  k,
-			Secret:  conf.AccessAccounts[k].Secret,
-			Role:    conf.AccessAccounts[k].Role,
-			UserID:  conf.AccessAccounts[k].UserID,
-			GroupID: conf.AccessAccounts[k].GroupID,
+			Access:    k,
+			Secret:    conf.AccessAccounts[k].Secret,
+			Role:      conf.AccessAccounts[k].Role,
+			UserID:    conf.AccessAccounts[k].UserID,
+			GroupID:   conf.AccessAccounts[k].GroupID,
+			ProjectID: conf.AccessAccounts[k].ProjectID,
 		})
 	}

@@ -235,7 +235,7 @@ func (s *IAMServiceS3) getConfig() (aws.Config, error) {
 		config.WithHTTPClient(client),
 	}

-	if s.debug {
+	if debuglogger.IsIAMDebugEnabled() {
 		opts = append(opts,
 			config.WithClientLogMode(aws.LogSigning|aws.LogRetries|aws.LogRequest|aws.LogResponse|aws.LogRequestEventMessage|aws.LogResponseEventMessage))
 	}
--- a/auth/iam_vault.go
+++ b/auth/iam_vault.go
@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"

@@ -26,21 +27,50 @@ import (
 	"github.com/hashicorp/vault-client-go/schema"
 )

+const requestTimeout = 10 * time.Second
+
 type VaultIAMService struct {
 	client            *vault.Client
-	reqOpts           []vault.RequestOption
+	authReqOpts       []vault.RequestOption
+	kvReqOpts         []vault.RequestOption
 	secretStoragePath string
 	rootAcc           Account
+	creds             schema.AppRoleLoginRequest
+}
+
+type VaultIAMNamespace struct {
+	Auth          string
+	SecretStorage string
+}
+
+// Resolve empty specific namespaces to the fallback.
+// Empty result means root namespace.
+func resolveVaultNamespaces(authNamespace, secretStorageNamespace, fallback string) VaultIAMNamespace {
+	ns := VaultIAMNamespace{
+		Auth:          authNamespace,
+		SecretStorage: secretStorageNamespace,
+	}
+
+	if ns.Auth == "" {
+		ns.Auth = fallback
+	}
+	if ns.SecretStorage == "" {
+		ns.SecretStorage = fallback
+	}
+
+	return ns
 }

 var _ IAMService = &VaultIAMService{}

-func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath, rootToken, roleID, roleSecret, serverCert, clientCert, clientCertKey string) (IAMService, error) {
+func NewVaultIAMService(rootAcc Account, endpoint, namespace, secretStoragePath, secretStorageNamespace,
+	authMethod, authNamespace, mountPath, rootToken, roleID, roleSecret, serverCert,
+	clientCert, clientCertKey string) (IAMService, error) {
 	opts := []vault.ClientOption{
 		vault.WithAddress(endpoint),
-		// set request timeout to 10 secs
-		vault.WithRequestTimeout(10 * time.Second),
+		vault.WithRequestTimeout(requestTimeout),
 	}
+
 	if serverCert != "" {
 		tls := vault.TLSConfiguration{}

@@ -62,10 +92,43 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
 		return nil, fmt.Errorf("init vault client: %w", err)
 	}

-	reqOpts := []vault.RequestOption{}
-	// if mount path is not specified, it defaults to "approle"
+	authReqOpts := []vault.RequestOption{}
+	// if auth method path is not specified, it defaults to "approle"
+	if authMethod != "" {
+		authReqOpts = append(authReqOpts, vault.WithMountPath(authMethod))
+	}
+
+	kvReqOpts := []vault.RequestOption{}
+	// if mount path is not specified, it defaults to "kv-v2"
 	if mountPath != "" {
-		reqOpts = append(reqOpts, vault.WithMountPath(mountPath))
+		kvReqOpts = append(kvReqOpts, vault.WithMountPath(mountPath))
+	}
+
+	// Resolve namespaces using optional generic fallback "namespace"
+	ns := resolveVaultNamespaces(authNamespace, secretStorageNamespace, namespace)
+
+	// Guard: AppRole tokens are namespace scoped. If using AppRole and namespaces differ, error early.
+	// Root token can span namespaces because each request carries X-Vault-Namespace.
+	if rootToken == "" && ns.Auth != "" && ns.SecretStorage != "" && ns.Auth != ns.SecretStorage {
+		return nil, fmt.Errorf(
+			"approle tokens are namespace scoped. auth namespace %q and secret storage namespace %q differ. "+
+				"use the same namespace or authenticate with a root token",
+			ns.Auth, ns.SecretStorage,
+		)
+	}
+
+	// Apply namespaces to the correct request option sets.
+	// For root token we do not need an auth namespace since we are not logging in via auth.
+	if rootToken == "" && ns.Auth != "" {
+		authReqOpts = append(authReqOpts, vault.WithNamespace(ns.Auth))
+	}
+	if ns.SecretStorage != "" {
+		kvReqOpts = append(kvReqOpts, vault.WithNamespace(ns.SecretStorage))
+	}
+
+	creds := schema.AppRoleLoginRequest{
+		RoleId:   roleID,
+		SecretId: roleSecret,
 	}

 	// Authentication
@@ -80,12 +143,8 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
 			return nil, fmt.Errorf("role id and role secret must both be specified")
 		}

-		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-		resp, err := client.Auth.AppRoleLogin(ctx, schema.AppRoleLoginRequest{
-			RoleId:   roleID,
-			SecretId: roleSecret,
-		}, reqOpts...)
-		cancel()
+		resp, err := client.Auth.AppRoleLogin(context.Background(),
+			creds, authReqOpts...)
 		if err != nil {
 			return nil, fmt.Errorf("approle authentication failure: %w", err)
 		}
@@ -99,33 +158,81 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,

 	return &VaultIAMService{
 		client:            client,
-		reqOpts:           reqOpts,
+		authReqOpts:       authReqOpts,
+		kvReqOpts:         kvReqOpts,
 		secretStoragePath: secretStoragePath,
 		rootAcc:           rootAcc,
+		creds:             creds,
 	}, nil
 }

+func (vt *VaultIAMService) reAuthIfNeeded(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	// Vault returns 403 for expired/revoked tokens
+	// pass all other errors back unchanged
+	if !vault.IsErrorStatus(err, http.StatusForbidden) {
+		return err
+	}
+
+	resp, authErr := vt.client.Auth.AppRoleLogin(context.Background(),
+		vt.creds, vt.authReqOpts...)
+	if authErr != nil {
+		return fmt.Errorf("vault re-authentication failure: %w", authErr)
+	}
+	if err := vt.client.SetToken(resp.Auth.ClientToken); err != nil {
+		return fmt.Errorf("vault re-authentication set token failure: %w", err)
+	}
+
+	return nil
+}
+
 func (vt *VaultIAMService) CreateAccount(account Account) error {
 	if vt.rootAcc.Access == account.Access {
 		return ErrUserExists
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	_, err := vt.client.Secrets.KvV2Write(ctx, vt.secretStoragePath+"/"+account.Access, schema.KvV2WriteRequest{
-		Data: map[string]any{
-			account.Access: account,
-		},
-		Options: map[string]interface{}{
-			"cas": 0,
-		},
-	}, vt.reqOpts...)
-	cancel()
+	_, err := vt.client.Secrets.KvV2Write(context.Background(),
+		vt.secretStoragePath+"/"+account.Access, schema.KvV2WriteRequest{
+			Data: map[string]any{
+				account.Access: account,
+			},
+			Options: map[string]any{
+				"cas": 0,
+			},
+		}, vt.kvReqOpts...)
 	if err != nil {
 		if strings.Contains(err.Error(), "check-and-set") {
 			return ErrUserExists
 		}
-		return err
-	}

+		reauthErr := vt.reAuthIfNeeded(err)
+		if reauthErr != nil {
+			return reauthErr
+		}
+		// retry once after re-auth
+		_, err = vt.client.Secrets.KvV2Write(context.Background(),
+			vt.secretStoragePath+"/"+account.Access, schema.KvV2WriteRequest{
+				Data: map[string]any{
+					account.Access: account,
+				},
+				Options: map[string]any{
+					"cas": 0,
+				},
+			}, vt.kvReqOpts...)
+		if err != nil {
+			if strings.Contains(err.Error(), "check-and-set") {
+				return ErrUserExists
+			}
+			if vault.IsErrorStatus(err, http.StatusForbidden) {
+				return fmt.Errorf("vault 403 permission denied on path %q. check KV mount path and policy. original: %w",
+					vt.secretStoragePath+"/"+account.Access, err)
+			}
+			return err
+		}
+		return nil
+	}
 	return nil
 }

@@ -133,66 +240,84 @@ func (vt *VaultIAMService) GetUserAccount(access string) (Account, error) {
 	if vt.rootAcc.Access == access {
 		return vt.rootAcc, nil
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	resp, err := vt.client.Secrets.KvV2Read(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...)
-	cancel()
+	resp, err := vt.client.Secrets.KvV2Read(context.Background(),
+		vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
 	if err != nil {
-		return Account{}, err
+		reauthErr := vt.reAuthIfNeeded(err)
+		if reauthErr != nil {
+			return Account{}, reauthErr
+		}
+		// retry once after re-auth
+		resp, err = vt.client.Secrets.KvV2Read(context.Background(),
+			vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
+		if err != nil {
+			return Account{}, err
+		}
 	}
-
 	acc, err := parseVaultUserAccount(resp.Data.Data, access)
 	if err != nil {
 		return Account{}, err
 	}
-
 	return acc, nil
 }

 func (vt *VaultIAMService) UpdateUserAccount(access string, props MutableProps) error {
-	//TODO: We need something like a transaction here ?
 	acc, err := vt.GetUserAccount(access)
 	if err != nil {
 		return err
 	}
-
 	updateAcc(&acc, props)
-
 	err = vt.DeleteUserAccount(access)
 	if err != nil {
 		return err
 	}
-
 	err = vt.CreateAccount(acc)
 	if err != nil {
 		return err
 	}
-
 	return nil
 }

 func (vt *VaultIAMService) DeleteUserAccount(access string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	_, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...)
-	cancel()
+	_, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(context.Background(),
+		vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
 	if err != nil {
-		return err
+		reauthErr := vt.reAuthIfNeeded(err)
+		if reauthErr != nil {
+			return reauthErr
+		}
+		// retry once after re-auth
+		_, err = vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(context.Background(),
+			vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
+		if err != nil {
+			return err
+		}
 	}
 	return nil
 }

 func (vt *VaultIAMService) ListUserAccounts() ([]Account, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	resp, err := vt.client.Secrets.KvV2List(ctx, vt.secretStoragePath, vt.reqOpts...)
-	cancel()
+	resp, err := vt.client.Secrets.KvV2List(context.Background(),
+		vt.secretStoragePath, vt.kvReqOpts...)
 	if err != nil {
-		if vault.IsErrorStatus(err, 404) {
-			return []Account{}, nil
+		reauthErr := vt.reAuthIfNeeded(err)
+		if reauthErr != nil {
+			if vault.IsErrorStatus(err, http.StatusNotFound) {
+				return []Account{}, nil
+			}
+			return nil, reauthErr
+		}
+		// retry once after re-auth
+		resp, err = vt.client.Secrets.KvV2List(context.Background(),
+			vt.secretStoragePath, vt.kvReqOpts...)
+		if err != nil {
+			if vault.IsErrorStatus(err, http.StatusNotFound) {
+				return []Account{}, nil
+			}
+			return nil, err
 		}
-		return nil, err
 	}
-
 	accs := []Account{}
-
 	for _, acss := range resp.Data.Keys {
 		acc, err := vt.GetUserAccount(acss)
 		if err != nil {
@@ -200,7 +325,6 @@ func (vt *VaultIAMService) ListUserAccounts() ([]Account, error) {
 		}
 		accs = append(accs, acc)
 	}
-
 	return accs, nil
 }

@@ -211,8 +335,8 @@ func (vt *VaultIAMService) Shutdown() error {

 var errInvalidUser error = errors.New("invalid user account entry in secrets engine")

-func parseVaultUserAccount(data map[string]interface{}, access string) (acc Account, err error) {
-	usrAcc, ok := data[access].(map[string]interface{})
+func parseVaultUserAccount(data map[string]any, access string) (acc Account, err error) {
+	usrAcc, ok := data[access].(map[string]any)
 	if !ok {
 		return acc, errInvalidUser
 	}
@@ -245,12 +369,21 @@ func parseVaultUserAccount(data map[string]interface{}, access string) (acc Acco
 	if err != nil {
 		return acc, errInvalidUser
 	}
+	projectIdJson, ok := usrAcc["projectID"].(json.Number)
+	if !ok {
+		return acc, errInvalidUser
+	}
+	projectID, err := projectIdJson.Int64()
+	if err != nil {
+		return acc, errInvalidUser
+	}

 	return Account{
-		Access:  acss,
-		Secret:  secret,
-		Role:    Role(role),
-		UserID:  int(userId),
-		GroupID: int(groupId),
+		Access:    acss,
+		Secret:    secret,
+		Role:      Role(role),
+		UserID:    int(userId),
+		GroupID:   int(groupId),
+		ProjectID: int(projectID),
 	}, nil
 }
--- a/auth/object_lock.go
+++ b/auth/object_lock.go
@@ -24,6 +24,7 @@ import (

 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/debuglogger"
 	"github.com/versity/versitygw/s3err"
 	"github.com/versity/versitygw/s3response"
 )
@@ -40,7 +41,7 @@ func ParseBucketLockConfigurationInput(input []byte) ([]byte, error) {
 		return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

-	if lockConfig.ObjectLockEnabled != "" && lockConfig.ObjectLockEnabled != types.ObjectLockEnabledEnabled {
+	if lockConfig.ObjectLockEnabled != types.ObjectLockEnabledEnabled {
 		return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

@@ -92,28 +93,101 @@ func ParseBucketLockConfigurationOutput(input []byte) (*types.ObjectLockConfigur
 	return result, nil
 }

-func ParseObjectLockRetentionInput(input []byte) ([]byte, error) {
+func ParseObjectLockRetentionInput(input []byte) (*s3response.PutObjectRetentionInput, error) {
 	var retention s3response.PutObjectRetentionInput
 	if err := xml.Unmarshal(input, &retention); err != nil {
+		debuglogger.Logf("invalid object lock retention request body: %v", err)
 		return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

 	if retention.RetainUntilDate.Before(time.Now()) {
+		debuglogger.Logf("object lock retain until date must be in the future")
 		return nil, s3err.GetAPIError(s3err.ErrPastObjectLockRetainDate)
 	}
 	switch retention.Mode {
 	case types.ObjectLockRetentionModeCompliance:
 	case types.ObjectLockRetentionModeGovernance:
 	default:
+		debuglogger.Logf("invalid object lock retention mode: %s", retention.Mode)
 		return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

-	return json.Marshal(retention)
+	return &retention, nil
+}
+
+func ParseObjectLockRetentionInputToJSON(input *s3response.PutObjectRetentionInput) ([]byte, error) {
+	data, err := json.Marshal(input)
+	if err != nil {
+		debuglogger.Logf("parse object lock retention to JSON: %v", err)
+		return nil, fmt.Errorf("parse object lock retention: %w", err)
+	}
+
+	return data, nil
+}
+
+// IsObjectLockRetentionPutAllowed checks if the object lock retention PUT request
+// is allowed against the current state of the object lock
+func IsObjectLockRetentionPutAllowed(ctx context.Context, be backend.Backend, bucket, object, versionId, userAccess string, input *s3response.PutObjectRetentionInput, bypass bool) error {
+	ret, err := be.GetObjectRetention(ctx, bucket, object, versionId)
+	if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchObjectLockConfiguration)) {
+		// if object lock configuration is not set
+		// allow the retention modification without any checks
+		return nil
+	}
+	if err != nil {
+		debuglogger.Logf("failed to get object retention: %v", err)
+		return err
+	}
+
+	retention, err := ParseObjectLockRetentionOutput(ret)
+	if err != nil {
+		return err
+	}
+
+	if retention.Mode == input.Mode {
+		// if retention mode is the same
+		// the operation is allowed
+		return nil
+	}
+
+	if retention.Mode == types.ObjectLockRetentionModeCompliance {
+		// COMPLIANCE mode is by definition not allowed to modify
+		debuglogger.Logf("object lock retention change request from 'COMPLIANCE' to 'GOVERNANCE' is not allowed")
+		return s3err.GetAPIError(s3err.ErrObjectLocked)
+	}
+
+	if !bypass {
+		// if x-amz-bypass-governance-retention is not provided
+		// return error: object is locked
+		debuglogger.Logf("object lock retention mode change is not allowed and bypass governence is not forced")
+		return s3err.GetAPIError(s3err.ErrObjectLocked)
+	}
+
+	// the last case left, when user tries to chenge
+	// from 'GOVERNANCE' to 'COMPLIANCE' with
+	// 'x-amz-bypass-governance-retention' header
+	// first we need to check if user has 's3:BypassGovernanceRetention'
+	policy, err := be.GetBucketPolicy(ctx, bucket)
+	if err != nil {
+		// if it fails to get the policy, return object is locked
+		debuglogger.Logf("failed to get the bucket policy: %v", err)
+		return s3err.GetAPIError(s3err.ErrObjectLocked)
+	}
+	err = VerifyBucketPolicy(policy, userAccess, bucket, object, BypassGovernanceRetentionAction)
+	if err != nil {
+		// if user doesn't have "s3:BypassGovernanceRetention" permission
+		// return object is locked
+		debuglogger.Logf("the user is missing 's3:BypassGovernanceRetention' permission")
+		return s3err.GetAPIError(s3err.ErrObjectLocked)
+	}
+
+	return nil
 }

 func ParseObjectLockRetentionOutput(input []byte) (*types.ObjectLockRetention, error) {
 	var retention types.ObjectLockRetention
 	if err := json.Unmarshal(input, &retention); err != nil {
+		debuglogger.Logf("parse object lock retention output: %v", err)
 		return nil, fmt.Errorf("parse object lock retention: %w", err)
 	}

@@ -136,7 +210,16 @@ func ParseObjectLegalHoldOutput(status *bool) *s3response.GetObjectLegalHoldResu
 	}
 }

-func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects []types.ObjectIdentifier, bypass bool, be backend.Backend) error {
+func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects []types.ObjectIdentifier, bypass, isBucketPublic bool, be backend.Backend, isOverwrite bool) error {
+	if isOverwrite {
+		// if bucket versioning is enabled, any overwrite request
+		// should be enabled, as it leads to a new object version
+		// creation
+		res, err := be.GetBucketVersioning(ctx, bucket)
+		if err == nil && res.Status != nil && *res.Status == types.BucketVersioningStatusEnabled {
+			return nil
+		}
+	}
 	data, err := be.GetObjectLockConfiguration(ctx, bucket)
 	if err != nil {
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound)) {
@@ -171,6 +254,12 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 		}
 	}

+	var versioningEnabled bool
+	vers, err := be.GetBucketVersioning(ctx, bucket)
+	if err == nil && vers.Status != nil {
+		versioningEnabled = *vers.Status == types.BucketVersioningStatusEnabled
+	}
+
 	for _, obj := range objects {
 		var key, versionId string
 		if obj.Key != nil {
@@ -179,11 +268,21 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 		if obj.VersionId != nil {
 			versionId = *obj.VersionId
 		}
+		// if bucket versioning is enabled and versionId isn't provided
+		// no lock check is needed, as it leads to a new delete marker creation
+		if versioningEnabled && versionId == "" {
+			continue
+		}
 		checkRetention := true
 		retentionData, err := be.GetObjectRetention(ctx, bucket, key, versionId)
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchKey)) {
 			continue
 		}
+		// the object is a delete marker, if a `MethodNotAllowed` error is returned
+		// no object lock check is needed
+		if errors.Is(err, s3err.GetAPIError(s3err.ErrMethodNotAllowed)) {
+			continue
+		}
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchObjectLockConfiguration)) {
 			checkRetention = false
 		}
@@ -198,27 +297,35 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 			}

 			if retention.Mode != "" && retention.RetainUntilDate != nil {
-				if retention.RetainUntilDate.After(time.Now()) {
-					switch retention.Mode {
-					case types.ObjectLockRetentionModeGovernance:
-						if !bypass {
-							return s3err.GetAPIError(s3err.ErrObjectLocked)
-						} else {
-							policy, err := be.GetBucketPolicy(ctx, bucket)
-							if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
-								return s3err.GetAPIError(s3err.ErrObjectLocked)
-							}
-							if err != nil {
-								return err
-							}
-							err = VerifyBucketPolicy(policy, userAccess, bucket, key, BypassGovernanceRetentionAction)
-							if err != nil {
-								return s3err.GetAPIError(s3err.ErrObjectLocked)
-							}
-						}
-					case types.ObjectLockRetentionModeCompliance:
+				if retention.RetainUntilDate.Before(time.Now()) {
+					// if the object retention is expired, the object
+					// is allowed for write operations(delete, modify)
+					return nil
+				}
+
+				switch retention.Mode {
+				case types.ObjectLockRetentionModeGovernance:
+					if !bypass {
 						return s3err.GetAPIError(s3err.ErrObjectLocked)
+					} else {
+						policy, err := be.GetBucketPolicy(ctx, bucket)
+						if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
+							return s3err.GetAPIError(s3err.ErrObjectLocked)
+						}
+						if err != nil {
+							return err
+						}
+						if isBucketPublic {
+							err = VerifyPublicBucketPolicy(policy, bucket, key, BypassGovernanceRetentionAction)
+						} else {
+							err = VerifyBucketPolicy(policy, userAccess, bucket, key, BypassGovernanceRetentionAction)
+						}
+						if err != nil {
+							return s3err.GetAPIError(s3err.ErrObjectLocked)
+						}
 					}
+				case types.ObjectLockRetentionModeCompliance:
+					return s3err.GetAPIError(s3err.ErrObjectLocked)
 				}
 			}
 		}
@@ -254,7 +361,11 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 					if err != nil {
 						return err
 					}
-					err = VerifyBucketPolicy(policy, userAccess, bucket, key, BypassGovernanceRetentionAction)
+					if isBucketPublic {
+						err = VerifyPublicBucketPolicy(policy, bucket, key, BypassGovernanceRetentionAction)
+					} else {
+						err = VerifyBucketPolicy(policy, userAccess, bucket, key, BypassGovernanceRetentionAction)
+					}
 					if err != nil {
 						return s3err.GetAPIError(s3err.ErrObjectLocked)
 					}
--- a/aws/signer/internal/v4/headers.go
+++ b/aws/signer/internal/v4/headers.go
@@ -8,7 +8,8 @@ var IgnoredHeaders = Rules{
 			// some clients use user-agent in signed headers
 			// "User-Agent":      struct{}{},
 			"X-Amzn-Trace-Id": struct{}{},
-			"Expect":          struct{}{},
+			// Expect might appear in signed headers
+			// "Expect":          struct{}{},
 		},
 	},
 }
--- a/aws/signer/internal/v4/headers_test.go
+++ b/aws/signer/internal/v4/headers_test.go
@@ -41,7 +41,7 @@ func TestIgnoredHeaders(t *testing.T) {
 	}{
 		"expect": {
 			Header:        "Expect",
-			ExpectIgnored: true,
+			ExpectIgnored: false,
 		},
 		"authorization": {
 			Header:        "Authorization",
--- a/backend/azure/azure.go
+++ b/backend/azure/azure.go
@@ -60,6 +60,7 @@ const (
 	keyOwnership           key = "Ownership"
 	keyTags                key = "Tags"
 	keyPolicy              key = "Policy"
+	keyCors                key = "Cors"
 	keyBucketLock          key = "Bucketlock"
 	keyObjRetention        key = "Objectretention"
 	keyObjLegalHold        key = "Objectlegalhold"
@@ -67,6 +68,8 @@ const (
 	onameAttr              key = "Objname"
 	onameAttrLower         key = "objname"
 	metaTmpMultipartPrefix key = ".sgwtmp" + "/multipart"
+
+	defaultListingMaxKeys = 1000
 )

 func (key) Table() map[string]struct{} {
@@ -154,7 +157,7 @@ func (az *Azure) CreateBucket(ctx context.Context, input *s3.CreateBucketInput,
 		string(keyOwnership):  backend.GetPtrFromString(encodeBytes([]byte(input.ObjectOwnership))),
 	}

-	acct, ok := ctx.Value("account").(auth.Account)
+	acct, ok := ctx.Value("bucket-owner").(auth.Account)
 	if !ok {
 		acct = auth.Account{}
 	}
@@ -174,7 +177,21 @@ func (az *Azure) CreateBucket(ctx context.Context, input *s3.CreateBucketInput,
 		meta[string(keyBucketLock)] = backend.GetPtrFromString(encodeBytes(defaultLockParsed))
 	}

-	_, err := az.client.CreateContainer(ctx, *input.Bucket, &container.CreateOptions{Metadata: meta})
+	tagging, err := backend.ParseCreateBucketTags(input.CreateBucketConfiguration.Tags)
+	if err != nil {
+		return err
+	}
+
+	if tagging != nil {
+		tags, err := json.Marshal(tagging)
+		if err != nil {
+			return fmt.Errorf("marshal tags: %w", err)
+		}
+
+		meta[string(keyTags)] = backend.GetPtrFromString(encodeBytes(tags))
+	}
+
+	_, err = az.client.CreateContainer(ctx, *input.Bucket, &container.CreateOptions{Metadata: meta})
 	if errors.Is(s3err.GetAPIError(s3err.ErrBucketAlreadyExists), azureErrToS3Err(err)) {
 		aclBytes, err := az.getContainerMetaData(ctx, *input.Bucket, string(keyAclCapital))
 		if err != nil {
@@ -298,6 +315,11 @@ func (az *Azure) PutObject(ctx context.Context, po s3response.PutObjectInput) (s
 		return s3response.PutObjectOutput{}, err
 	}

+	err = az.evaluateWritePreconditions(ctx, po.Bucket, po.Key, po.IfMatch, po.IfNoneMatch)
+	if err != nil {
+		return s3response.PutObjectOutput{}, err
+	}
+
 	metadata := parseMetadata(po.Metadata)

 	// Store the "Expires" property in the object metadata
@@ -342,6 +364,9 @@ func (az *Azure) PutObject(ctx context.Context, po s3response.PutObjectInput) (s
 	if po.ObjectLockLegalHoldStatus == types.ObjectLockLegalHoldStatusOn {
 		err := az.PutObjectLegalHold(ctx, *po.Bucket, *po.Key, "", true)
 		if err != nil {
+			if errors.Is(err, s3err.GetAPIError(s3err.ErrMissingObjectLockConfiguration)) {
+				err = s3err.GetAPIError(s3err.ErrMissingObjectLockConfigurationNoSpaces)
+			}
 			return s3response.PutObjectOutput{}, err
 		}
 	}
@@ -356,14 +381,18 @@ func (az *Azure) PutObject(ctx context.Context, po s3response.PutObjectInput) (s
 		if err != nil {
 			return s3response.PutObjectOutput{}, fmt.Errorf("parse object lock retention: %w", err)
 		}
-		err = az.PutObjectRetention(ctx, *po.Bucket, *po.Key, "", true, retParsed)
+		err = az.PutObjectRetention(ctx, *po.Bucket, *po.Key, "", retParsed)
 		if err != nil {
+			if errors.Is(err, s3err.GetAPIError(s3err.ErrMissingObjectLockConfiguration)) {
+				err = s3err.GetAPIError(s3err.ErrMissingObjectLockConfigurationNoSpaces)
+			}
 			return s3response.PutObjectOutput{}, err
 		}
 	}

 	return s3response.PutObjectOutput{
-		ETag: string(*uploadResp.ETag),
+		ETag: convertAzureEtag(uploadResp.ETag),
+		Size: po.ContentLength,
 	}, nil
 }

@@ -404,6 +433,11 @@ func (az *Azure) DeleteBucketTagging(ctx context.Context, bucket string) error {
 }

 func (az *Azure) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.GetObjectOutput, error) {
+	if input.PartNumber != nil {
+		// querying an object with part number is not supported
+		return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
+	}
+
 	client, err := az.getBlobClient(*input.Bucket, *input.Key)
 	if err != nil {
 		return nil, err
@@ -414,6 +448,19 @@ func (az *Azure) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.G
 		return nil, azureErrToS3Err(err)
 	}

+	if resp.ETag != nil && resp.LastModified != nil {
+		err = backend.EvaluatePreconditions(convertAzureEtag(resp.ETag), *resp.LastModified,
+			backend.PreConditions{
+				IfMatch:       input.IfMatch,
+				IfNoneMatch:   input.IfNoneMatch,
+				IfModSince:    input.IfModifiedSince,
+				IfUnmodeSince: input.IfUnmodifiedSince,
+			})
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	var opts *azblob.DownloadStreamOptions
 	if *input.Range != "" {
 		offset, count, isValid, err := backend.ParseObjectRange(*resp.ContentLength, *input.Range)
@@ -453,7 +500,7 @@ func (az *Azure) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.G
 		ContentLanguage:    blobDownloadResponse.ContentLanguage,
 		CacheControl:       blobDownloadResponse.CacheControl,
 		ExpiresString:      blobDownloadResponse.Metadata[string(keyExpires)],
-		ETag:               (*string)(blobDownloadResponse.ETag),
+		ETag:               backend.GetPtrFromString(convertAzureEtag(blobDownloadResponse.ETag)),
 		LastModified:       blobDownloadResponse.LastModified,
 		Metadata:           parseAndFilterAzMetadata(blobDownloadResponse.Metadata),
 		TagCount:           &tagcount,
@@ -465,35 +512,8 @@ func (az *Azure) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.G

 func (az *Azure) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.HeadObjectOutput, error) {
 	if input.PartNumber != nil {
-		client, err := az.getBlockBlobClient(*input.Bucket, *input.Key)
-		if err != nil {
-			return nil, err
-		}
-
-		res, err := client.GetBlockList(ctx, blockblob.BlockListTypeUncommitted, nil)
-		if err != nil {
-			return nil, azureErrToS3Err(err)
-		}
-
-		partsCount := int32(len(res.UncommittedBlocks))
-
-		for _, block := range res.UncommittedBlocks {
-			partNumber, err := decodeBlockId(*block.Name)
-			if err != nil {
-				return nil, err
-			}
-
-			if partNumber == int(*input.PartNumber) {
-				return &s3.HeadObjectOutput{
-					ContentLength: block.Size,
-					ETag:          block.Name,
-					PartsCount:    &partsCount,
-					StorageClass:  types.StorageClassStandard,
-				}, nil
-			}
-		}
-
-		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+		// querying an object with part number is not supported
+		return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
 	}

 	client, err := az.getBlobClient(*input.Bucket, *input.Key)
@@ -505,6 +525,20 @@ func (az *Azure) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3
 	if err != nil {
 		return nil, azureErrToS3Err(err)
 	}
+
+	if resp.ETag != nil && resp.LastModified != nil {
+		err = backend.EvaluatePreconditions(convertAzureEtag(resp.ETag), *resp.LastModified,
+			backend.PreConditions{
+				IfMatch:       input.IfMatch,
+				IfNoneMatch:   input.IfNoneMatch,
+				IfModSince:    input.IfModifiedSince,
+				IfUnmodeSince: input.IfUnmodifiedSince,
+			})
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	var size int64
 	if resp.ContentLength != nil {
 		size = *resp.ContentLength
@@ -531,7 +565,7 @@ func (az *Azure) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3
 		ContentDisposition: resp.ContentDisposition,
 		CacheControl:       resp.CacheControl,
 		ExpiresString:      resp.Metadata[string(keyExpires)],
-		ETag:               (*string)(resp.ETag),
+		ETag:               backend.GetPtrFromString(convertAzureEtag(resp.ETag)),
 		LastModified:       resp.LastModified,
 		Metadata:           parseAndFilterAzMetadata(resp.Metadata),
 		StorageClass:       types.StorageClassStandard,
@@ -555,6 +589,11 @@ func (az *Azure) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3
 		}
 	}

+	if resp.TagCount != nil {
+		tagcount := int32(*resp.TagCount)
+		result.TagCount = &tagcount
+	}
+
 	return result, nil
 }

@@ -568,7 +607,7 @@ func (az *Azure) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAtt
 	}

 	return s3response.GetObjectAttributesResponse{
-		ETag:         backend.TrimEtag(data.ETag),
+		ETag:         data.ETag,
 		ObjectSize:   data.ContentLength,
 		StorageClass: data.StorageClass,
 		LastModified: data.LastModified,
@@ -578,26 +617,6 @@ func (az *Azure) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAtt
 }

 func (az *Azure) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s3response.ListObjectsResult, error) {
-	client, err := az.getContainerClient(*input.Bucket)
-	if err != nil {
-		return s3response.ListObjectsResult{}, nil
-	}
-	pager := client.NewListBlobsHierarchyPager(*input.Delimiter, &container.ListBlobsHierarchyOptions{
-		Marker:     input.Marker,
-		MaxResults: input.MaxKeys,
-		Prefix:     input.Prefix,
-	})
-
-	var objects []s3response.Object
-	var cPrefixes []types.CommonPrefix
-	var nextMarker *string
-	var isTruncated bool
-	var maxKeys int32 = math.MaxInt32
-
-	if input.MaxKeys != nil {
-		maxKeys = *input.MaxKeys
-	}
-
 	// Retrieve the bucket acl to get the bucket owner
 	// All the objects in the bucket are owner by the bucket owner
 	aclBytes, err := az.getContainerMetaData(ctx, *input.Bucket, string(keyAclCapital))
@@ -610,20 +629,50 @@ func (az *Azure) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s
 		return s3response.ListObjectsResult{}, err
 	}

-Pager:
-	for pager.More() {
+	client, err := az.getContainerClient(*input.Bucket)
+	if err != nil {
+		return s3response.ListObjectsResult{}, nil
+	}
+
+	var maxKeys int32 = defaultListingMaxKeys
+	if input.MaxKeys != nil {
+		maxKeys = *input.MaxKeys
+	}
+
+	pager := client.NewListBlobsHierarchyPager(*input.Delimiter, &container.ListBlobsHierarchyOptions{
+		MaxResults: &maxKeys,
+		Prefix:     input.Prefix,
+	})
+
+	var objects []s3response.Object
+	var cPrefixes []types.CommonPrefix
+	var nextMarker *string
+	var isTruncated bool
+
+	// Convert marker to filter criteria
+	var markerFilter string
+	if input.Marker != nil && *input.Marker != "" {
+		markerFilter = *input.Marker
+	}
+
+	// Loop through pages until we have enough objects or no more pages
+	objectsFound := int32(0)
+	for pager.More() && objectsFound < maxKeys {
 		resp, err := pager.NextPage(ctx)
 		if err != nil {
 			return s3response.ListObjectsResult{}, azureErrToS3Err(err)
 		}
+
+		// Process objects from this page
+		var pageObjects []s3response.Object
 		for _, v := range resp.Segment.BlobItems {
-			if len(objects)+len(cPrefixes) >= int(maxKeys) {
-				nextMarker = objects[len(objects)-1].Key
-				isTruncated = true
-				break Pager
+			// Skip objects that come before or equal to marker
+			if markerFilter != "" && *v.Name <= markerFilter {
+				continue
 			}
-			objects = append(objects, s3response.Object{
-				ETag:         backend.GetPtrFromString(fmt.Sprintf("%q", *v.Properties.ETag)),
+
+			pageObjects = append(pageObjects, s3response.Object{
+				ETag:         backend.GetPtrFromString(convertAzureEtag(v.Properties.ETag)),
 				Key:          v.Name,
 				LastModified: v.Properties.LastModified,
 				Size:         v.Properties.ContentLength,
@@ -632,20 +681,22 @@ Pager:
 					ID: &acl.Owner,
 				},
 			})
-		}
-		for _, v := range resp.Segment.BlobPrefixes {
-			if *v.Name <= *input.Marker {
-				continue
-			}
-			if len(objects)+len(cPrefixes) >= int(maxKeys) {
-				nextMarker = cPrefixes[len(cPrefixes)-1].Prefix
-				isTruncated = true
-				break Pager
-			}

-			marker := getString(input.Marker)
-			pfx := strings.TrimSuffix(*v.Name, getString(input.Delimiter))
-			if marker != "" && strings.HasPrefix(marker, pfx) {
+			objectsFound++
+			if objectsFound >= maxKeys {
+				// Set next marker to the current object name for pagination
+				nextMarker = v.Name
+				isTruncated = true
+				break
+			}
+		}
+
+		objects = append(objects, pageObjects...)
+
+		// Process common prefixes from this page
+		for _, v := range resp.Segment.BlobPrefixes {
+			// Skip prefixes that come before or equal to marker
+			if markerFilter != "" && *v.Name <= markerFilter {
 				continue
 			}

@@ -653,6 +704,16 @@ Pager:
 				Prefix: v.Name,
 			})
 		}
+
+		// If we've reached maxKeys, break
+		if objectsFound >= maxKeys {
+			break
+		}
+
+		// If Azure indicates more pages but we need to continue for more objects
+		if resp.NextMarker != nil && *resp.NextMarker != "" && objectsFound < maxKeys {
+			continue
+		}
 	}

 	return s3response.ListObjectsResult{
@@ -669,98 +730,104 @@ Pager:
 }

 func (az *Azure) ListObjectsV2(ctx context.Context, input *s3.ListObjectsV2Input) (s3response.ListObjectsV2Result, error) {
-	marker := ""
-	if *input.ContinuationToken > *input.StartAfter {
-		marker = *input.ContinuationToken
-	} else {
-		marker = *input.StartAfter
+	// Retrieve the bucket acl to get the bucket owner
+	// All the objects in the bucket are owner by the bucket owner
+	aclBytes, err := az.getContainerMetaData(ctx, *input.Bucket, string(keyAclCapital))
+	if err != nil {
+		return s3response.ListObjectsV2Result{}, azureErrToS3Err(err)
 	}
+
+	acl, err := auth.ParseACL(aclBytes)
+	if err != nil {
+		return s3response.ListObjectsV2Result{}, err
+	}
+
 	client, err := az.getContainerClient(*input.Bucket)
 	if err != nil {
 		return s3response.ListObjectsV2Result{}, nil
 	}
+
+	var maxKeys int32 = defaultListingMaxKeys
+	if input.MaxKeys != nil {
+		maxKeys = *input.MaxKeys
+	}
+
 	pager := client.NewListBlobsHierarchyPager(*input.Delimiter, &container.ListBlobsHierarchyOptions{
-		Marker:     &marker,
-		MaxResults: input.MaxKeys,
+		Marker:     input.ContinuationToken,
+		MaxResults: &maxKeys,
 		Prefix:     input.Prefix,
 	})

 	var objects []s3response.Object
-	var cPrefixes []types.CommonPrefix
-	var nextMarker *string
-	var isTruncated bool
-	var maxKeys int32 = math.MaxInt32
-	var fetchOwner bool
+	var resp container.ListBlobsHierarchyResponse

-	if input.MaxKeys != nil {
-		maxKeys = *input.MaxKeys
-	}
-	if input.FetchOwner != nil {
-		fetchOwner = *input.FetchOwner
-	}
-
-	// Retrieve the bucket acl to get the bucket owner, if "fetchOwner" is true
-	// All the objects in the bucket are owner by the bucket owner
-	var acl auth.ACL
-	if fetchOwner {
-		aclBytes, err := az.getContainerMetaData(ctx, *input.Bucket, string(keyAclCapital))
+	// Loop through pages until we find objects or no more pages
+	for {
+		resp, err = pager.NextPage(ctx)
 		if err != nil {
 			return s3response.ListObjectsV2Result{}, azureErrToS3Err(err)
 		}

-		acl, err = auth.ParseACL(aclBytes)
-		if err != nil {
-			return s3response.ListObjectsV2Result{}, err
-		}
-	}
-
-Pager:
-	for pager.More() {
-		resp, err := pager.NextPage(ctx)
-		if err != nil {
-			return s3response.ListObjectsV2Result{}, azureErrToS3Err(err)
-		}
+		// Convert Azure objects to S3 objects
+		var pageObjects []s3response.Object
 		for _, v := range resp.Segment.BlobItems {
-			if len(objects)+len(cPrefixes) >= int(maxKeys) {
-				nextMarker = objects[len(objects)-1].Key
-				isTruncated = true
-				break Pager
-			}
-
-			obj := s3response.Object{
-				ETag:         backend.GetPtrFromString(fmt.Sprintf("%q", *v.Properties.ETag)),
+			pageObjects = append(pageObjects, s3response.Object{
+				ETag:         backend.GetPtrFromString(convertAzureEtag(v.Properties.ETag)),
 				Key:          v.Name,
 				LastModified: v.Properties.LastModified,
 				Size:         v.Properties.ContentLength,
 				StorageClass: types.ObjectStorageClassStandard,
-			}
-			if fetchOwner {
-				obj.Owner = &types.Owner{
+				Owner: &types.Owner{
 					ID: &acl.Owner,
-				}
-			}
-			objects = append(objects, obj)
-		}
-		for _, v := range resp.Segment.BlobPrefixes {
-			if *v.Name <= marker {
-				continue
-			}
-			if len(objects)+len(cPrefixes) >= int(maxKeys) {
-				nextMarker = cPrefixes[len(cPrefixes)-1].Prefix
-				isTruncated = true
-				break Pager
-			}
-
-			marker := getString(input.ContinuationToken)
-			pfx := strings.TrimSuffix(*v.Name, getString(input.Delimiter))
-			if marker != "" && strings.HasPrefix(marker, pfx) {
-				continue
-			}
-
-			cPrefixes = append(cPrefixes, types.CommonPrefix{
-				Prefix: v.Name,
+				},
 			})
 		}
+
+		// If StartAfter is specified, filter objects
+		if input.StartAfter != nil && *input.StartAfter != "" {
+			startAfter := *input.StartAfter
+			startIndex := -1
+			for i, obj := range pageObjects {
+				if *obj.Key > startAfter {
+					startIndex = i
+					break
+				}
+			}
+
+			if startIndex != -1 {
+				// Found objects after StartAfter in this page
+				objects = append(objects, pageObjects[startIndex:]...)
+				break
+			} else {
+				// No objects after StartAfter in this page
+				// Check if there are more pages to examine
+				if resp.NextMarker == nil || *resp.NextMarker == "" {
+					// No more pages, so no objects after StartAfter
+					break
+				}
+				// Continue to next page without adding any objects
+				continue
+			}
+		} else {
+			// No StartAfter specified, add all objects from this page
+			objects = append(objects, pageObjects...)
+			break
+		}
+	}
+
+	var cPrefixes []types.CommonPrefix
+	for _, v := range resp.Segment.BlobPrefixes {
+		cPrefixes = append(cPrefixes, types.CommonPrefix{
+			Prefix: v.Name,
+		})
+	}
+
+	var isTruncated bool
+	var nextMarker *string
+	// If Azure returned a NextMarker, set it for the next request
+	if resp.NextMarker != nil && *resp.NextMarker != "" {
+		nextMarker = resp.NextMarker
+		isTruncated = true
 	}

 	return s3response.ListObjectsV2Result{
@@ -778,6 +845,42 @@ Pager:
 }

 func (az *Azure) DeleteObject(ctx context.Context, input *s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error) {
+	if input.IfMatch != nil || input.IfMatchLastModifiedTime != nil || input.IfMatchSize != nil {
+		// evaluate the preconditions before deleting the object
+		props, err := az.HeadObject(ctx, &s3.HeadObjectInput{
+			Bucket: input.Bucket,
+			Key:    input.Key,
+		})
+		if err != nil && !errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchKey)) {
+			// if object doesn't exist, skip preconditions
+			// if unexpected error shows up, return the error
+			return nil, err
+		}
+		if err == nil {
+			var etag string
+			if props.ETag != nil {
+				etag = *props.ETag
+			}
+			var lastMod time.Time
+			if props.LastModified != nil {
+				lastMod = *props.LastModified
+			}
+			var size int64
+			if props.ContentLength != nil {
+				size = *props.ContentLength
+			}
+			err := backend.EvaluateObjectDeletePreconditions(etag, lastMod, size,
+				backend.ObjectDeletePreconditions{
+					IfMatch:            input.IfMatch,
+					IfMatchLastModTime: input.IfMatchLastModifiedTime,
+					IfMatchSize:        input.IfMatchSize,
+				})
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
 	_, err := az.client.DeleteBlob(ctx, *input.Bucket, *input.Key, nil)
 	if err != nil {
 		azerr, ok := err.(*azcore.ResponseError)
@@ -827,6 +930,26 @@ func (az *Azure) CopyObject(ctx context.Context, input s3response.CopyObjectInpu
 	if err != nil {
 		return s3response.CopyObjectOutput{}, err
 	}
+
+	srcBucket, srcObj, _, err := backend.ParseCopySource(*input.CopySource)
+	if err != nil {
+		return s3response.CopyObjectOutput{}, err
+	}
+
+	if !areNils(input.CopySourceIfMatch, input.CopySourceIfNoneMatch) || !areNils(input.CopySourceIfModifiedSince, input.CopySourceIfUnmodifiedSince) {
+		_, err = az.HeadObject(ctx, &s3.HeadObjectInput{
+			Bucket:            &srcBucket,
+			Key:               &srcObj,
+			IfMatch:           input.CopySourceIfMatch,
+			IfNoneMatch:       input.CopySourceIfNoneMatch,
+			IfModifiedSince:   input.CopySourceIfModifiedSince,
+			IfUnmodifiedSince: input.CopySourceIfUnmodifiedSince,
+		})
+		if err != nil {
+			return s3response.CopyObjectOutput{}, err
+		}
+	}
+
 	if strings.Join([]string{*input.Bucket, *input.Key}, "/") == *input.CopySource {
 		if input.MetadataDirective != types.MetadataDirectiveReplace {
 			return s3response.CopyObjectOutput{}, s3err.GetAPIError(s3err.ErrInvalidCopyDest)
@@ -863,6 +986,9 @@ func (az *Azure) CopyObject(ctx context.Context, input s3response.CopyObjectInpu
 		if input.ObjectLockLegalHoldStatus != "" {
 			err = az.PutObjectLegalHold(ctx, *input.Bucket, *input.Key, "", input.ObjectLockLegalHoldStatus == types.ObjectLockLegalHoldStatusOn)
 			if err != nil {
+				if errors.Is(err, s3err.GetAPIError(s3err.ErrMissingObjectLockConfiguration)) {
+					err = s3err.GetAPIError(s3err.ErrMissingObjectLockConfigurationNoSpaces)
+				}
 				return s3response.CopyObjectOutput{}, azureErrToS3Err(err)
 			}
 		}
@@ -879,8 +1005,11 @@ func (az *Azure) CopyObject(ctx context.Context, input s3response.CopyObjectInpu
 			if err != nil {
 				return s3response.CopyObjectOutput{}, fmt.Errorf("parse object retention: %w", err)
 			}
-			err = az.PutObjectRetention(ctx, *input.Bucket, *input.Key, "", true, retParsed)
+			err = az.PutObjectRetention(ctx, *input.Bucket, *input.Key, "", retParsed)
 			if err != nil {
+				if errors.Is(err, s3err.GetAPIError(s3err.ErrMissingObjectLockConfiguration)) {
+					err = s3err.GetAPIError(s3err.ErrMissingObjectLockConfigurationNoSpaces)
+				}
 				return s3response.CopyObjectOutput{}, azureErrToS3Err(err)
 			}
 		}
@@ -900,16 +1029,11 @@ func (az *Azure) CopyObject(ctx context.Context, input s3response.CopyObjectInpu
 		return s3response.CopyObjectOutput{
 			CopyObjectResult: &s3response.CopyObjectResult{
 				LastModified: res.LastModified,
-				ETag:         (*string)(res.ETag),
+				ETag:         backend.GetPtrFromString(convertAzureEtag(res.ETag)),
 			},
 		}, nil
 	}

-	srcBucket, srcObj, _, err := backend.ParseCopySource(*input.CopySource)
-	if err != nil {
-		return s3response.CopyObjectOutput{}, err
-	}
-
 	// Get the source object
 	downloadResp, err := az.client.DownloadStream(ctx, srcBucket, srcObj, nil)
 	if err != nil {
@@ -978,7 +1102,7 @@ func (az *Azure) CopyObject(ctx context.Context, input s3response.CopyObjectInpu
 	}, nil
 }

-func (az *Azure) PutObjectTagging(ctx context.Context, bucket, object string, tags map[string]string) error {
+func (az *Azure) PutObjectTagging(ctx context.Context, bucket, object, _ string, tags map[string]string) error {
 	client, err := az.getBlobClient(bucket, object)
 	if err != nil {
 		return err
@@ -992,7 +1116,7 @@ func (az *Azure) PutObjectTagging(ctx context.Context, bucket, object string, ta
 	return nil
 }

-func (az *Azure) GetObjectTagging(ctx context.Context, bucket, object string) (map[string]string, error) {
+func (az *Azure) GetObjectTagging(ctx context.Context, bucket, object, _ string) (map[string]string, error) {
 	client, err := az.getBlobClient(bucket, object)
 	if err != nil {
 		return nil, err
@@ -1006,7 +1130,7 @@ func (az *Azure) GetObjectTagging(ctx context.Context, bucket, object string) (m
 	return parseAzTags(tags.BlobTagSet), nil
 }

-func (az *Azure) DeleteObjectTagging(ctx context.Context, bucket, object string) error {
+func (az *Azure) DeleteObjectTagging(ctx context.Context, bucket, object, _ string) error {
 	client, err := az.getBlobClient(bucket, object)
 	if err != nil {
 		return err
@@ -1028,7 +1152,7 @@ func (az *Azure) CreateMultipartUpload(ctx context.Context, input s3response.Cre
 		}

 		if len(bucketLock) == 0 {
-			return s3response.InitiateMultipartUploadResult{}, s3err.GetAPIError(s3err.ErrInvalidBucketObjectLockConfiguration)
+			return s3response.InitiateMultipartUploadResult{}, s3err.GetAPIError(s3err.ErrMissingObjectLockConfigurationNoSpaces)
 		}

 		var bucketLockConfig auth.BucketLockConfig
@@ -1037,7 +1161,7 @@ func (az *Azure) CreateMultipartUpload(ctx context.Context, input s3response.Cre
 		}

 		if !bucketLockConfig.Enabled {
-			return s3response.InitiateMultipartUploadResult{}, s3err.GetAPIError(s3err.ErrInvalidBucketObjectLockConfiguration)
+			return s3response.InitiateMultipartUploadResult{}, s3err.GetAPIError(s3err.ErrMissingObjectLockConfigurationNoSpaces)
 		}
 	}

@@ -1138,7 +1262,7 @@ func (az *Azure) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s3
 func (az *Azure) UploadPartCopy(ctx context.Context, input *s3.UploadPartCopyInput) (s3response.CopyPartResult, error) {
 	client, err := az.getBlockBlobClient(*input.Bucket, *input.Key)
 	if err != nil {
-		return s3response.CopyPartResult{}, nil
+		return s3response.CopyPartResult{}, err
 	}

 	if err := az.checkIfMpExists(ctx, *input.Bucket, *input.Key, *input.UploadId); err != nil {
@@ -1341,6 +1465,22 @@ func (az *Azure) ListMultipartUploads(ctx context.Context, input *s3.ListMultipa
 // Cleans up the initiated multipart upload in .sgwtmp namespace
 func (az *Azure) AbortMultipartUpload(ctx context.Context, input *s3.AbortMultipartUploadInput) error {
 	tmpPath := createMetaTmpPath(*input.Key, *input.UploadId)
+
+	if input.IfMatchInitiatedTime != nil {
+		client, err := az.getBlobClient(*input.Bucket, tmpPath)
+		if err != nil {
+			return err
+		}
+
+		resp, err := client.GetProperties(ctx, nil)
+		if err != nil {
+			return azureErrToS3Err(err)
+		}
+
+		if resp.LastModified != nil && resp.LastModified.Unix() != input.IfMatchInitiatedTime.Unix() {
+			return s3err.GetAPIError(s3err.ErrPreconditionFailed)
+		}
+	}
 	_, err := az.client.DeleteBlob(ctx, *input.Bucket, tmpPath, nil)
 	if err != nil {
 		return parseMpError(err)
@@ -1368,6 +1508,11 @@ func (az *Azure) AbortMultipartUpload(ctx context.Context, input *s3.AbortMultip
 func (az *Azure) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error) {
 	var res s3response.CompleteMultipartUploadResult

+	err := az.evaluateWritePreconditions(ctx, input.Bucket, input.Key, input.IfMatch, input.IfNoneMatch)
+	if err != nil {
+		return s3response.CompleteMultipartUploadResult{}, "", err
+	}
+
 	tmpPath := createMetaTmpPath(*input.Key, *input.UploadId)
 	blobClient, err := az.getBlobClient(*input.Bucket, tmpPath)
 	if err != nil {
@@ -1471,7 +1616,7 @@ func (az *Azure) CompleteMultipartUpload(ctx context.Context, input *s3.Complete
 	return s3response.CompleteMultipartUploadResult{
 		Bucket: input.Bucket,
 		Key:    input.Key,
-		ETag:   (*string)(resp.ETag),
+		ETag:   backend.GetPtrFromString(convertAzureEtag(resp.ETag)),
 	}, "", nil
 }

@@ -1506,25 +1651,30 @@ func (az *Azure) DeleteBucketPolicy(ctx context.Context, bucket string) error {
 	return az.PutBucketPolicy(ctx, bucket, nil)
 }

-func (az *Azure) PutObjectLockConfiguration(ctx context.Context, bucket string, config []byte) error {
-	cfg, err := az.getContainerMetaData(ctx, bucket, string(keyBucketLock))
+func (az *Azure) PutBucketCors(ctx context.Context, bucket string, cors []byte) error {
+	if cors == nil {
+		return az.deleteContainerMetaData(ctx, bucket, string(keyCors))
+	}
+
+	return az.setContainerMetaData(ctx, bucket, string(keyCors), cors)
+}
+
+func (az *Azure) GetBucketCors(ctx context.Context, bucket string) ([]byte, error) {
+	p, err := az.getContainerMetaData(ctx, bucket, string(keyCors))
 	if err != nil {
-		return err
+		return nil, err
 	}
-
-	if len(cfg) == 0 {
-		return s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotAllowed)
+	if len(p) == 0 {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration)
 	}
+	return p, nil
+}

-	var bucketLockCfg auth.BucketLockConfig
-	if err := json.Unmarshal(cfg, &bucketLockCfg); err != nil {
-		return fmt.Errorf("unmarshal object lock config: %w", err)
-	}
-
-	if !bucketLockCfg.Enabled {
-		return s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotAllowed)
-	}
+func (az *Azure) DeleteBucketCors(ctx context.Context, bucket string) error {
+	return az.PutBucketCors(ctx, bucket, nil)
+}

+func (az *Azure) PutObjectLockConfiguration(ctx context.Context, bucket string, config []byte) error {
 	return az.setContainerMetaData(ctx, bucket, string(keyBucketLock), config)
 }

@@ -1541,7 +1691,7 @@ func (az *Azure) GetObjectLockConfiguration(ctx context.Context, bucket string)
 	return cfg, nil
 }

-func (az *Azure) PutObjectRetention(ctx context.Context, bucket, object, versionId string, bypass bool, retention []byte) error {
+func (az *Azure) PutObjectRetention(ctx context.Context, bucket, object, versionId string, retention []byte) error {
 	err := az.isBucketObjectLockEnabled(ctx, bucket)
 	if err != nil {
 		return err
@@ -1563,28 +1713,7 @@ func (az *Azure) PutObjectRetention(ctx context.Context, bucket, object, version
 			string(keyObjRetention): backend.GetPtrFromString(string(retention)),
 		}
 	} else {
-		objLockCfg, ok := meta[string(keyObjRetention)]
-		if !ok {
-			meta[string(keyObjRetention)] = backend.GetPtrFromString(string(retention))
-		} else {
-			var lockCfg types.ObjectLockRetention
-			if err := json.Unmarshal([]byte(*objLockCfg), &lockCfg); err != nil {
-				return fmt.Errorf("unmarshal object lock config: %w", err)
-			}
-
-			switch lockCfg.Mode {
-			// Compliance mode can't be overridden
-			case types.ObjectLockRetentionModeCompliance:
-				return s3err.GetAPIError(s3err.ErrMethodNotAllowed)
-			// To override governance mode user should have "s3:BypassGovernanceRetention" permission
-			case types.ObjectLockRetentionModeGovernance:
-				if !bypass {
-					return s3err.GetAPIError(s3err.ErrMethodNotAllowed)
-				}
-			}
-
-			meta[string(keyObjRetention)] = backend.GetPtrFromString(string(retention))
-		}
+		meta[string(keyObjRetention)] = backend.GetPtrFromString(string(retention))
 	}

 	_, err = blobClient.SetMetadata(ctx, meta, nil)
@@ -1683,8 +1812,8 @@ func (az *Azure) GetObjectLegalHold(ctx context.Context, bucket, object, version
 	return &status, nil
 }

-func (az *Azure) ChangeBucketOwner(ctx context.Context, bucket string, acl []byte) error {
-	return az.PutBucketAcl(ctx, bucket, acl)
+func (az *Azure) ChangeBucketOwner(ctx context.Context, bucket, owner string) error {
+	return auth.UpdateBucketACLOwner(ctx, az, bucket, owner)
 }

 // The action actually returns the containers owned by the user, who initialized the gateway
@@ -1722,7 +1851,7 @@ func (az *Azure) isBucketObjectLockEnabled(ctx context.Context, bucket string) e
 	}

 	if len(cfg) == 0 {
-		return s3err.GetAPIError(s3err.ErrInvalidBucketObjectLockConfiguration)
+		return s3err.GetAPIError(s3err.ErrMissingObjectLockConfiguration)
 	}

 	var bucketLockConfig auth.BucketLockConfig
@@ -1731,7 +1860,7 @@ func (az *Azure) isBucketObjectLockEnabled(ctx context.Context, bucket string) e
 	}

 	if !bucketLockConfig.Enabled {
-		return s3err.GetAPIError(s3err.ErrInvalidBucketObjectLockConfiguration)
+		return s3err.GetAPIError(s3err.ErrMissingObjectLockConfiguration)
 	}

 	return nil
@@ -1963,6 +2092,27 @@ func (az *Azure) deleteContainerMetaData(ctx context.Context, bucket, key string
 	return nil
 }

+func (az *Azure) evaluateWritePreconditions(ctx context.Context, bucket, object, ifMatch, ifNoneMatch *string) error {
+	if areNils(ifMatch, ifNoneMatch) {
+		return nil
+	}
+	// call HeadObject to evaluate preconditions
+	res, err := az.HeadObject(ctx, &s3.HeadObjectInput{
+		Bucket: bucket,
+		Key:    object,
+	})
+	if err != nil && !errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchKey)) {
+		return err
+	}
+
+	var etag string
+	if res != nil {
+		etag = backend.GetStringFromPtr(res.ETag)
+	}
+
+	return backend.EvaluateObjectPutPreconditions(etag, ifMatch, ifNoneMatch, !errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchKey)))
+}
+
 func getAclFromMetadata(meta map[string]*string, key key) (*auth.ACL, error) {
 	data, ok := meta[string(key)]
 	if !ok {
@@ -2002,3 +2152,21 @@ func (az *Azure) checkIfMpExists(ctx context.Context, bucket, obj, uploadId stri

 	return nil
 }
+
+func convertAzureEtag(etag *azcore.ETag) string {
+	// Azure ETag values are not S3 compatible,
+	// so append "-1" to avoid client SDK ETag validation issues.
+	str := (*string)(etag)
+
+	return *backend.TrimEtag(str) + "-1"
+}
+
+func areNils[T any](args ...*T) bool {
+	for _, arg := range args {
+		if arg != nil {
+			return false
+		}
+	}
+
+	return true
+}
--- a/backend/backend.go
+++ b/backend/backend.go
@@ -46,7 +46,7 @@ type Backend interface {
 	PutBucketOwnershipControls(_ context.Context, bucket string, ownership types.ObjectOwnership) error
 	GetBucketOwnershipControls(_ context.Context, bucket string) (types.ObjectOwnership, error)
 	DeleteBucketOwnershipControls(_ context.Context, bucket string) error
-	PutBucketCors(context.Context, []byte) error
+	PutBucketCors(_ context.Context, bucket string, cors []byte) error
 	GetBucketCors(_ context.Context, bucket string) ([]byte, error)
 	DeleteBucketCors(_ context.Context, bucket string) error

@@ -83,20 +83,20 @@ type Backend interface {
 	DeleteBucketTagging(_ context.Context, bucket string) error

 	// object tagging operations
-	GetObjectTagging(_ context.Context, bucket, object string) (map[string]string, error)
-	PutObjectTagging(_ context.Context, bucket, object string, tags map[string]string) error
-	DeleteObjectTagging(_ context.Context, bucket, object string) error
+	GetObjectTagging(_ context.Context, bucket, object, versionId string) (map[string]string, error)
+	PutObjectTagging(_ context.Context, bucket, object, versionId string, tags map[string]string) error
+	DeleteObjectTagging(_ context.Context, bucket, object, versionId string) error

 	// object lock operations
 	PutObjectLockConfiguration(_ context.Context, bucket string, config []byte) error
 	GetObjectLockConfiguration(_ context.Context, bucket string) ([]byte, error)
-	PutObjectRetention(_ context.Context, bucket, object, versionId string, bypass bool, retention []byte) error
+	PutObjectRetention(_ context.Context, bucket, object, versionId string, retention []byte) error
 	GetObjectRetention(_ context.Context, bucket, object, versionId string) ([]byte, error)
 	PutObjectLegalHold(_ context.Context, bucket, object, versionId string, status bool) error
 	GetObjectLegalHold(_ context.Context, bucket, object, versionId string) (*bool, error)

 	// non AWS actions
-	ChangeBucketOwner(_ context.Context, bucket string, acl []byte) error
+	ChangeBucketOwner(_ context.Context, bucket, owner string) error
 	ListBucketsAndOwners(context.Context) ([]s3response.Bucket, error)
 }

@@ -153,7 +153,7 @@ func (BackendUnsupported) GetBucketOwnershipControls(_ context.Context, bucket s
 func (BackendUnsupported) DeleteBucketOwnershipControls(_ context.Context, bucket string) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
-func (BackendUnsupported) PutBucketCors(context.Context, []byte) error {
+func (BackendUnsupported) PutBucketCors(context.Context, string, []byte) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
 func (BackendUnsupported) GetBucketCors(_ context.Context, bucket string) ([]byte, error) {
@@ -251,13 +251,13 @@ func (BackendUnsupported) DeleteBucketTagging(_ context.Context, bucket string)
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }

-func (BackendUnsupported) GetObjectTagging(_ context.Context, bucket, object string) (map[string]string, error) {
+func (BackendUnsupported) GetObjectTagging(_ context.Context, bucket, object, versionId string) (map[string]string, error) {
 	return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
 }
-func (BackendUnsupported) PutObjectTagging(_ context.Context, bucket, object string, tags map[string]string) error {
+func (BackendUnsupported) PutObjectTagging(_ context.Context, bucket, object, versionId string, tags map[string]string) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
-func (BackendUnsupported) DeleteObjectTagging(_ context.Context, bucket, object string) error {
+func (BackendUnsupported) DeleteObjectTagging(_ context.Context, bucket, object, versionId string) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }

@@ -267,7 +267,7 @@ func (BackendUnsupported) PutObjectLockConfiguration(_ context.Context, bucket s
 func (BackendUnsupported) GetObjectLockConfiguration(_ context.Context, bucket string) ([]byte, error) {
 	return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
 }
-func (BackendUnsupported) PutObjectRetention(_ context.Context, bucket, object, versionId string, bypass bool, retention []byte) error {
+func (BackendUnsupported) PutObjectRetention(_ context.Context, bucket, object, versionId string, retention []byte) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
 func (BackendUnsupported) GetObjectRetention(_ context.Context, bucket, object, versionId string) ([]byte, error) {
@@ -280,7 +280,7 @@ func (BackendUnsupported) GetObjectLegalHold(_ context.Context, bucket, object,
 	return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
 }

-func (BackendUnsupported) ChangeBucketOwner(_ context.Context, bucket string, acl []byte) error {
+func (BackendUnsupported) ChangeBucketOwner(_ context.Context, bucket, owner string) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
 func (BackendUnsupported) ListBucketsAndOwners(context.Context) ([]s3response.Bucket, error) {
--- a/backend/common.go
+++ b/backend/common.go
@@ -22,6 +22,7 @@ import (
 	"hash"
 	"io"
 	"io/fs"
+	"math"
 	"net/url"
 	"os"
 	"regexp"
@@ -87,6 +88,8 @@ func TrimEtag(etag *string) *string {
 var (
 	errInvalidRange           = s3err.GetAPIError(s3err.ErrInvalidRange)
 	errInvalidCopySourceRange = s3err.GetAPIError(s3err.ErrInvalidCopySourceRange)
+	errPreconditionFailed     = s3err.GetAPIError(s3err.ErrPreconditionFailed)
+	errNotModified            = s3err.GetAPIError(s3err.ErrNotModified)
 )

 // ParseObjectRange parses input range header and returns startoffset, length, isValid
@@ -94,63 +97,81 @@ var (
 // for invalid inputs, it returns no error, but isValid=false
 // `InvalidRange` error is returnd, only if startoffset is greater than the object size
 func ParseObjectRange(size int64, acceptRange string) (int64, int64, bool, error) {
+	// Return full object (invalid range, no error) if header empty
 	if acceptRange == "" {
 		return 0, size, false, nil
 	}

 	rangeKv := strings.Split(acceptRange, "=")
-
 	if len(rangeKv) != 2 {
 		return 0, size, false, nil
 	}
-
-	if rangeKv[0] != "bytes" {
+	if rangeKv[0] != "bytes" { // unsupported unit -> ignore
 		return 0, size, false, nil
 	}

 	bRange := strings.Split(rangeKv[1], "-")
-	if len(bRange) != 2 {
+	if len(bRange) != 2 { // malformed / multi-range
 		return 0, size, false, nil
 	}

-	startOffset, err := strconv.ParseInt(bRange[0], 10, 64)
-	if err != nil && bRange[0] != "" {
+	// Parse start; empty start indicates a suffix-byte-range-spec (e.g. bytes=-100)
+	startOffset, err := strconv.ParseInt(bRange[0], 10, strconv.IntSize)
+	if startOffset > int64(math.MaxInt) || startOffset < int64(math.MinInt) {
+		return 0, size, false, errInvalidRange
+	}
+	if err != nil && bRange[0] != "" { // invalid numeric start (non-empty) -> ignore range
 		return 0, size, false, nil
 	}

+	// If end part missing (e.g. bytes=100-)
 	if bRange[1] == "" {
-		if bRange[0] == "" {
+		if bRange[0] == "" { // bytes=- (meaningless) -> ignore
 			return 0, size, false, nil
 		}
+		// start beyond or at size is unsatisfiable -> error (RequestedRangeNotSatisfiable)
 		if startOffset >= size {
 			return 0, 0, false, errInvalidRange
 		}
+		// bytes=100- => from start to end
 		return startOffset, size - startOffset, true, nil
 	}

-	endOffset, err := strconv.ParseInt(bRange[1], 10, 64)
-	if err != nil {
+	endOffset, err := strconv.ParseInt(bRange[1], 10, strconv.IntSize)
+	if endOffset > int64(math.MaxInt) {
+		return 0, size, false, errInvalidRange
+	}
+	if err != nil { // invalid numeric end -> ignore range
 		return 0, size, false, nil
 	}

-	if startOffset > endOffset {
-		return 0, size, false, nil
-	}
-
-	// for ranges like 'bytes=-100' return the last bytes specified with 'endOffset'
+	// Suffix range handling (bRange[0] == "")
 	if bRange[0] == "" {
+		// Disallow -0 (always unsatisfiable)
+		if endOffset == 0 {
+			return 0, 0, false, errInvalidRange
+		}
+		// For zero-sized objects any positive suffix is treated as invalid (ignored, no error)
+		if size == 0 {
+			return 0, size, false, nil
+		}
+		// Clamp to object size (request more bytes than exist -> entire object)
 		endOffset = min(endOffset, size)
 		return size - endOffset, endOffset, true, nil
 	}

+	// Normal range (start-end)
+	if startOffset > endOffset { // start > end -> ignore
+		return 0, size, false, nil
+	}
+	// Start beyond or at end of object -> error
 	if startOffset >= size {
 		return 0, 0, false, errInvalidRange
 	}
-
+	// Adjust end beyond object size (trim)
 	if endOffset >= size {
 		endOffset = size - 1
 	}
-
 	return startOffset, endOffset - startOffset + 1, true, nil
 }

@@ -223,7 +244,7 @@ func ParseCopySource(copySourceHeader string) (string, string, string, error) {

 	srcBucket, srcObject, ok := strings.Cut(copySource, "/")
 	if !ok {
-		return "", "", "", s3err.GetAPIError(s3err.ErrInvalidCopySource)
+		return "", "", "", s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket)
 	}

 	return srcBucket, srcObject, versionId, nil
@@ -296,14 +317,60 @@ func ParseObjectTags(tagging string) (map[string]string, error) {
 	return tagSet, nil
 }

-var validTagComponent = regexp.MustCompile(`^[a-zA-Z0-9:/_.\-+ ]+$`)
-
-// isValidTagComponent matches strings which contain letters, decimal digits,
-// and special chars: '/', '_', '-', '+', '.', ' ' (space)
-func isValidTagComponent(str string) bool {
-	if str == "" {
-		return true
+// ParseCreateBucketTags parses and validates the bucket
+// tagging from CreateBucket input
+func ParseCreateBucketTags(tagging []types.Tag) (map[string]string, error) {
+	if len(tagging) == 0 {
+		return nil, nil
 	}
+
+	tagset := make(map[string]string, len(tagging))
+
+	if len(tagging) > 50 {
+		return nil, s3err.GetAPIError(s3err.ErrBucketTaggingLimited)
+	}
+
+	for _, tag := range tagging {
+		// validate tag key length
+		key := GetStringFromPtr(tag.Key)
+		if len(key) == 0 || len(key) > 128 {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidTagKey)
+		}
+
+		// validate tag key string chars
+		if !isValidTagComponent(key) {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidTagKey)
+		}
+
+		// validate tag value length
+		value := GetStringFromPtr(tag.Value)
+		if len(value) > 256 {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidTagValue)
+		}
+
+		// validate tag value string chars
+		if !isValidTagComponent(value) {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidTagValue)
+		}
+
+		// make sure there are no duplicate keys
+		_, ok := tagset[key]
+		if ok {
+			return nil, s3err.GetAPIError(s3err.ErrDuplicateTagKey)
+		}
+
+		tagset[key] = value
+	}
+
+	return tagset, nil
+}
+
+// tag component (key/value) name rule regexp
+// https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_Tag.html
+var validTagComponent = regexp.MustCompile(`^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`)
+
+// isValidTagComponent validates the tag component(key/value) name
+func isValidTagComponent(str string) bool {
 	return validTagComponent.Match([]byte(str))
 }

@@ -403,3 +470,200 @@ func GenerateEtag(h hash.Hash) string {
 func AreEtagsSame(e1, e2 string) bool {
 	return strings.Trim(e1, `"`) == strings.Trim(e2, `"`)
 }
+
+func getBoolPtr(b bool) *bool {
+	return &b
+}
+
+type PreConditions struct {
+	IfMatch       *string
+	IfNoneMatch   *string
+	IfModSince    *time.Time
+	IfUnmodeSince *time.Time
+}
+
+// EvaluatePreconditions takes the object ETag, the last modified time and
+// evaluates the read preconditions:
+// - if-match,
+// - if-none-match
+// - if-modified-since
+// - if-unmodified-since
+// if-match and if-none-match are ETag comparisions
+// if-modified-since and if-unmodified-since are last modifed time comparisons
+func EvaluatePreconditions(etag string, modTime time.Time, preconditions PreConditions) error {
+	if preconditions.IfMatch == nil && preconditions.IfNoneMatch == nil && preconditions.IfModSince == nil && preconditions.IfUnmodeSince == nil {
+		return nil
+	}
+
+	etag = strings.Trim(etag, `"`)
+
+	// convert all conditions to *bool to evaluate the conditions
+	var ifMatch, ifNoneMatch, ifModSince, ifUnmodeSince *bool
+	if preconditions.IfMatch != nil {
+		ifMatch = getBoolPtr(*preconditions.IfMatch == etag)
+	}
+	if preconditions.IfNoneMatch != nil {
+		ifNoneMatch = getBoolPtr(*preconditions.IfNoneMatch != etag)
+	}
+	if preconditions.IfModSince != nil {
+		ifModSince = getBoolPtr(preconditions.IfModSince.UTC().Before(modTime.UTC()))
+	}
+	if preconditions.IfUnmodeSince != nil {
+		ifUnmodeSince = getBoolPtr(preconditions.IfUnmodeSince.UTC().After(modTime.UTC()))
+	}
+
+	if ifMatch != nil {
+		// if `if-match` doesn't matches, return PreconditionFailed
+		if !*ifMatch {
+			return errPreconditionFailed
+		}
+
+		// if-match matches
+		if *ifMatch {
+			if ifNoneMatch != nil {
+				// if `if-none-match` doesn't match return NotModified
+				if !*ifNoneMatch {
+					return errNotModified
+				}
+
+				// if both `if-match` and `if-none-match` match, return no error
+				return nil
+			}
+
+			// if `if-match` matches but `if-modified-since` is false return NotModified
+			if ifModSince != nil && !*ifModSince {
+				return errNotModified
+			}
+
+			// ignore `if-unmodified-since` as `if-match` is true
+			return nil
+		}
+	}
+
+	if ifNoneMatch != nil {
+		if *ifNoneMatch {
+			// if `if-none-match` is true, but `if-unmodified-since` is false
+			// return PreconditionFailed
+			if ifUnmodeSince != nil && !*ifUnmodeSince {
+				return errPreconditionFailed
+			}
+
+			// ignore `if-modified-since` as `if-none-match` is true
+			return nil
+		} else {
+			// if `if-none-match` is false and `if-unmodified-since` is false
+			// return PreconditionFailed
+			if ifUnmodeSince != nil && !*ifUnmodeSince {
+				return errPreconditionFailed
+			}
+
+			// in all other cases when `if-none-match` is false return NotModified
+			return errNotModified
+		}
+	}
+
+	if ifModSince != nil && !*ifModSince {
+		// if both `if-modified-since` and `if-unmodified-since` are false
+		// return PreconditionFailed
+		if ifUnmodeSince != nil && !*ifUnmodeSince {
+			return errPreconditionFailed
+		}
+
+		// if only `if-modified-since` is false, return NotModified
+		return errNotModified
+	}
+
+	// if `if-unmodified-since` is false return PreconditionFailed
+	if ifUnmodeSince != nil && !*ifUnmodeSince {
+		return errPreconditionFailed
+	}
+
+	return nil
+}
+
+// EvaluateMatchPreconditions evaluates if-match and if-none-match preconditions
+func EvaluateMatchPreconditions(etag string, ifMatch, ifNoneMatch *string) error {
+	etag = strings.Trim(etag, `"`)
+	if ifMatch != nil && *ifMatch != etag {
+		return errPreconditionFailed
+	}
+	if ifNoneMatch != nil && *ifNoneMatch == etag {
+		return errPreconditionFailed
+	}
+
+	return nil
+}
+
+// EvaluateObjectPutPreconditions evaluates if-match and if-none-match preconditions
+// for object PUT(PutObject, CompleteMultipartUpload) actions
+func EvaluateObjectPutPreconditions(etag string, ifMatch, ifNoneMatch *string, objExists bool) error {
+	if ifMatch == nil && ifNoneMatch == nil {
+		return nil
+	}
+
+	if ifNoneMatch != nil && *ifNoneMatch != "*" {
+		return s3err.GetAPIError(s3err.ErrNotImplemented)
+	}
+
+	if ifNoneMatch != nil && ifMatch != nil {
+		return s3err.GetAPIError(s3err.ErrNotImplemented)
+	}
+
+	if ifNoneMatch != nil && objExists {
+		return s3err.GetAPIError(s3err.ErrPreconditionFailed)
+	}
+
+	if ifMatch != nil && !objExists {
+		return s3err.GetAPIError(s3err.ErrNoSuchKey)
+	}
+
+	etag = strings.Trim(etag, `"`)
+
+	if ifMatch != nil && *ifMatch != etag {
+		return s3err.GetAPIError(s3err.ErrPreconditionFailed)
+	}
+
+	return nil
+}
+
+type ObjectDeletePreconditions struct {
+	IfMatch            *string
+	IfMatchLastModTime *time.Time
+	IfMatchSize        *int64
+}
+
+// EvaluateObjectDeletePreconditions evaluates preconditions for DeleteObject
+func EvaluateObjectDeletePreconditions(etag string, modTime time.Time, size int64, preconditions ObjectDeletePreconditions) error {
+	ifMatch := preconditions.IfMatch
+	if ifMatch != nil && *ifMatch != etag {
+		return errPreconditionFailed
+	}
+
+	ifMatchTime := preconditions.IfMatchLastModTime
+	if ifMatchTime != nil && ifMatchTime.Unix() != modTime.Unix() {
+		return errPreconditionFailed
+	}
+
+	ifMatchSize := preconditions.IfMatchSize
+	if ifMatchSize != nil && *ifMatchSize != size {
+		return errPreconditionFailed
+	}
+
+	return nil
+}
+
+// IsValidDirectoryName returns true if the string is a valid name
+// for a directory
+func IsValidDirectoryName(name string) bool {
+	// directories may not contain a path separator
+	if strings.ContainsRune(name, '/') {
+		return false
+	}
+
+	// directories may not contain null character
+	if strings.ContainsRune(name, 0) {
+		return false
+	}
+
+	return true
+}
--- a/backend/meta/sidecar.go
+++ b/backend/meta/sidecar.go
@@ -17,6 +17,7 @@ package meta
 import (
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 )
@@ -98,6 +99,8 @@ func (s SideCar) DeleteAttribute(bucket, object, attribute string) error {
 		return fmt.Errorf("failed to remove attribute: %v", err)
 	}

+	s.cleanupEmptyDirs(metadir, bucket, object)
+
 	return nil
 }

@@ -135,5 +138,60 @@ func (s SideCar) DeleteAttributes(bucket, object string) error {
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return fmt.Errorf("failed to remove attributes: %v", err)
 	}
+	s.cleanupEmptyDirs(metadir, bucket, object)
 	return nil
 }
+
+func (s SideCar) cleanupEmptyDirs(metadir, bucket, object string) {
+	removeIfEmpty(metadir)
+	if bucket == "" {
+		return
+	}
+	bucketDir := filepath.Join(s.dir, bucket)
+	if object != "" {
+		removeEmptyParents(filepath.Dir(metadir), bucketDir)
+	}
+	removeIfEmpty(bucketDir)
+}
+
+func removeIfEmpty(dir string) {
+	empty, err := isDirEmpty(dir)
+	if err != nil || !empty {
+		return
+	}
+	_ = os.Remove(dir)
+}
+
+func removeEmptyParents(dir, stopDir string) {
+	for {
+		if dir == stopDir || dir == "." || dir == string(filepath.Separator) {
+			return
+		}
+		empty, err := isDirEmpty(dir)
+		if err != nil || !empty {
+			return
+		}
+		err = os.Remove(dir)
+		if err != nil {
+			return
+		}
+		dir = filepath.Dir(dir)
+	}
+}
+
+func isDirEmpty(dir string) (bool, error) {
+	f, err := os.Open(dir)
+	if err != nil {
+		return false, err
+	}
+	defer f.Close()
+
+	ents, err := f.Readdirnames(1)
+	if err == io.EOF {
+		return true, nil
+	}
+	if err != nil {
+		return false, err
+	}
+	return len(ents) == 0, nil
+}
--- a/backend/meta/xattr.go
+++ b/backend/meta/xattr.go
@@ -26,10 +26,6 @@ import (
 	"github.com/versity/versitygw/s3err"
 )

-const (
-	xattrPrefix = "user."
-)
-
 var (
 	// ErrNoSuchKey is returned when the key does not exist.
 	ErrNoSuchKey = errors.New("no such key")
--- a/backend/meta/xattr_freebsd.go
+++ b/backend/meta/xattr_freebsd.go
@@ -1,4 +1,4 @@
-// Copyright 2023 Versity Software
+// Copyright 2026 Versity Software
 // This file is licensed under the Apache License, Version 2.0
 // (the "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
@@ -12,14 +12,8 @@
 // specific language governing permissions and limitations
 // under the License.

-package scoutfs
+//go:build freebsd

-type stat struct {
-	Meta_seq       uint64
-	Data_seq       uint64
-	Data_version   uint64
-	Online_blocks  uint64
-	Offline_blocks uint64
-	Crtime_sec     uint64
-	Crtime_nsec    uint32
-}
+package meta
+
+const xattrPrefix = ""
--- a/backend/meta/xattr_other.go
+++ b/backend/meta/xattr_other.go
@@ -0,0 +1,19 @@
+// Copyright 2026 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !freebsd
+
+package meta
+
+const xattrPrefix = "user."
--- a/backend/posix/posix.go
+++ b/backend/posix/posix.go
--- a/backend/posix/with_otmpfile.go
+++ b/backend/posix/with_otmpfile.go
@@ -26,6 +26,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"syscall"
+	"time"

 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
@@ -165,14 +166,10 @@ func (tmp *tmpfile) link() error {
 	// of last upload completed wins and is not some combination of writes
 	// from simultaneous uploads.
 	objPath := filepath.Join(tmp.bucket, tmp.objname)
-	err := os.Remove(objPath)
-	if err != nil && !errors.Is(err, fs.ErrNotExist) {
-		return fmt.Errorf("remove stale path: %w", err)
-	}

 	dir := filepath.Dir(objPath)

-	err = backend.MkdirAll(dir, tmp.uid, tmp.gid, tmp.needsChown, tmp.newDirPerm)
+	err := backend.MkdirAll(dir, tmp.uid, tmp.gid, tmp.needsChown, tmp.newDirPerm)
 	if err != nil {
 		return fmt.Errorf("make parent dir: %w", err)
 	}
@@ -194,21 +191,33 @@ func (tmp *tmpfile) link() error {
 	}
 	defer dirf.Close()

-	for {
-		err = unix.Linkat(int(procdir.Fd()), filepath.Base(tmp.f.Name()),
-			int(dirf.Fd()), filepath.Base(objPath), unix.AT_SYMLINK_FOLLOW)
-		if errors.Is(err, syscall.EEXIST) {
-			err := os.Remove(objPath)
-			if err != nil && !errors.Is(err, fs.ErrNotExist) {
-				return fmt.Errorf("remove stale path: %w", err)
+	err = unix.Linkat(int(procdir.Fd()), filepath.Base(tmp.f.Name()),
+		int(dirf.Fd()), filepath.Base(objPath), unix.AT_SYMLINK_FOLLOW)
+	if errors.Is(err, syscall.EEXIST) {
+		// Linkat cannot overwrite files; we will allocate a temporary file, Linkat to it and then Renameat it
+		// to avoid potential race condition
+		retries := 1
+		for {
+			tmpName := fmt.Sprintf(".%s.sgwtmp.%d", filepath.Base(objPath), time.Now().UnixNano())
+			err := unix.Linkat(int(procdir.Fd()), filepath.Base(tmp.f.Name()),
+				int(dirf.Fd()), tmpName, unix.AT_SYMLINK_FOLLOW)
+			if errors.Is(err, syscall.EEXIST) && retries < 3 {
+				retries += 1
+				continue
 			}
-			continue
+			if err != nil {
+				return fmt.Errorf("cannot find free temporary file: %w", err)
+			}
+
+			err = unix.Renameat(int(dirf.Fd()), tmpName, int(dirf.Fd()), filepath.Base(objPath))
+			if err != nil {
+				return fmt.Errorf("overwriting renameat failed: %w", err)
+			}
+			break
 		}
-		if err != nil {
-			return fmt.Errorf("link tmpfile (fd %q as %q): %w",
-				filepath.Base(tmp.f.Name()), objPath, err)
-		}
-		break
+	} else if err != nil {
+		return fmt.Errorf("link tmpfile (fd %q as %q): %w",
+			filepath.Base(tmp.f.Name()), objPath, err)
 	}

 	err = tmp.f.Close()
--- a/backend/s3proxy/client.go
+++ b/backend/s3proxy/client.go
@@ -37,6 +37,10 @@ func (s *S3Proxy) getClientWithCtx(ctx context.Context) (*s3.Client, error) {
 		return s3.NewFromConfig(cfg, func(o *s3.Options) {
 			o.BaseEndpoint = &s.endpoint
 			o.UsePathStyle = s.usePathStyle
+			// The http body stream is not seekable, so most operations cannot
+			// be retried. The error returned to the original client may be
+			// retried by the client.
+			o.Retryer = aws.NopRetryer{}
 		}), nil
 	}

--- a/backend/s3proxy/s3.go
+++ b/backend/s3proxy/s3.go
@@ -17,17 +17,12 @@ package s3proxy
 import (
 	"bytes"
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
-	"net/http"
 	"strconv"
 	"time"

-	"github.com/aws/aws-sdk-go-v2/aws"
 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
 	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
@@ -44,6 +39,7 @@ type metaPrefix string
 const (
 	metaPrefixAcl    metaPrefix = "vgw-meta-acl-"
 	metaPrefixPolicy metaPrefix = "vgw-meta-policy-"
+	metaPrefixCors   metaPrefix = "vgw-meta-cors-"
 )

 type S3Proxy struct {
@@ -122,7 +118,7 @@ func (s *S3Proxy) ListBuckets(ctx context.Context, input s3response.ListBucketsI
 			continue
 		}

-		data, err := s.getMetaBucketObjData(ctx, *b.Name, metaPrefixAcl)
+		data, err := s.getMetaBucketObjData(ctx, *b.Name, metaPrefixAcl, false)
 		if err != nil {
 			return s3response.ListAllMyBucketsResult{}, handleError(err)
 		}
@@ -186,7 +182,7 @@ func (s *S3Proxy) CreateBucket(ctx context.Context, input *s3.CreateBucketInput,
 	}

 	if s.metaBucket != "" {
-		data, err := s.getMetaBucketObjData(ctx, *input.Bucket, metaPrefixAcl)
+		data, err := s.getMetaBucketObjData(ctx, *input.Bucket, metaPrefixAcl, true)
 		if err == nil {
 			acl, err := auth.ParseACL(data)
 			if err != nil {
@@ -289,11 +285,14 @@ func (s *S3Proxy) GetBucketVersioning(ctx context.Context, bucket string) (s3res
 	out, err := s.client.GetBucketVersioning(ctx, &s3.GetBucketVersioningInput{
 		Bucket: &bucket,
 	})
+	if err != nil {
+		return s3response.GetBucketVersioningOutput{}, handleError(err)
+	}

 	return s3response.GetBucketVersioningOutput{
 		Status:    &out.Status,
 		MFADelete: &out.MFADelete,
-	}, handleError(err)
+	}, nil
 }

 func (s *S3Proxy) ListObjectVersions(ctx context.Context, input *s3.ListObjectVersionsInput) (s3response.ListVersionsResult, error) {
@@ -380,7 +379,7 @@ func (s *S3Proxy) CreateMultipartUpload(ctx context.Context, input s3response.Cr
 	if input.ExpectedBucketOwner != nil && *input.ExpectedBucketOwner == "" {
 		input.ExpectedBucketOwner = nil
 	}
-	if input.ObjectLockRetainUntilDate != nil && *input.ObjectLockRetainUntilDate == defTime {
+	if input.ObjectLockRetainUntilDate != nil && (*input.ObjectLockRetainUntilDate).Equal(defTime) {
 		input.ObjectLockRetainUntilDate = nil
 	}
 	if input.SSECustomerAlgorithm != nil && *input.SSECustomerAlgorithm == "" {
@@ -530,7 +529,7 @@ func (s *S3Proxy) AbortMultipartUpload(ctx context.Context, input *s3.AbortMulti
 	if input.ExpectedBucketOwner != nil && *input.ExpectedBucketOwner == "" {
 		input.ExpectedBucketOwner = nil
 	}
-	if input.IfMatchInitiatedTime != nil && *input.IfMatchInitiatedTime == defTime {
+	if input.IfMatchInitiatedTime != nil && (*input.IfMatchInitiatedTime).Equal(defTime) {
 		input.IfMatchInitiatedTime = nil
 	}
 	_, err := s.client.AbortMultipartUpload(ctx, input)
@@ -735,13 +734,13 @@ func (s *S3Proxy) UploadPartCopy(ctx context.Context, input *s3.UploadPartCopyIn
 	if input.CopySourceIfMatch != nil && *input.CopySourceIfMatch == "" {
 		input.CopySourceIfMatch = nil
 	}
-	if input.CopySourceIfModifiedSince != nil && *input.CopySourceIfModifiedSince == defTime {
+	if input.CopySourceIfModifiedSince != nil && (*input.CopySourceIfModifiedSince).Equal(defTime) {
 		input.CopySourceIfModifiedSince = nil
 	}
 	if input.CopySourceIfNoneMatch != nil && *input.CopySourceIfNoneMatch == "" {
 		input.CopySourceIfNoneMatch = nil
 	}
-	if input.CopySourceIfUnmodifiedSince != nil && *input.CopySourceIfUnmodifiedSince == defTime {
+	if input.CopySourceIfUnmodifiedSince != nil && (*input.CopySourceIfUnmodifiedSince).Equal(defTime) {
 		input.CopySourceIfUnmodifiedSince = nil
 	}
 	if input.CopySourceRange != nil && *input.CopySourceRange == "" {
@@ -942,6 +941,7 @@ func (s *S3Proxy) PutObject(ctx context.Context, input s3response.PutObjectInput
 		ChecksumCRC64NVME: output.ChecksumCRC64NVME,
 		ChecksumSHA1:      output.ChecksumSHA1,
 		ChecksumSHA256:    output.ChecksumSHA256,
+		Size:              output.Size,
 	}, nil
 }

@@ -955,13 +955,13 @@ func (s *S3Proxy) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s
 	if input.IfMatch != nil && *input.IfMatch == "" {
 		input.IfMatch = nil
 	}
-	if input.IfModifiedSince != nil && *input.IfModifiedSince == defTime {
+	if input.IfModifiedSince != nil && (*input.IfModifiedSince).Equal(defTime) {
 		input.IfModifiedSince = nil
 	}
 	if input.IfNoneMatch != nil && *input.IfNoneMatch == "" {
 		input.IfNoneMatch = nil
 	}
-	if input.IfUnmodifiedSince != nil && *input.IfUnmodifiedSince == defTime {
+	if input.IfUnmodifiedSince != nil && (*input.IfUnmodifiedSince).Equal(defTime) {
 		input.IfUnmodifiedSince = nil
 	}
 	if input.PartNumber != nil && *input.PartNumber == 0 {
@@ -985,7 +985,7 @@ func (s *S3Proxy) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s
 	if input.ResponseContentType != nil && *input.ResponseContentType == "" {
 		input.ResponseContentType = nil
 	}
-	if input.ResponseExpires != nil && *input.ResponseExpires == defTime {
+	if input.ResponseExpires != nil && (*input.ResponseExpires).Equal(defTime) {
 		input.ResponseExpires = nil
 	}
 	if input.SSECustomerAlgorithm != nil && *input.SSECustomerAlgorithm == "" {
@@ -1015,13 +1015,13 @@ func (s *S3Proxy) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.
 	if input.IfMatch != nil && *input.IfMatch == "" {
 		input.IfMatch = nil
 	}
-	if input.IfModifiedSince != nil && *input.IfModifiedSince == defTime {
+	if input.IfModifiedSince != nil && (*input.IfModifiedSince).Equal(defTime) {
 		input.IfModifiedSince = nil
 	}
 	if input.IfNoneMatch != nil && *input.IfNoneMatch == "" {
 		input.IfNoneMatch = nil
 	}
-	if input.IfUnmodifiedSince != nil && *input.IfUnmodifiedSince == defTime {
+	if input.IfUnmodifiedSince != nil && (*input.IfUnmodifiedSince).Equal(defTime) {
 		input.IfUnmodifiedSince = nil
 	}
 	if input.PartNumber != nil && *input.PartNumber == 0 {
@@ -1045,7 +1045,7 @@ func (s *S3Proxy) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.
 	if input.ResponseContentType != nil && *input.ResponseContentType == "" {
 		input.ResponseContentType = nil
 	}
-	if input.ResponseExpires != nil && *input.ResponseExpires == defTime {
+	if input.ResponseExpires != nil && (*input.ResponseExpires).Equal(defTime) {
 		input.ResponseExpires = nil
 	}
 	if input.SSECustomerAlgorithm != nil && *input.SSECustomerAlgorithm == "" {
@@ -1096,6 +1096,9 @@ func (s *S3Proxy) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAt
 	}

 	out, err := s.client.GetObjectAttributes(ctx, input)
+	if err != nil {
+		return s3response.GetObjectAttributesResponse{}, handleError(err)
+	}

 	parts := s3response.ObjectParts{}
 	objParts := out.ObjectParts
@@ -1128,7 +1131,7 @@ func (s *S3Proxy) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAt
 		StorageClass: out.StorageClass,
 		ObjectParts:  &parts,
 		Checksum:     out.Checksum,
-	}, handleError(err)
+	}, nil
 }

 func (s *S3Proxy) CopyObject(ctx context.Context, input s3response.CopyObjectInput) (s3response.CopyObjectOutput, error) {
@@ -1153,13 +1156,13 @@ func (s *S3Proxy) CopyObject(ctx context.Context, input s3response.CopyObjectInp
 	if input.CopySourceIfMatch != nil && *input.CopySourceIfMatch == "" {
 		input.CopySourceIfMatch = nil
 	}
-	if input.CopySourceIfModifiedSince != nil && *input.CopySourceIfModifiedSince == defTime {
+	if input.CopySourceIfModifiedSince != nil && (*input.CopySourceIfModifiedSince).Equal(defTime) {
 		input.CopySourceIfModifiedSince = nil
 	}
 	if input.CopySourceIfNoneMatch != nil && *input.CopySourceIfNoneMatch == "" {
 		input.CopySourceIfNoneMatch = nil
 	}
-	if input.CopySourceIfUnmodifiedSince != nil && *input.CopySourceIfUnmodifiedSince == defTime {
+	if input.CopySourceIfUnmodifiedSince != nil && (*input.CopySourceIfUnmodifiedSince).Equal(defTime) {
 		input.CopySourceIfUnmodifiedSince = nil
 	}
 	if input.CopySourceSSECustomerAlgorithm != nil && *input.CopySourceSSECustomerAlgorithm == "" {
@@ -1192,7 +1195,7 @@ func (s *S3Proxy) CopyObject(ctx context.Context, input s3response.CopyObjectInp
 	if input.GrantWriteACP != nil && *input.GrantWriteACP == "" {
 		input.GrantWriteACP = nil
 	}
-	if input.ObjectLockRetainUntilDate != nil && *input.ObjectLockRetainUntilDate == defTime {
+	if input.ObjectLockRetainUntilDate != nil && (*input.ObjectLockRetainUntilDate).Equal(defTime) {
 		input.ObjectLockRetainUntilDate = nil
 	}
 	if input.SSECustomerAlgorithm != nil && *input.SSECustomerAlgorithm == "" {
@@ -1392,7 +1395,7 @@ func (s *S3Proxy) DeleteObject(ctx context.Context, input *s3.DeleteObjectInput)
 	if input.IfMatch != nil && *input.IfMatch == "" {
 		input.IfMatch = nil
 	}
-	if input.IfMatchLastModifiedTime != nil && *input.IfMatchLastModifiedTime == defTime {
+	if input.IfMatchLastModifiedTime != nil && (*input.IfMatchLastModifiedTime).Equal(defTime) {
 		input.IfMatchLastModifiedTime = nil
 	}
 	if input.IfMatchSize != nil && *input.IfMatchSize == 0 {
@@ -1436,7 +1439,7 @@ func (s *S3Proxy) DeleteObjects(ctx context.Context, input *s3.DeleteObjectsInpu
 }

 func (s *S3Proxy) GetBucketAcl(ctx context.Context, input *s3.GetBucketAclInput) ([]byte, error) {
-	data, err := s.getMetaBucketObjData(ctx, *input.Bucket, metaPrefixAcl)
+	data, err := s.getMetaBucketObjData(ctx, *input.Bucket, metaPrefixAcl, false)
 	if err != nil {
 		return nil, handleError(err)
 	}
@@ -1448,7 +1451,7 @@ func (s *S3Proxy) PutBucketAcl(ctx context.Context, bucket string, data []byte)
 	return handleError(s.putMetaBucketObj(ctx, bucket, data, metaPrefixAcl))
 }

-func (s *S3Proxy) PutObjectTagging(ctx context.Context, bucket, object string, tags map[string]string) error {
+func (s *S3Proxy) PutObjectTagging(ctx context.Context, bucket, object, versionId string, tags map[string]string) error {
 	if bucket == s.metaBucket {
 		return s3err.GetAPIError(s3err.ErrAccessDenied)
 	}
@@ -1463,20 +1466,22 @@ func (s *S3Proxy) PutObjectTagging(ctx context.Context, bucket, object string, t
 	}

 	_, err := s.client.PutObjectTagging(ctx, &s3.PutObjectTaggingInput{
-		Bucket:  &bucket,
-		Key:     &object,
-		Tagging: tagging,
+		Bucket:    &bucket,
+		Key:       &object,
+		VersionId: &versionId,
+		Tagging:   tagging,
 	})
 	return handleError(err)
 }

-func (s *S3Proxy) GetObjectTagging(ctx context.Context, bucket, object string) (map[string]string, error) {
+func (s *S3Proxy) GetObjectTagging(ctx context.Context, bucket, object, versionId string) (map[string]string, error) {
 	if bucket == s.metaBucket {
 		return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
 	}
 	output, err := s.client.GetObjectTagging(ctx, &s3.GetObjectTaggingInput{
-		Bucket: &bucket,
-		Key:    &object,
+		Bucket:    &bucket,
+		Key:       &object,
+		VersionId: &versionId,
 	})
 	if err != nil {
 		return nil, handleError(err)
@@ -1490,23 +1495,50 @@ func (s *S3Proxy) GetObjectTagging(ctx context.Context, bucket, object string) (
 	return tags, nil
 }

-func (s *S3Proxy) DeleteObjectTagging(ctx context.Context, bucket, object string) error {
+func (s *S3Proxy) DeleteObjectTagging(ctx context.Context, bucket, object, versionId string) error {
 	if bucket == s.metaBucket {
 		return s3err.GetAPIError(s3err.ErrAccessDenied)
 	}
 	_, err := s.client.DeleteObjectTagging(ctx, &s3.DeleteObjectTaggingInput{
-		Bucket: &bucket,
-		Key:    &object,
+		Bucket:    &bucket,
+		Key:       &object,
+		VersionId: &versionId,
 	})
 	return handleError(err)
 }

+func (s *S3Proxy) PutBucketCors(ctx context.Context, bucket string, cors []byte) error {
+	return handleError(s.putMetaBucketObj(ctx, bucket, cors, metaPrefixCors))
+}
+
+func (s *S3Proxy) GetBucketCors(ctx context.Context, bucket string) ([]byte, error) {
+	data, err := s.getMetaBucketObjData(ctx, bucket, metaPrefixCors, false)
+	if err != nil {
+		return nil, handleError(err)
+	}
+
+	return data, nil
+}
+
+func (s *S3Proxy) DeleteBucketCors(ctx context.Context, bucket string) error {
+	key := getMetaKey(bucket, metaPrefixCors)
+	_, err := s.client.DeleteObject(ctx, &s3.DeleteObjectInput{
+		Bucket: &s.metaBucket,
+		Key:    &key,
+	})
+	if err != nil && !areErrSame(err, s3err.GetAPIError(s3err.ErrNoSuchKey)) {
+		return handleError(err)
+	}
+
+	return nil
+}
+
 func (s *S3Proxy) PutBucketPolicy(ctx context.Context, bucket string, policy []byte) error {
 	return handleError(s.putMetaBucketObj(ctx, bucket, policy, metaPrefixPolicy))
 }

 func (s *S3Proxy) GetBucketPolicy(ctx context.Context, bucket string) ([]byte, error) {
-	data, err := s.getMetaBucketObjData(ctx, bucket, metaPrefixPolicy)
+	data, err := s.getMetaBucketObjData(ctx, bucket, metaPrefixPolicy, false)
 	if err != nil {
 		return nil, handleError(err)
 	}
@@ -1535,7 +1567,7 @@ func (s *S3Proxy) GetObjectLockConfiguration(ctx context.Context, bucket string)
 	return nil, s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound)
 }

-func (s *S3Proxy) PutObjectRetention(ctx context.Context, bucket, object, versionId string, bypass bool, retention []byte) error {
+func (s *S3Proxy) PutObjectRetention(ctx context.Context, bucket, object, versionId string, retention []byte) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }

@@ -1552,82 +1584,39 @@ func (s *S3Proxy) GetObjectLegalHold(ctx context.Context, bucket, object, versio
 	return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
 }

-func (s *S3Proxy) ChangeBucketOwner(ctx context.Context, bucket string, acl []byte) error {
-	acll, err := auth.ParseACL(acl)
-	if err != nil {
-		return err
-	}
-
-	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%v/change-bucket-owner/?bucket=%v&owner=%v", s.endpoint, bucket, acll.Owner), nil)
-	if err != nil {
-		return fmt.Errorf("failed to send the request: %w", err)
-	}
-
-	signer := v4.NewSigner()
-
-	hashedPayload := sha256.Sum256([]byte{})
-	hexPayload := hex.EncodeToString(hashedPayload[:])
-
-	req.Header.Set("X-Amz-Content-Sha256", hexPayload)
-
-	signErr := signer.SignHTTP(req.Context(), aws.Credentials{AccessKeyID: s.access, SecretAccessKey: s.secret}, req, hexPayload, "s3", s.awsRegion, time.Now())
-	if signErr != nil {
-		return fmt.Errorf("failed to sign the request: %w", err)
-	}
-
-	client := http.Client{}
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return fmt.Errorf("failed to send the request: %w", err)
-	}
-
-	if resp.StatusCode > 300 {
-		body, err := io.ReadAll(resp.Body)
-		if err != nil {
-			return err
-		}
-		defer resp.Body.Close()
-		return fmt.Errorf("%v", string(body))
-	}
-
-	return nil
+func (s *S3Proxy) ChangeBucketOwner(ctx context.Context, bucket, owner string) error {
+	return auth.UpdateBucketACLOwner(ctx, s, bucket, owner)
 }

 func (s *S3Proxy) ListBucketsAndOwners(ctx context.Context) ([]s3response.Bucket, error) {
-	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%v/list-buckets", s.endpoint), nil)
-	if err != nil {
-		return []s3response.Bucket{}, fmt.Errorf("failed to send the request: %w", err)
-	}
-
-	signer := v4.NewSigner()
-
-	hashedPayload := sha256.Sum256([]byte{})
-	hexPayload := hex.EncodeToString(hashedPayload[:])
-
-	req.Header.Set("X-Amz-Content-Sha256", hexPayload)
-
-	signErr := signer.SignHTTP(req.Context(), aws.Credentials{AccessKeyID: s.access, SecretAccessKey: s.secret}, req, hexPayload, "s3", s.awsRegion, time.Now())
-	if signErr != nil {
-		return []s3response.Bucket{}, fmt.Errorf("failed to sign the request: %w", err)
-	}
-
-	client := http.Client{}
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return []s3response.Bucket{}, fmt.Errorf("failed to send the request: %w", err)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return []s3response.Bucket{}, err
-	}
-	defer resp.Body.Close()
-
 	var buckets []s3response.Bucket
-	if err := json.Unmarshal(body, &buckets); err != nil {
-		return []s3response.Bucket{}, err
+
+	paginator := s3.NewListBucketsPaginator(s.client, &s3.ListBucketsInput{})
+
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			return nil, handleError(err)
+		}
+		for _, bucket := range page.Buckets {
+			if *bucket.Name == s.metaBucket {
+				continue
+			}
+			aclJSON, err := s.getMetaBucketObjData(ctx, *bucket.Name, metaPrefixAcl, false)
+			if err != nil {
+				return nil, handleError(err)
+			}
+
+			acl, err := auth.ParseACL(aclJSON)
+			if err != nil {
+				return buckets, fmt.Errorf("parse acl tag: %w", err)
+			}
+
+			buckets = append(buckets, s3response.Bucket{
+				Name:  *bucket.Name,
+				Owner: acl.Owner,
+			})
+		}
 	}

 	return buckets, nil
@@ -1656,15 +1645,13 @@ func (s *S3Proxy) putMetaBucketObj(ctx context.Context, bucket string, data []by
 	return err
 }

-func (s *S3Proxy) getMetaBucketObjData(ctx context.Context, bucket string, prefix metaPrefix) ([]byte, error) {
+// set checkExists to true if using to check for existence of bucket, in
+// this case it will not return default acl/policy if the metadata does
+// not exist
+func (s *S3Proxy) getMetaBucketObjData(ctx context.Context, bucket string, prefix metaPrefix, checkExists bool) ([]byte, error) {
 	// return default bahviour of get bucket policy/acl, if meta bucket is not provided
 	if s.metaBucket == "" {
-		switch prefix {
-		case metaPrefixAcl:
-			return []byte{}, nil
-		case metaPrefixPolicy:
-			return nil, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)
-		}
+		return handleMetaBucketObjectNotFoundErr(prefix)
 	}

 	key := getMetaKey(bucket, prefix)
@@ -1674,13 +1661,11 @@ func (s *S3Proxy) getMetaBucketObjData(ctx context.Context, bucket string, prefi
 		Key:    &key,
 	})
 	if areErrSame(err, s3err.GetAPIError(s3err.ErrNoSuchKey)) {
-		switch prefix {
-		case metaPrefixAcl:
-			// If bucket acl is not found, return default acl
-			return []byte{}, nil
-		case metaPrefixPolicy:
-			return nil, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)
+		if checkExists {
+			return nil, err
 		}
+
+		return handleMetaBucketObjectNotFoundErr(prefix)
 	}
 	if err != nil {
 		return nil, err
@@ -1694,6 +1679,23 @@ func (s *S3Proxy) getMetaBucketObjData(ctx context.Context, bucket string, prefi
 	return data, nil
 }

+// handles the case when an object with the given metprefix
+// is not found in meta bucket. Aggregates the not found errors
+// for each meta prefix
+func handleMetaBucketObjectNotFoundErr(prefix metaPrefix) ([]byte, error) {
+	switch prefix {
+	case metaPrefixAcl:
+		// If bucket acl is not found, return default acl
+		return []byte{}, nil
+	case metaPrefixPolicy:
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)
+	case metaPrefixCors:
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration)
+	}
+
+	return []byte{}, nil
+}
+
 // Checks if the provided err is a type of smithy.APIError
 // and if the error code and message match with the provided apiErr
 func areErrSame(err error, apiErr s3err.APIError) bool {
--- a/backend/scoutfs/scoutfs.go
+++ b/backend/scoutfs/scoutfs.go
--- a/backend/scoutfs/scoutfs_compat.go
+++ b/backend/scoutfs/scoutfs_compat.go
@@ -17,32 +17,70 @@
 package scoutfs

 import (
+	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io/fs"
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"

-	"golang.org/x/sys/unix"
-
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/pkg/xattr"
 	"github.com/versity/scoutfs-go"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
 	"github.com/versity/versitygw/backend/meta"
 	"github.com/versity/versitygw/backend/posix"
+	"github.com/versity/versitygw/debuglogger"
 	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
 )

+type ScoutFS struct {
+	*posix.Posix
+	rootfd  *os.File
+	rootdir string
+
+	// glaciermode enables the following behavior:
+	// GET object:  if file offline, return invalid object state
+	// HEAD object: if file offline, set obj storage class to GLACIER
+	//              if file offline and staging, x-amz-restore: ongoing-request="true"
+	//              if file offline and not staging, x-amz-restore: ongoing-request="false"
+	//              if file online, x-amz-restore: ongoing-request="false", expiry-date="Fri, 2 Dec 2050 00:00:00 GMT"
+	//              note: this expiry-date is not used but provided for client glacier compatibility
+	// ListObjects: if file offline, set obj storage class to GLACIER
+	// RestoreObject: add batch stage request to file
+	glaciermode bool
+
+	// disableNoArchive is used to disable setting scoutam noarchive flag
+	// on multipart parts. This is enabled by default to prevent archive
+	// copies of temporary multipart parts.
+	disableNoArchive bool
+
+	// enable posix level bucket name validations, not needed if the
+	// frontend handlers are already validating bucket names
+	validateBucketName bool
+
+	// projectIDEnabled enables setting projectid of new buckets and objects
+	// to the account project id when non-0
+	projectIDEnabled bool
+}
+
 func New(rootdir string, opts ScoutfsOpts) (*ScoutFS, error) {
 	metastore := meta.XattrMeta{}

 	p, err := posix.New(rootdir, metastore, posix.PosixOpts{
-		ChownUID:    opts.ChownUID,
-		ChownGID:    opts.ChownGID,
-		BucketLinks: opts.BucketLinks,
-		NewDirPerm:  opts.NewDirPerm,
+		ChownUID:            opts.ChownUID,
+		ChownGID:            opts.ChownGID,
+		BucketLinks:         opts.BucketLinks,
+		NewDirPerm:          opts.NewDirPerm,
+		VersioningDir:       opts.VersioningDir,
+		ValidateBucketNames: opts.ValidateBucketNames,
 	})
 	if err != nil {
 		return nil, err
@@ -53,168 +91,491 @@ func New(rootdir string, opts ScoutfsOpts) (*ScoutFS, error) {
 		return nil, fmt.Errorf("open %v: %w", rootdir, err)
 	}

+	setProjectID := opts.SetProjectID
+	if opts.SetProjectID {
+		setProjectID = fGetFormatVersion(f).AtLeast(versionScoutFsV2)
+		if !setProjectID {
+			fmt.Println("WARNING:")
+			fmt.Println("Disabling ProjectIDs for unsupported FS format version")
+			fmt.Println("See documentation for format version upgrades")
+		}
+	}
+
 	return &ScoutFS{
 		Posix:            p,
 		rootfd:           f,
 		rootdir:          rootdir,
-		meta:             metastore,
-		chownuid:         opts.ChownUID,
-		chowngid:         opts.ChownGID,
 		glaciermode:      opts.GlacierMode,
-		newDirPerm:       opts.NewDirPerm,
 		disableNoArchive: opts.DisableNoArchive,
+		projectIDEnabled: setProjectID,
 	}, nil
 }

-const procfddir = "/proc/self/fd"
-
-type tmpfile struct {
-	f          *os.File
-	bucket     string
-	objname    string
-	size       int64
-	needsChown bool
-	uid        int
-	gid        int
-	newDirPerm fs.FileMode
-}
-
-var (
-	defaultFilePerm uint32 = 0644
+const (
+	stageComplete      = "ongoing-request=\"false\", expiry-date=\"Fri, 2 Dec 2050 00:00:00 GMT\""
+	stageInProgress    = "true"
+	stageNotInProgress = "false"
 )

-func (s *ScoutFS) openTmpFile(dir, bucket, obj string, size int64, acct auth.Account) (*tmpfile, error) {
-	uid, gid, doChown := s.getChownIDs(acct)
+const (
+	// ScoutFS special xattr types
+	systemPrefix = "scoutfs.hide."
+	flagskey     = systemPrefix + "sam_flags"
+)

-	// O_TMPFILE allows for a file handle to an unnamed file in the filesystem.
-	// This can help reduce contention within the namespace (parent directories),
-	// etc. And will auto cleanup the inode on close if we never link this
-	// file descriptor into the namespace.
-	fd, err := unix.Open(dir, unix.O_RDWR|unix.O_TMPFILE|unix.O_CLOEXEC, defaultFilePerm)
-	if err != nil {
-		if errors.Is(err, syscall.EROFS) {
-			return nil, s3err.GetAPIError(s3err.ErrMethodNotAllowed)
-		}
-		return nil, err
-	}
+const (
+	// ScoutAM Flags

-	// for O_TMPFILE, filename is /proc/self/fd/<fd> to be used
-	// later to link file into namespace
-	f := os.NewFile(uintptr(fd), filepath.Join(procfddir, strconv.Itoa(fd)))
+	// Staging - file requested stage
+	Staging uint64 = 1 << iota
+	// StageFail - all copies failed to stage
+	StageFail
+	// NoArchive - no archive copies of file should be made
+	NoArchive
+	// ExtCacheRequested means file policy requests Ext Cache
+	ExtCacheRequested
+	// ExtCacheDone means this file ext cache copy has been
+	// created already (and possibly pruned, so may not exist)
+	ExtCacheDone
+)

-	tmp := &tmpfile{
-		f:          f,
-		bucket:     bucket,
-		objname:    obj,
-		size:       size,
-		needsChown: doChown,
-		uid:        uid,
-		gid:        gid,
-		newDirPerm: s.newDirPerm,
-	}
-
-	if doChown {
-		err := f.Chown(uid, gid)
-		if err != nil {
-			return nil, fmt.Errorf("set temp file ownership: %w", err)
-		}
-	}
-
-	return tmp, nil
+func (s *ScoutFS) Shutdown() {
+	s.Posix.Shutdown()
+	s.rootfd.Close()
 }

-func (tmp *tmpfile) link() error {
-	// We use Linkat/Rename as the atomic operation for object puts. The
-	// upload is written to a temp (or unnamed/O_TMPFILE) file to not conflict
-	// with any other simultaneous uploads. The final operation is to move the
-	// temp file into place for the object. This ensures the object semantics
-	// of last upload completed wins and is not some combination of writes
-	// from simultaneous uploads.
-	objPath := filepath.Join(tmp.bucket, tmp.objname)
-	err := os.Remove(objPath)
-	if err != nil && !errors.Is(err, fs.ErrNotExist) {
-		return fmt.Errorf("remove stale path: %w", err)
-	}
+func (*ScoutFS) String() string {
+	return "ScoutFS Gateway"
+}

-	dir := filepath.Dir(objPath)
-
-	err = backend.MkdirAll(dir, tmp.uid, tmp.gid, tmp.needsChown, tmp.newDirPerm)
+func (s *ScoutFS) CreateBucket(ctx context.Context, input *s3.CreateBucketInput, acl []byte) error {
+	err := s.Posix.CreateBucket(ctx, input, acl)
 	if err != nil {
-		return fmt.Errorf("make parent dir: %w", err)
+		return err
 	}

-	procdir, err := os.Open(procfddir)
-	if err != nil {
-		return fmt.Errorf("open proc dir: %w", err)
-	}
-	defer procdir.Close()
-
-	dirf, err := os.Open(dir)
-	if err != nil {
-		return fmt.Errorf("open parent dir: %w", err)
-	}
-	defer dirf.Close()
-
-	for {
-		err = unix.Linkat(int(procdir.Fd()), filepath.Base(tmp.f.Name()),
-			int(dirf.Fd()), filepath.Base(objPath), unix.AT_SYMLINK_FOLLOW)
-		if errors.Is(err, fs.ErrExist) {
-			err := os.Remove(objPath)
-			if err != nil && !errors.Is(err, fs.ErrNotExist) {
-				return fmt.Errorf("remove stale path: %w", err)
-			}
-			continue
+	if s.projectIDEnabled {
+		acct, ok := ctx.Value("account").(auth.Account)
+		if !ok {
+			acct = auth.Account{}
 		}
+
+		if !isValidProjectID(acct.ProjectID) {
+			// early return to avoid the open if we dont have a valid
+			// project id
+			return nil
+		}
+
+		f, err := os.Open(*input.Bucket)
 		if err != nil {
-			return fmt.Errorf("link tmpfile: %w", err)
+			debuglogger.InernalError(fmt.Errorf("create bucket %q set project id - open: %v",
+				*input.Bucket, err))
+			return nil
 		}
-		break
-	}

-	err = tmp.f.Close()
-	if err != nil {
-		return fmt.Errorf("close tmpfile: %w", err)
+		err = s.setProjectID(f, acct.ProjectID)
+		f.Close()
+		if err != nil {
+			debuglogger.InernalError(fmt.Errorf("create bucket %q set project id: %v",
+				*input.Bucket, err))
+		}
 	}

 	return nil
 }

-func (tmp *tmpfile) Write(b []byte) (int, error) {
-	if int64(len(b)) > tmp.size {
-		return 0, fmt.Errorf("write exceeds content length %v", tmp.size)
-	}
-
-	n, err := tmp.f.Write(b)
-	tmp.size -= int64(n)
-	return n, err
-}
-
-func (tmp *tmpfile) cleanup() {
-	tmp.f.Close()
-}
-
-func (tmp *tmpfile) File() *os.File {
-	return tmp.f
-}
-
-func moveData(from *os.File, to *os.File) error {
-	return scoutfs.MoveData(from, to)
-}
-
-func statMore(path string) (stat, error) {
-	st, err := scoutfs.StatMore(path)
+func (s *ScoutFS) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.HeadObjectOutput, error) {
+	res, err := s.Posix.HeadObject(ctx, input)
 	if err != nil {
-		return stat{}, err
+		return nil, err
 	}
-	var s stat

-	s.Meta_seq = st.Meta_seq
-	s.Data_seq = st.Data_seq
-	s.Data_version = st.Data_version
-	s.Online_blocks = st.Online_blocks
-	s.Offline_blocks = st.Offline_blocks
-	s.Crtime_sec = st.Crtime_sec
-	s.Crtime_nsec = st.Crtime_nsec
+	if s.glaciermode {
+		objPath := filepath.Join(*input.Bucket, *input.Key)

-	return s, nil
+		stclass := types.StorageClassStandard
+		requestOngoing := ""
+
+		requestOngoing = stageComplete
+
+		// Check if there are any offline exents associated with this file.
+		// If so, we will set storage class to glacier.
+		st, err := scoutfs.StatMore(objPath)
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("stat more: %w", err)
+		}
+		if st.Offline_blocks != 0 {
+			stclass = types.StorageClassGlacier
+			requestOngoing = stageNotInProgress
+
+			ok, err := isStaging(objPath)
+			if errors.Is(err, fs.ErrNotExist) {
+				return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+			}
+			if err != nil {
+				return nil, fmt.Errorf("check stage status: %w", err)
+			}
+			if ok {
+				requestOngoing = stageInProgress
+			}
+		}
+
+		res.Restore = &requestOngoing
+		res.StorageClass = stclass
+	}
+
+	return res, nil
+}
+
+func (s *ScoutFS) PutObject(ctx context.Context, po s3response.PutObjectInput) (s3response.PutObjectOutput, error) {
+	acct, ok := ctx.Value("account").(auth.Account)
+	if !ok {
+		acct = auth.Account{}
+	}
+
+	return s.Posix.PutObjectWithPostFunc(ctx, po, func(f *os.File) error {
+		err := s.setProjectID(f, acct.ProjectID)
+		if err != nil {
+			debuglogger.InernalError(fmt.Errorf("put object %v/%v set project id: %v",
+				filepath.Join(*po.Bucket, *po.Key), acct.ProjectID, err))
+		}
+
+		return nil
+	})
+}
+
+func (s *ScoutFS) UploadPart(ctx context.Context, input *s3.UploadPartInput) (*s3.UploadPartOutput, error) {
+	acct, ok := ctx.Value("account").(auth.Account)
+	if !ok {
+		acct = auth.Account{}
+	}
+
+	return s.Posix.UploadPartWithPostFunc(ctx, input,
+		func(f *os.File) error {
+			if !s.disableNoArchive {
+				err := setNoArchive(f)
+				if err != nil {
+					return fmt.Errorf("set noarchive: %w", err)
+				}
+			}
+
+			err := s.setProjectID(f, acct.ProjectID)
+			if err != nil {
+				return fmt.Errorf("set project id %v: %w", acct.ProjectID, err)
+			}
+
+			return nil
+		})
+}
+
+// CompleteMultipartUpload scoutfs complete upload uses scoutfs move blocks
+// ioctl to not have to read and copy the part data to the final object. This
+// saves a read and write cycle for all mutlipart uploads.
+func (s *ScoutFS) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error) {
+	acct, ok := ctx.Value("account").(auth.Account)
+	if !ok {
+		acct = auth.Account{}
+	}
+
+	return s.Posix.CompleteMultipartUploadWithCopy(ctx, input,
+		func(from *os.File, to *os.File) error {
+			// May fail if the files are not 4K aligned; check for alignment
+			ffi, err := from.Stat()
+			if err != nil {
+				return fmt.Errorf("complete-mpu stat from: %w", err)
+			}
+			tfi, err := to.Stat()
+			if err != nil {
+				return fmt.Errorf("complete-mpu stat to: %w", err)
+			}
+			if ffi.Size()%4096 != 0 || tfi.Size()%4096 != 0 {
+				return os.ErrInvalid
+			}
+
+			err = s.setProjectID(to, acct.ProjectID)
+			if err != nil {
+				debuglogger.InernalError(fmt.Errorf("complete-mpu %q/%q set project id %v: %v",
+					*input.Bucket, *input.Key, acct.ProjectID, err))
+			}
+
+			err = scoutfs.MoveData(from, to)
+			if err != nil {
+				return fmt.Errorf("complete-mpu movedata: %w", err)
+			}
+
+			return nil
+		})
+}
+
+func (s *ScoutFS) isBucketValid(bucket string) bool {
+	if !s.validateBucketName {
+		return true
+	}
+
+	return backend.IsValidDirectoryName(bucket)
+}
+
+func (s *ScoutFS) GetObject(ctx context.Context, input *s3.GetObjectInput) (*s3.GetObjectOutput, error) {
+	bucket := *input.Bucket
+	object := *input.Key
+
+	if !s.isBucketValid(bucket) {
+		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
+	}
+
+	_, err := os.Stat(bucket)
+	if errors.Is(err, fs.ErrNotExist) {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchBucket)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("stat bucket: %w", err)
+	}
+
+	objPath := filepath.Join(bucket, object)
+
+	fi, err := os.Stat(objPath)
+	if errors.Is(err, fs.ErrNotExist) || errors.Is(err, syscall.ENOTDIR) {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+	}
+	if errors.Is(err, syscall.ENAMETOOLONG) {
+		return nil, s3err.GetAPIError(s3err.ErrKeyTooLong)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("stat object: %w", err)
+	}
+
+	if strings.HasSuffix(object, "/") && !fi.IsDir() {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+	}
+
+	if s.glaciermode {
+		// Check if there are any offline exents associated with this file.
+		// If so, we will return the InvalidObjectState error.
+		st, err := scoutfs.StatMore(objPath)
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("stat more: %w", err)
+		}
+		if st.Offline_blocks != 0 {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidObjectState)
+		}
+	}
+
+	return s.Posix.GetObject(ctx, input)
+}
+
+func (s *ScoutFS) ListObjects(ctx context.Context, input *s3.ListObjectsInput) (s3response.ListObjectsResult, error) {
+	if s.glaciermode {
+		return s.Posix.ListObjectsParametrized(ctx, input, s.glacierFileToObj)
+	} else {
+		return s.Posix.ListObjects(ctx, input)
+	}
+}
+
+func (s *ScoutFS) ListObjectsV2(ctx context.Context, input *s3.ListObjectsV2Input) (s3response.ListObjectsV2Result, error) {
+	if s.glaciermode {
+		return s.Posix.ListObjectsV2Parametrized(ctx, input, s.glacierFileToObj)
+	} else {
+		return s.Posix.ListObjectsV2(ctx, input)
+	}
+}
+
+// FileToObj function for ListObject calls that adds a Glacier storage class if the file is offline
+func (s *ScoutFS) glacierFileToObj(bucket string, fetchOwner bool) backend.GetObjFunc {
+	posixFileToObj := s.Posix.FileToObj(bucket, fetchOwner)
+
+	return func(path string, d fs.DirEntry) (s3response.Object, error) {
+		res, err := posixFileToObj(path, d)
+		if err != nil || d.IsDir() {
+			return res, err
+		}
+		objPath := filepath.Join(bucket, path)
+		// Check if there are any offline exents associated with this file.
+		// If so, we will return the Glacier storage class
+		st, err := scoutfs.StatMore(objPath)
+		if errors.Is(err, fs.ErrNotExist) {
+			return s3response.Object{}, backend.ErrSkipObj
+		}
+		if err != nil {
+			return s3response.Object{}, fmt.Errorf("stat more: %w", err)
+		}
+		if st.Offline_blocks != 0 {
+			res.StorageClass = types.ObjectStorageClassGlacier
+		}
+		return res, nil
+	}
+}
+
+// RestoreObject will set stage request on file if offline and do nothing if
+// file is online
+func (s *ScoutFS) RestoreObject(_ context.Context, input *s3.RestoreObjectInput) error {
+	bucket := *input.Bucket
+	object := *input.Key
+
+	if !s.isBucketValid(bucket) {
+		return s3err.GetAPIError(s3err.ErrInvalidBucketName)
+	}
+
+	_, err := os.Stat(bucket)
+	if errors.Is(err, fs.ErrNotExist) {
+		return s3err.GetAPIError(s3err.ErrNoSuchBucket)
+	}
+	if err != nil {
+		return fmt.Errorf("stat bucket: %w", err)
+	}
+
+	err = setStaging(filepath.Join(bucket, object))
+	if errors.Is(err, fs.ErrNotExist) {
+		return s3err.GetAPIError(s3err.ErrNoSuchKey)
+	}
+	if err != nil {
+		return fmt.Errorf("stage object: %w", err)
+	}
+
+	return nil
+}
+
+func isStaging(objname string) (bool, error) {
+	b, err := xattr.Get(objname, flagskey)
+	if err != nil && !isNoAttr(err) {
+		return false, err
+	}
+
+	var flags uint64
+	if !isNoAttr(err) {
+		err = json.Unmarshal(b, &flags)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	return flags&Staging == Staging, nil
+}
+
+func setFlag(objname string, flag uint64) error {
+	f, err := os.Open(objname)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	return fsetFlag(f, flag)
+}
+
+func fsetFlag(f *os.File, flag uint64) error {
+	b, err := xattr.FGet(f, flagskey)
+	if err != nil && !isNoAttr(err) {
+		return err
+	}
+
+	var oldflags uint64
+	if !isNoAttr(err) {
+		err = json.Unmarshal(b, &oldflags)
+		if err != nil {
+			return err
+		}
+	}
+
+	newflags := oldflags | flag
+
+	if newflags == oldflags {
+		// no flags change, just return
+		return nil
+	}
+
+	b, err = json.Marshal(&newflags)
+	if err != nil {
+		return err
+	}
+
+	return xattr.FSet(f, flagskey, b)
+}
+
+func setStaging(objname string) error {
+	return setFlag(objname, Staging)
+}
+
+func setNoArchive(f *os.File) error {
+	return fsetFlag(f, NoArchive)
+}
+
+func isNoAttr(err error) bool {
+	xerr, ok := err.(*xattr.Error)
+	if ok && xerr.Err == xattr.ENOATTR {
+		return true
+	}
+	return false
+}
+
+func (s *ScoutFS) setProjectID(f *os.File, proj int) error {
+	if s.projectIDEnabled && isValidProjectID(proj) {
+		err := scoutfs.SetProjectID(f, uint64(proj))
+		if err != nil {
+			return fmt.Errorf("set project id: %w", err)
+		}
+	}
+	return nil
+}
+
+func isValidProjectID(proj int) bool {
+	return proj > 0
+}
+
+const (
+	sysscoutfs    = "/sys/fs/scoutfs/"
+	formatversion = "format_version"
+)
+
+// GetFormatVersion returns ScoutFS version reported by sysfs
+func fGetFormatVersion(f *os.File) scoutFsVersion {
+	fsid, err := scoutfs.GetIDs(f)
+	if err != nil {
+		return versionScoutFsNotScoutFS
+	}
+
+	path := filepath.Join(sysscoutfs, fsid.ShortID, formatversion)
+	buf, err := os.ReadFile(path)
+	if err != nil {
+		return versionScoutFsUnknown
+	}
+
+	str := strings.TrimSpace(string(buf))
+	vers, err := strconv.Atoi(str)
+	if err != nil {
+		return versionScoutFsUnknown
+	}
+
+	return scoutFsVersion(vers)
+}
+
+const (
+	// versionScoutFsUnknown is unknown version
+	versionScoutFsUnknown scoutFsVersion = iota
+	// versionScoutFsV1 is version 1
+	versionScoutFsV1
+	// versionScoutFsV2 is version 2
+	versionScoutFsV2
+	// versionScoutFsMin is minimum scoutfs version
+	versionScoutFsMin = versionScoutFsV1
+	// versionScoutFsMax is maximum scoutfs version
+	versionScoutFsMax = versionScoutFsV2
+	// versionScoutFsNotScoutFS means the target FS is not scoutfs
+	versionScoutFsNotScoutFS = versionScoutFsMax + 1
+)
+
+// scoutFsVersion version
+type scoutFsVersion int
+
+// AtLeast returns true if version is valid and at least b
+func (a scoutFsVersion) AtLeast(b scoutFsVersion) bool {
+	return a.IsValid() && a >= b
+}
+
+func (a scoutFsVersion) IsValid() bool {
+	return a >= versionScoutFsMin && a <= versionScoutFsMax
 }
--- a/backend/scoutfs/scoutfs_incompat.go
+++ b/backend/scoutfs/scoutfs_incompat.go
@@ -17,51 +17,15 @@
 package scoutfs

 import (
-	"errors"
 	"fmt"
-	"os"

-	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/backend"
 )

+type ScoutFS struct {
+	backend.BackendUnsupported
+}
+
 func New(rootdir string, opts ScoutfsOpts) (*ScoutFS, error) {
 	return nil, fmt.Errorf("scoutfs only available on linux")
 }
-
-type tmpfile struct{}
-
-var (
-	errNotSupported = errors.New("not supported")
-)
-
-func (s *ScoutFS) openTmpFile(_, _, _ string, _ int64, _ auth.Account) (*tmpfile, error) {
-	// make these look used for static check
-	_ = s.chownuid
-	_ = s.chowngid
-	_ = s.euid
-	_ = s.egid
-	return nil, errNotSupported
-}
-
-func (tmp *tmpfile) link() error {
-	return errNotSupported
-}
-
-func (tmp *tmpfile) Write(b []byte) (int, error) {
-	return 0, errNotSupported
-}
-
-func (tmp *tmpfile) cleanup() {
-}
-
-func (tmp *tmpfile) File() *os.File {
-	return nil
-}
-
-func moveData(_, _ *os.File) error {
-	return errNotSupported
-}
-
-func statMore(_ string) (stat, error) {
-	return stat{}, errNotSupported
-}
--- a/backend/walk.go
+++ b/backend/walk.go
--- a/backend/walk_test.go
+++ b/backend/walk_test.go
@@ -112,6 +112,22 @@ func TestWalk(t *testing.T) {
 						}},
 					},
 				},
+				{
+					name:      "max objs",
+					delimiter: "/",
+					prefix:    "photos/2006/February/",
+					maxObjs:   2,
+					expected: backend.WalkResults{
+						Objects: []s3response.Object{
+							{
+								Key: backend.GetPtrFromString("photos/2006/February/sample2.jpg"),
+							},
+							{
+								Key: backend.GetPtrFromString("photos/2006/February/sample3.jpg"),
+							},
+						},
+					},
+				},
 			},
 		},
 		{
@@ -226,7 +242,7 @@ func TestWalk(t *testing.T) {
 				tt.fsys, tc.prefix, tc.delimiter, tc.marker, tc.maxObjs,
 				tt.getobj, []string{})
 			if err != nil {
-				t.Errorf("tc.name: walk: %v", err)
+				t.Errorf("%v: walk: %v", tc.name, err)
 			}

 			compareResults(tc.name, res, tc.expected, t)
@@ -376,3 +392,702 @@ func TestWalkStop(t *testing.T) {
 		t.Fatalf("unexpected error: %v", err)
 	}
 }
+
+// TestOrderWalk tests the lexicographic ordering of the object names
+// for the case where readdir sort order of a directory is different
+// than the lexicographic ordering of the full paths. The below has
+// a readdir sort order for dir1/:
+// a, a.b
+// but if you consider the character that comes after a is "/", then
+// the "." should come before "/" in the lexicographic ordering:
+// a.b/, a/
+func TestOrderWalk(t *testing.T) {
+	tests := []walkTest{
+		{
+			fsys: fstest.MapFS{
+				"dir1/a/file1":   {},
+				"dir1/a/file2":   {},
+				"dir1/a/file3":   {},
+				"dir1/a.b/file1": {},
+				"dir1/a.b/file2": {},
+			},
+			getobj: getObj,
+			cases: []testcase{
+				{
+					name:    "order test",
+					maxObjs: 1000,
+					prefix:  "dir1/",
+					expected: backend.WalkResults{
+						Objects: []s3response.Object{
+							{Key: backend.GetPtrFromString("dir1/")},
+							{Key: backend.GetPtrFromString("dir1/a.b/")},
+							{Key: backend.GetPtrFromString("dir1/a.b/file1")},
+							{Key: backend.GetPtrFromString("dir1/a.b/file2")},
+							{Key: backend.GetPtrFromString("dir1/a/")},
+							{Key: backend.GetPtrFromString("dir1/a/file1")},
+							{Key: backend.GetPtrFromString("dir1/a/file2")},
+							{Key: backend.GetPtrFromString("dir1/a/file3")},
+						},
+					},
+				},
+			},
+		},
+		{
+			fsys: fstest.MapFS{
+				"dir|1/a/file1":   {},
+				"dir|1/a/file2":   {},
+				"dir|1/a/file3":   {},
+				"dir|1/a.b/file1": {},
+				"dir|1/a.b/file2": {},
+			},
+			getobj: getObj,
+			cases: []testcase{
+				{
+					name:      "order test delim",
+					maxObjs:   1000,
+					delimiter: "|",
+					prefix:    "dir|",
+					expected: backend.WalkResults{
+						Objects: []s3response.Object{
+							{
+								Key: backend.GetPtrFromString("dir|1/a.b/file1"),
+							},
+							{
+								Key: backend.GetPtrFromString("dir|1/a.b/file2"),
+							},
+							{
+								Key: backend.GetPtrFromString("dir|1/a/file1"),
+							},
+							{
+								Key: backend.GetPtrFromString("dir|1/a/file2"),
+							},
+							{
+								Key: backend.GetPtrFromString("dir|1/a/file3"),
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			fsys: fstest.MapFS{
+				"a": &fstest.MapFile{Mode: fs.ModeDir},
+			},
+			getobj: getObj,
+			cases: []testcase{
+				{
+					name:      "single dir obj",
+					maxObjs:   1000,
+					delimiter: "/",
+					prefix:    "a",
+					expected: backend.WalkResults{
+						CommonPrefixes: []types.CommonPrefix{
+							{
+								Prefix: backend.GetPtrFromString("a/"),
+							},
+						},
+					},
+				},
+				{
+					name:      "single dir obj",
+					maxObjs:   1000,
+					delimiter: "/",
+					prefix:    "a/",
+					expected: backend.WalkResults{
+						Objects: []s3response.Object{
+							{
+								Key: backend.GetPtrFromString("a/"),
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		for _, tc := range tt.cases {
+			res, err := backend.Walk(context.Background(),
+				tt.fsys, tc.prefix, tc.delimiter, tc.marker, tc.maxObjs,
+				tt.getobj, []string{})
+			if err != nil {
+				t.Errorf("%v: walk: %v", tc.name, err)
+			}
+
+			compareResultsOrdered(tc.name, res, tc.expected, t)
+		}
+	}
+}
+
+type markerTest struct {
+	fsys   fs.FS
+	getobj backend.GetObjFunc
+	cases  []markertestcase
+}
+
+type markertestcase struct {
+	name      string
+	prefix    string
+	delimiter string
+	marker    string
+	maxObjs   int32
+	expected  []backend.WalkResults
+}
+
+func TestMarker(t *testing.T) {
+	tests := []markerTest{
+		{
+			fsys: fstest.MapFS{
+				"dir/sample2.jpg": {},
+				"dir/sample3.jpg": {},
+				"dir/sample4.jpg": {},
+				"dir/sample5.jpg": {},
+			},
+			getobj: getObj,
+			cases: []markertestcase{
+				{
+					name:      "multi page marker",
+					delimiter: "/",
+					prefix:    "dir/",
+					maxObjs:   2,
+					expected: []backend.WalkResults{
+						{
+							Objects: []s3response.Object{
+								{
+									Key: backend.GetPtrFromString("dir/sample2.jpg"),
+								},
+								{
+									Key: backend.GetPtrFromString("dir/sample3.jpg"),
+								},
+							},
+							Truncated: true,
+						},
+						{
+							Objects: []s3response.Object{
+								{
+									Key: backend.GetPtrFromString("dir/sample4.jpg"),
+								},
+								{
+									Key: backend.GetPtrFromString("dir/sample5.jpg"),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			fsys: fstest.MapFS{
+				"dir1/subdir/file.txt": {},
+				"dir1/subdir.ext":      {},
+				"dir1/subdir1.ext":     {},
+				"dir1/subdir2.ext":     {},
+			},
+			getobj: getObj,
+			cases: []markertestcase{
+				{
+					name:      "integration test case 1",
+					maxObjs:   2,
+					delimiter: "/",
+					prefix:    "dir1/",
+					expected: []backend.WalkResults{
+						{
+							Objects: []s3response.Object{
+								{
+									Key: backend.GetPtrFromString("dir1/subdir.ext"),
+								},
+							},
+							CommonPrefixes: []types.CommonPrefix{
+								{
+									Prefix: backend.GetPtrFromString("dir1/subdir/"),
+								},
+							},
+							Truncated: true,
+						},
+						{
+							Objects: []s3response.Object{
+								{
+									Key: backend.GetPtrFromString("dir1/subdir1.ext"),
+								},
+								{
+									Key: backend.GetPtrFromString("dir1/subdir2.ext"),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			fsys: fstest.MapFS{
+				"asdf":          {},
+				"boo/bar":       {},
+				"boo/baz/xyzzy": {},
+				"cquux/thud":    {},
+				"cquux/bla":     {},
+			},
+			getobj: getObj,
+			cases: []markertestcase{
+				{
+					name:      "integration test case2",
+					maxObjs:   1,
+					delimiter: "/",
+					marker:    "boo/",
+					expected: []backend.WalkResults{
+						{
+							Objects: []s3response.Object{},
+							CommonPrefixes: []types.CommonPrefix{
+								{
+									Prefix: backend.GetPtrFromString("cquux/"),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			fsys: fstest.MapFS{
+				"bar": {},
+				"baz": {},
+				"foo": {},
+			},
+			getobj: getObj,
+			cases: []markertestcase{
+				{
+					name:    "exact limit count",
+					maxObjs: 3,
+					expected: []backend.WalkResults{
+						{
+							Objects: []s3response.Object{
+								{
+									Key: backend.GetPtrFromString("bar"),
+								},
+								{
+									Key: backend.GetPtrFromString("baz"),
+								},
+								{
+									Key: backend.GetPtrFromString("foo"),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			fsys: fstest.MapFS{
+				"d1/f1": {},
+				"d2/f2": {},
+				"d3/f3": {},
+				"d4/f4": {},
+			},
+			getobj: getObj,
+			cases: []markertestcase{
+				{
+					name:      "limited common prefix",
+					maxObjs:   3,
+					delimiter: "/",
+					expected: []backend.WalkResults{
+						{
+							CommonPrefixes: []types.CommonPrefix{
+								{
+									Prefix: backend.GetPtrFromString("d1/"),
+								},
+								{
+									Prefix: backend.GetPtrFromString("d2/"),
+								},
+								{
+									Prefix: backend.GetPtrFromString("d3/"),
+								},
+							},
+							Truncated: true,
+						},
+						{
+							CommonPrefixes: []types.CommonPrefix{
+								{
+									Prefix: backend.GetPtrFromString("d4/"),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		for _, tc := range tt.cases {
+			marker := tc.marker
+			for i, page := range tc.expected {
+				res, err := backend.Walk(context.Background(),
+					tt.fsys, tc.prefix, tc.delimiter, marker, tc.maxObjs,
+					tt.getobj, []string{})
+				if err != nil {
+					t.Errorf("%v: walk: %v", tc.name, err)
+				}
+				marker = res.NextMarker
+
+				compareResultsOrdered(tc.name, res, page, t)
+
+				if res.Truncated != page.Truncated {
+					t.Errorf("%v page %v expected truncated %v, got %v",
+						tc.name, i, page.Truncated, res.Truncated)
+				}
+			}
+		}
+	}
+}
+
+func compareResultsOrdered(name string, got, wanted backend.WalkResults, t *testing.T) {
+	if !compareObjectsOrdered(got.Objects, wanted.Objects) {
+		t.Errorf("%v: unexpected object, got %v wanted %v",
+			name,
+			printObjects(got.Objects),
+			printObjects(wanted.Objects))
+	}
+	if !comparePrefixesOrdered(got.CommonPrefixes, wanted.CommonPrefixes) {
+		t.Errorf("%v: unexpected prefix, got %v wanted %v",
+			name,
+			printCommonPrefixes(got.CommonPrefixes),
+			printCommonPrefixes(wanted.CommonPrefixes))
+	}
+}
+
+func compareObjectsOrdered(a, b []s3response.Object) bool {
+	if len(a) == 0 && len(b) == 0 {
+		return true
+	}
+	if len(a) != len(b) {
+		return false
+	}
+
+	for i, obj := range a {
+		if *obj.Key != *b[i].Key {
+			return false
+		}
+	}
+	return true
+}
+
+func comparePrefixesOrdered(a, b []types.CommonPrefix) bool {
+	if len(a) == 0 && len(b) == 0 {
+		return true
+	}
+	if len(a) != len(b) {
+		return false
+	}
+
+	for i, cp := range a {
+		if *cp.Prefix != *b[i].Prefix {
+			return false
+		}
+	}
+	return true
+}
+
+// ---- Versioning Tests ----
+
+// getVersionsTestFunc is a simple GetVersionsFunc implementation for tests that
+// returns a single latest version for each file or directory encountered.
+// Directories are reported with a trailing delimiter in the key to match the
+// behavior of the non-versioned Walk tests where directory objects are listed.
+func getVersionsTestFunc(path, versionIdMarker string, pastVersionIdMarker *bool, availableObjCount int, d fs.DirEntry) (*backend.ObjVersionFuncResult, error) {
+	// If we have no available slots left, signal truncation (should be rare in these tests)
+	if availableObjCount <= 0 {
+		return &backend.ObjVersionFuncResult{Truncated: true, NextVersionIdMarker: ""}, nil
+	}
+
+	key := path
+	if d.IsDir() {
+		key = key + "/"
+	}
+	ver := "v1"
+	latest := true
+	ov := s3response.ObjectVersion{Key: &key, VersionId: &ver, IsLatest: &latest}
+	return &backend.ObjVersionFuncResult{ObjectVersions: []s3response.ObjectVersion{ov}}, nil
+}
+
+// TestWalkVersions mirrors TestWalk but exercises WalkVersions and validates
+// common prefixes and object versions for typical delimiter/prefix scenarios.
+func TestWalkVersions(t *testing.T) {
+	fsys := fstest.MapFS{
+		"dir1/a/file1": {},
+		"dir1/a/file2": {},
+		"dir1/b/file3": {},
+		"rootfile":     {},
+	}
+
+	// Without a delimiter, every directory and file becomes an object version
+	// via the test GetVersionsFunc (directories have trailing '/').
+	expected := backend.WalkVersioningResults{
+		ObjectVersions: []s3response.ObjectVersion{
+			{Key: backend.GetPtrFromString("dir1/")},
+			{Key: backend.GetPtrFromString("dir1/a/")},
+			{Key: backend.GetPtrFromString("dir1/a/file1")},
+			{Key: backend.GetPtrFromString("dir1/a/file2")},
+			{Key: backend.GetPtrFromString("dir1/b/")},
+			{Key: backend.GetPtrFromString("dir1/b/file3")},
+			{Key: backend.GetPtrFromString("rootfile")},
+		},
+	}
+
+	res, err := backend.WalkVersions(context.Background(), fsys, "", "", "", "", 1000, getVersionsTestFunc, []string{})
+	if err != nil {
+		t.Fatalf("walk versions: %v", err)
+	}
+	compareVersionResultsOrdered("simple versions no delimiter", res, expected, t)
+}
+
+// TestOrderWalkVersions mirrors TestOrderWalk, exercising ordering semantics for
+// version listings (lexicographic ordering of directory and file version keys).
+func TestOrderWalkVersions(t *testing.T) {
+	fsys := fstest.MapFS{
+		"dir1/a/file1":   {},
+		"dir1/a/file2":   {},
+		"dir1/a/file3":   {},
+		"dir1/a.b/file1": {},
+		"dir1/a.b/file2": {},
+	}
+
+	// Expect lexicographic ordering similar to non-version walk when no delimiter.
+	expected := backend.WalkVersioningResults{
+		ObjectVersions: []s3response.ObjectVersion{
+			{Key: backend.GetPtrFromString("dir1/")},
+			{Key: backend.GetPtrFromString("dir1/a.b/")},
+			{Key: backend.GetPtrFromString("dir1/a.b/file1")},
+			{Key: backend.GetPtrFromString("dir1/a.b/file2")},
+			{Key: backend.GetPtrFromString("dir1/a/")},
+			{Key: backend.GetPtrFromString("dir1/a/file1")},
+			{Key: backend.GetPtrFromString("dir1/a/file2")},
+			{Key: backend.GetPtrFromString("dir1/a/file3")},
+		},
+	}
+
+	res, err := backend.WalkVersions(context.Background(), fsys, "dir1/", "", "", "", 1000, getVersionsTestFunc, []string{})
+	if err != nil {
+		t.Fatalf("order walk versions: %v", err)
+	}
+	compareVersionResultsOrdered("order versions no delimiter", res, expected, t)
+}
+
+// compareVersionResults compares unordered sets of common prefixes and object versions
+// compareVersionResultsOrdered compares ordered slices
+func compareVersionResultsOrdered(name string, got, wanted backend.WalkVersioningResults, t *testing.T) {
+	if !compareObjectVersionsOrdered(got.ObjectVersions, wanted.ObjectVersions) {
+		t.Errorf("%v: unexpected object versions, got %v wanted %v", name, printVersionObjects(got.ObjectVersions), printVersionObjects(wanted.ObjectVersions))
+	}
+	if !comparePrefixesOrdered(got.CommonPrefixes, wanted.CommonPrefixes) {
+		t.Errorf("%v: unexpected prefix, got %v wanted %v", name, printCommonPrefixes(got.CommonPrefixes), printCommonPrefixes(wanted.CommonPrefixes))
+	}
+}
+
+func compareObjectVersionsOrdered(a, b []s3response.ObjectVersion) bool {
+	if len(a) == 0 && len(b) == 0 {
+		return true
+	}
+	if len(a) != len(b) {
+		return false
+	}
+	for i, ov := range a {
+		if ov.Key == nil || b[i].Key == nil {
+			return false
+		}
+		if *ov.Key != *b[i].Key {
+			return false
+		}
+	}
+	return true
+}
+
+func printVersionObjects(list []s3response.ObjectVersion) string {
+	res := "["
+	for _, ov := range list {
+		var key string
+		if ov.Key == nil {
+			key = "<nil>"
+		} else {
+			key = *ov.Key
+		}
+		if res == "[" {
+			res = res + key
+		} else {
+			res = res + ", " + key
+		}
+	}
+	return res + "]"
+}
+
+// multiVersionGetVersionsFunc is a more sophisticated test function that simulates
+// multiple versions per object, similar to the integration test behavior.
+// It creates multiple versions for each file with deterministic version IDs.
+func createMultiVersionFunc(files map[string]int) backend.GetVersionsFunc {
+	// Pre-generate all versions for deterministic testing
+	versionedFiles := make(map[string][]s3response.ObjectVersion)
+
+	for path, versionCount := range files {
+		versions := make([]s3response.ObjectVersion, versionCount)
+		for i := range versionCount {
+			versionId := fmt.Sprintf("v%d", i+1)
+			isLatest := i == versionCount-1 // Last version is latest
+			key := path
+
+			versions[i] = s3response.ObjectVersion{
+				Key:       &key,
+				VersionId: &versionId,
+				IsLatest:  &isLatest,
+			}
+		}
+		// Reverse slice so latest comes first (reverse chronological order)
+		for i, j := 0, len(versions)-1; i < j; i, j = i+1, j-1 {
+			versions[i], versions[j] = versions[j], versions[i]
+		}
+		versionedFiles[path] = versions
+	}
+
+	return func(path, versionIdMarker string, pastVersionIdMarker *bool, availableObjCount int, d fs.DirEntry) (*backend.ObjVersionFuncResult, error) {
+		if availableObjCount <= 0 {
+			return &backend.ObjVersionFuncResult{Truncated: true}, nil
+		}
+
+		// Handle directories - just return a single directory version
+		if d.IsDir() {
+			key := path + "/"
+			ver := "v1"
+			latest := true
+			ov := s3response.ObjectVersion{Key: &key, VersionId: &ver, IsLatest: &latest}
+			return &backend.ObjVersionFuncResult{ObjectVersions: []s3response.ObjectVersion{ov}}, nil
+		}
+
+		// Get versions for this file
+		versions, exists := versionedFiles[path]
+		if !exists {
+			// No versions for this file, skip it
+			return &backend.ObjVersionFuncResult{}, backend.ErrSkipObj
+		}
+
+		// Handle version ID marker pagination
+		startIdx := 0
+		if versionIdMarker != "" && !*pastVersionIdMarker {
+			// Find the starting position after the marker
+			for i, version := range versions {
+				if *version.VersionId == versionIdMarker {
+					startIdx = i + 1
+					*pastVersionIdMarker = true
+					break
+				}
+			}
+		}
+
+		// Return available versions up to the limit
+		endIdx := min(startIdx+availableObjCount, len(versions))
+
+		result := &backend.ObjVersionFuncResult{
+			ObjectVersions: versions[startIdx:endIdx],
+		}
+
+		// Check if we need to truncate
+		if endIdx < len(versions) {
+			result.Truncated = true
+			result.NextVersionIdMarker = *versions[endIdx-1].VersionId
+		}
+
+		return result, nil
+	}
+}
+
+// TestWalkVersionsTruncated tests the pagination behavior of WalkVersions
+// when there are multiple versions per object and the result is truncated.
+// This mirrors the integration test ListObjectVersions_multiple_object_versions_truncated.
+func TestWalkVersionsTruncated(t *testing.T) {
+	// Create filesystem with the same files as integration test
+	fsys := fstest.MapFS{
+		"foo": {},
+		"bar": {},
+		"baz": {},
+	}
+
+	// Define version counts per file (matching integration test)
+	versionCounts := map[string]int{
+		"foo": 4, // 4 versions
+		"bar": 3, // 3 versions
+		"baz": 5, // 5 versions
+	}
+
+	getVersionsFunc := createMultiVersionFunc(versionCounts)
+
+	// Test first page with limit of 5 (should be truncated)
+	maxKeys := 5
+	res1, err := backend.WalkVersions(context.Background(), fsys, "", "", "", "", maxKeys, getVersionsFunc, []string{})
+	if err != nil {
+		t.Fatalf("walk versions first page: %v", err)
+	}
+
+	// Verify first page results
+	if !res1.Truncated {
+		t.Error("expected first page to be truncated")
+	}
+
+	if len(res1.ObjectVersions) != maxKeys {
+		t.Errorf("expected %d versions in first page, got %d", maxKeys, len(res1.ObjectVersions))
+	}
+
+	// Expected order: bar (3 versions), baz (2 versions) - lexicographic order
+	expectedFirstPage := []string{"bar", "bar", "bar", "baz", "baz"}
+	if len(res1.ObjectVersions) != len(expectedFirstPage) {
+		t.Fatalf("first page length mismatch: expected %d, got %d", len(expectedFirstPage), len(res1.ObjectVersions))
+	}
+
+	for i, expected := range expectedFirstPage {
+		if res1.ObjectVersions[i].Key == nil || *res1.ObjectVersions[i].Key != expected {
+			t.Errorf("first page[%d]: expected key %s, got %v", i, expected, res1.ObjectVersions[i].Key)
+		}
+	}
+
+	// Verify next markers are set
+	if res1.NextMarker == "" {
+		t.Error("expected NextMarker to be set on truncated result")
+	}
+	if res1.NextVersionIdMarker == "" {
+		t.Error("expected NextVersionIdMarker to be set on truncated result")
+	}
+
+	// Test second page using markers
+	res2, err := backend.WalkVersions(context.Background(), fsys, "", "", res1.NextMarker, res1.NextVersionIdMarker, maxKeys, getVersionsFunc, []string{})
+	if err != nil {
+		t.Fatalf("walk versions second page: %v", err)
+	}
+
+	t.Logf("Second page: ObjectVersions=%d, Truncated=%v, NextMarker=%s, NextVersionIdMarker=%s",
+		len(res2.ObjectVersions), res2.Truncated, res2.NextMarker, res2.NextVersionIdMarker)
+
+	for i, ov := range res2.ObjectVersions {
+		t.Logf("  [%d] Key=%s, VersionId=%s", i, *ov.Key, *ov.VersionId)
+	}
+
+	// Verify second page results
+	// With maxKeys=5, we should have 3 pages total: 5 + 5 + 2 = 12
+
+	// Test third page if needed
+	var res3 backend.WalkVersioningResults
+	if res2.Truncated {
+		res3, err = backend.WalkVersions(context.Background(), fsys, "", "", res2.NextMarker, res2.NextVersionIdMarker, maxKeys, getVersionsFunc, []string{})
+		if err != nil {
+			t.Fatalf("walk versions third page: %v", err)
+		}
+
+		t.Logf("Third page: ObjectVersions=%d, Truncated=%v, NextMarker=%s, NextVersionIdMarker=%s",
+			len(res3.ObjectVersions), res3.Truncated, res3.NextMarker, res3.NextVersionIdMarker)
+
+		for i, ov := range res3.ObjectVersions {
+			t.Logf("  [%d] Key=%s, VersionId=%s", i, *ov.Key, *ov.VersionId)
+		}
+	}
+
+	// Verify total count across all pages
+	totalVersions := len(res1.ObjectVersions) + len(res2.ObjectVersions) + len(res3.ObjectVersions)
+	expectedTotal := versionCounts["foo"] + versionCounts["bar"] + versionCounts["baz"]
+	if totalVersions != expectedTotal {
+		t.Errorf("total versions mismatch: expected %d, got %d", expectedTotal, totalVersions)
+	}
+}
--- a/cmd/versitygw/admin.go
+++ b/cmd/versitygw/admin.go
@@ -19,16 +19,20 @@ import (
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/hex"
+	"encoding/json"
 	"encoding/xml"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
+	"strings"
 	"text/tabwriter"
 	"time"

 	"github.com/aws/aws-sdk-go-v2/aws"
 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/aws/smithy-go"
 	"github.com/urfave/cli/v2"
 	"github.com/versity/versitygw/auth"
@@ -82,6 +86,11 @@ func adminCommand() *cli.Command {
 						Usage:   "groupID for the new user",
 						Aliases: []string{"gi"},
 					},
+					&cli.IntFlag{
+						Name:    "project-id",
+						Usage:   "projectID for the new user",
+						Aliases: []string{"pi"},
+					},
 				},
 			},
 			{
@@ -115,6 +124,11 @@ func adminCommand() *cli.Command {
 						Usage:   "groupID for the new user",
 						Aliases: []string{"gi"},
 					},
+					&cli.IntFlag{
+						Name:    "project-id",
+						Usage:   "projectID for the new user",
+						Aliases: []string{"pi"},
+					},
 				},
 			},
 			{
@@ -159,6 +173,66 @@ func adminCommand() *cli.Command {
 				Usage:  "Lists all the gateway buckets and owners.",
 				Action: listBuckets,
 			},
+			{
+				Name:   "create-bucket",
+				Usage:  "Create a new bucket with owner",
+				Action: createBucket,
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:     "owner",
+						Usage:    "access key id of the bucket owner",
+						Required: true,
+						Aliases:  []string{"o"},
+					},
+					&cli.StringFlag{
+						Name:     "bucket",
+						Usage:    "bucket name",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:  "acl",
+						Usage: "canned ACL to apply to the bucket",
+					},
+					&cli.StringFlag{
+						Name:  "grant-full-control",
+						Usage: "Allows grantee the read, write, read ACP, and write ACP permissions on the bucket.",
+					},
+					&cli.StringFlag{
+						Name:  "grant-read",
+						Usage: "Allows grantee to list the objects in the bucket.",
+					},
+					&cli.StringFlag{
+						Name:  "grant-read-acp",
+						Usage: "Allows grantee to read the bucket ACL.",
+					},
+					&cli.StringFlag{
+						Name: "grant-write",
+						Usage: `Allows grantee to create new objects in the bucket.
+							For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects.`,
+					},
+					&cli.StringFlag{
+						Name:  "grant-write-acp",
+						Usage: "Allows grantee to write the ACL for the applicable bucket.",
+					},
+					&cli.StringFlag{
+						Name:  "create-bucket-configuration",
+						Usage: "bucket configuration (LocationConstraint, Tags)",
+					},
+					&cli.BoolFlag{
+						Name:  "object-lock-enabled-for-bucket",
+						Usage: "enable object lock for the bucket",
+					},
+					&cli.BoolFlag{
+						Name:  "no-object-lock-enabled-for-bucket",
+						Usage: "disable object lock for the bucket",
+					},
+					&cli.StringFlag{
+						Name:  "object-ownership",
+						Usage: "bucket object ownership setting",
+						Value: "",
+					},
+				},
+			},
 		},
 		Flags: []cli.Flag{
 			// TODO: create a configuration file for this
@@ -167,7 +241,6 @@ func adminCommand() *cli.Command {
 				Usage:       "admin access key id",
 				EnvVars:     []string{"ADMIN_ACCESS_KEY_ID", "ADMIN_ACCESS_KEY"},
 				Aliases:     []string{"a"},
-				Required:    true,
 				Destination: &adminAccess,
 			},
 			&cli.StringFlag{
@@ -175,7 +248,6 @@ func adminCommand() *cli.Command {
 				Usage:       "admin secret access key",
 				EnvVars:     []string{"ADMIN_SECRET_ACCESS_KEY", "ADMIN_SECRET_KEY"},
 				Aliases:     []string{"s"},
-				Required:    true,
 				Destination: &adminSecret,
 			},
 			&cli.StringFlag{
@@ -205,6 +277,32 @@ func adminCommand() *cli.Command {
 	}
 }

+// getAdminCreds returns the effective admin access key ID and secret key.
+// If admin-specific credentials are not provided, it falls back to the
+// root user credentials. Both resulting values must be non-empty;
+// otherwise, an error is returned.
+func getAdminCreds() (string, string, error) {
+	access := adminAccess
+	secret := adminSecret
+
+	// Fallbacks to root user credentials
+	if access == "" {
+		access = rootUserAccess
+	}
+	if secret == "" {
+		secret = rootUserSecret
+	}
+
+	if access == "" {
+		return "", "", errors.New("subcommand admin access key id is not set")
+	}
+	if secret == "" {
+		return "", "", errors.New("subcommand admin secret access key is not set")
+	}
+
+	return access, secret, nil
+}
+
 func initHTTPClient() *http.Client {
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: allowInsecure},
@@ -213,8 +311,12 @@ func initHTTPClient() *http.Client {
 }

 func createUser(ctx *cli.Context) error {
+	adminAccess, adminSecret, err := getAdminCreds()
+	if err != nil {
+		return err
+	}
 	access, secret, role := ctx.String("access"), ctx.String("secret"), ctx.String("role")
-	userID, groupID := ctx.Int("user-id"), ctx.Int("group-id")
+	userID, groupID, projectID := ctx.Int("user-id"), ctx.Int("group-id"), ctx.Int("project-id")
 	if access == "" || secret == "" {
 		return fmt.Errorf("invalid input parameters for the new user access/secret keys")
 	}
@@ -223,11 +325,12 @@ func createUser(ctx *cli.Context) error {
 	}

 	acc := auth.Account{
-		Access:  access,
-		Secret:  secret,
-		Role:    auth.Role(role),
-		UserID:  userID,
-		GroupID: groupID,
+		Access:    access,
+		Secret:    secret,
+		Role:      auth.Role(role),
+		UserID:    userID,
+		GroupID:   groupID,
+		ProjectID: projectID,
 	}

 	accxml, err := xml.Marshal(acc)
@@ -273,6 +376,10 @@ func createUser(ctx *cli.Context) error {
 }

 func deleteUser(ctx *cli.Context) error {
+	adminAccess, adminSecret, err := getAdminCreds()
+	if err != nil {
+		return err
+	}
 	access := ctx.String("access")
 	if access == "" {
 		return fmt.Errorf("invalid input parameter for the user access key")
@@ -316,7 +423,19 @@ func deleteUser(ctx *cli.Context) error {
 }

 func updateUser(ctx *cli.Context) error {
-	access, secret, userId, groupId, role := ctx.String("access"), ctx.String("secret"), ctx.Int("user-id"), ctx.Int("group-id"), auth.Role(ctx.String("role"))
+	adminAccess, adminSecret, err := getAdminCreds()
+	if err != nil {
+		return err
+	}
+
+	access, secret, userId, groupId, projectID, role :=
+		ctx.String("access"),
+		ctx.String("secret"),
+		ctx.Int("user-id"),
+		ctx.Int("group-id"),
+		ctx.Int("projectID"),
+		auth.Role(ctx.String("role"))
+
 	props := auth.MutableProps{}
 	if ctx.IsSet("role") {
 		if !role.IsValid() {
@@ -333,6 +452,9 @@ func updateUser(ctx *cli.Context) error {
 	if ctx.IsSet("group-id") {
 		props.GroupID = &groupId
 	}
+	if ctx.IsSet("project-id") {
+		props.ProjectID = &projectID
+	}

 	propsxml, err := xml.Marshal(props)
 	if err != nil {
@@ -377,6 +499,11 @@ func updateUser(ctx *cli.Context) error {
 }

 func listUsers(ctx *cli.Context) error {
+	adminAccess, adminSecret, err := getAdminCreds()
+	if err != nil {
+		return err
+	}
+
 	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%v/list-users", adminEndpoint), nil)
 	if err != nil {
 		return fmt.Errorf("failed to send the request: %w", err)
@@ -421,6 +548,251 @@ func listUsers(ctx *cli.Context) error {
 	return nil
 }

+type createBucketInput struct {
+	LocationConstraint *string
+	Tags               []types.Tag
+}
+
+// parseCreateBucketPayload parses the
+func parseCreateBucketPayload(input string) ([]byte, error) {
+	input = strings.TrimSpace(input)
+	if input == "" {
+		return []byte{}, nil
+	}
+
+	// try to parse as json, if the input starts with '{'
+	if input[0] == '{' {
+		var raw createBucketInput
+		err := json.Unmarshal([]byte(input), &raw)
+		if err != nil {
+			return nil, fmt.Errorf("invalid JSON input: %w", err)
+		}
+
+		return xml.Marshal(s3response.CreateBucketConfiguration{
+			LocationConstraint: raw.LocationConstraint,
+			TagSet:             raw.Tags,
+		})
+	}
+
+	var config s3response.CreateBucketConfiguration
+
+	// parse as string - shorthand syntax
+	inputParts, err := splitTopLevel(input)
+	if err != nil {
+		return nil, err
+	}
+	for _, part := range inputParts {
+		part = strings.TrimSpace(part)
+		if strings.HasPrefix(part, "LocationConstraint=") {
+			locConstraint := strings.TrimPrefix(part, "LocationConstraint=")
+			config.LocationConstraint = &locConstraint
+		} else if strings.HasPrefix(part, "Tags=") {
+			tags, err := parseTagging(strings.TrimPrefix(part, "Tags="))
+			if err != nil {
+				return nil, err
+			}
+
+			config.TagSet = tags
+		} else {
+			return nil, fmt.Errorf("invalid component: %v", part)
+		}
+	}
+
+	return xml.Marshal(config)
+}
+
+var errInvalidTagsSyntax = errors.New("invalid tags syntax")
+
+// splitTopLevel splits a shorthand configuration string into top-level components.
+// The function splits only on commas that are not nested inside '{}' or '[]'.
+func splitTopLevel(s string) ([]string, error) {
+	var parts []string
+	start := 0
+	depth := 0
+
+	for i, r := range s {
+		switch r {
+		case '{', '[':
+			depth++
+		case '}', ']':
+			depth--
+		case ',':
+			if depth == 0 {
+				parts = append(parts, s[start:i])
+				start = i + 1
+			}
+		}
+	}
+
+	if depth != 0 {
+		return nil, errors.New("invalid string format")
+	}
+
+	// add last segment
+	if start < len(s) {
+		parts = append(parts, s[start:])
+	}
+
+	return parts, nil
+}
+
+// parseTagging parses a tag set expressed in shorthand syntax into AWS CLI tags.
+// Expected format:
+//
+//	[{Key=string,Value=string},{Key=string,Value=string}]
+//
+// The function validates bracket structure, splits tag objects at the top level,
+// and delegates individual tag parsing to parseTag. It returns an error if the
+// syntax is invalid or if any tag entry cannot be parsed.
+func parseTagging(input string) ([]types.Tag, error) {
+	if len(input) < 2 {
+		return nil, errInvalidTagsSyntax
+	}
+
+	if input[0] != '[' || input[len(input)-1] != ']' {
+		return nil, errInvalidTagsSyntax
+	}
+	// strip []
+	input = input[1 : len(input)-1]
+
+	tagComponents, err := splitTopLevel(input)
+	if err != nil {
+		return nil, errInvalidTagsSyntax
+	}
+	result := make([]types.Tag, 0, len(tagComponents))
+	for _, tagComponent := range tagComponents {
+		tagComponent = strings.TrimSpace(tagComponent)
+		tag, err := parseTag(tagComponent)
+		if err != nil {
+			return nil, err
+		}
+
+		result = append(result, tag)
+	}
+
+	return result, nil
+}
+
+// parseTag parses a single tag definition in shorthand form.
+// Expected format:
+//
+// {Key=string,Value=string}
+func parseTag(input string) (types.Tag, error) {
+	input = strings.TrimSpace(input)
+
+	if len(input) < 2 {
+		return types.Tag{}, errInvalidTagsSyntax
+	}
+
+	if input[0] != '{' || input[len(input)-1] != '}' {
+		return types.Tag{}, errInvalidTagsSyntax
+	}
+
+	// strip {}
+	input = input[1 : len(input)-1]
+
+	components := strings.Split(input, ",")
+	if len(components) != 2 {
+		return types.Tag{}, errInvalidTagsSyntax
+	}
+
+	var key, value string
+
+	for _, c := range components {
+		c = strings.TrimSpace(c)
+
+		switch {
+		case strings.HasPrefix(c, "Key="):
+			key = strings.TrimPrefix(c, "Key=")
+		case strings.HasPrefix(c, "Value="):
+			value = strings.TrimPrefix(c, "Value=")
+		default:
+			return types.Tag{}, errInvalidTagsSyntax
+		}
+	}
+
+	if key == "" {
+		return types.Tag{}, errInvalidTagsSyntax
+	}
+
+	return types.Tag{
+		Key:   &key,
+		Value: &value,
+	}, nil
+}
+
+func createBucket(ctx *cli.Context) error {
+	adminAccess, adminSecret, err := getAdminCreds()
+	if err != nil {
+		return err
+	}
+
+	bucket, owner := ctx.String("bucket"), ctx.String("owner")
+
+	payload, err := parseCreateBucketPayload(ctx.String("create-bucket-configuration"))
+	if err != nil {
+		return fmt.Errorf("invalid create bucket configuration: %w", err)
+	}
+
+	hashedPayload := sha256.Sum256(payload)
+	hexPayload := hex.EncodeToString(hashedPayload[:])
+
+	headers := map[string]string{
+		"x-amz-content-sha256":     hexPayload,
+		"x-vgw-owner":              owner,
+		"x-amz-acl":                ctx.String("acl"),
+		"x-amz-grant-full-control": ctx.String("grant-full-control"),
+		"x-amz-grant-read":         ctx.String("grant-read"),
+		"x-amz-grant-read-acp":     ctx.String("grant-read-acp"),
+		"x-amz-grant-write":        ctx.String("grant-write"),
+		"x-amz-grant-write-acp":    ctx.String("grant-write-acp"),
+		"x-amz-object-ownership":   ctx.String("object-ownership"),
+	}
+
+	if ctx.Bool("object-lock-enabled-for-bucket") {
+		headers["x-amz-bucket-object-lock-enabled"] = "true"
+	}
+	if ctx.Bool("no-object-lock-enabled-for-bucket") {
+		headers["x-amz-bucket-object-lock-enabled"] = "false"
+	}
+
+	req, err := http.NewRequestWithContext(ctx.Context, http.MethodPatch, fmt.Sprintf("%s/%s/create", adminEndpoint, bucket), bytes.NewReader(payload))
+	if err != nil {
+		return err
+	}
+
+	for key, value := range headers {
+		if value != "" {
+			req.Header.Set(key, value)
+		}
+	}
+
+	signer := v4.NewSigner()
+	err = signer.SignHTTP(req.Context(), aws.Credentials{AccessKeyID: adminAccess, SecretAccessKey: adminSecret}, req, hexPayload, "s3", adminRegion, time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to sign the request: %w", err)
+	}
+
+	client := initHTTPClient()
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send the request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode >= 400 {
+		return parseApiError(body)
+	}
+
+	return nil
+}
+
 const (
 	// account table formatting
 	minwidth int  = 2   // minimal cell width including any padding
@@ -433,16 +805,21 @@ const (
 func printAcctTable(accs []auth.Account) {
 	w := new(tabwriter.Writer)
 	w.Init(os.Stdout, minwidth, tabwidth, padding, padchar, flags)
-	fmt.Fprintln(w, "Account\tRole\tUserID\tGroupID")
-	fmt.Fprintln(w, "-------\t----\t------\t-------")
+	fmt.Fprintln(w, "Account\tRole\tUserID\tGroupID\tProjectID")
+	fmt.Fprintln(w, "-------\t----\t------\t-------\t---------")
 	for _, acc := range accs {
-		fmt.Fprintf(w, "%v\t%v\t%v\t%v\n", acc.Access, acc.Role, acc.UserID, acc.GroupID)
+		fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%v\n", acc.Access, acc.Role, acc.UserID, acc.GroupID, acc.ProjectID)
 	}
 	fmt.Fprintln(w)
 	w.Flush()
 }

 func changeBucketOwner(ctx *cli.Context) error {
+	adminAccess, adminSecret, err := getAdminCreds()
+	if err != nil {
+		return err
+	}
+
 	bucket, owner := ctx.String("bucket"), ctx.String("owner")
 	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%v/change-bucket-owner/?bucket=%v&owner=%v", adminEndpoint, bucket, owner), nil)
 	if err != nil {
@@ -494,6 +871,11 @@ func printBuckets(buckets []s3response.Bucket) {
 }

 func listBuckets(ctx *cli.Context) error {
+	adminAccess, adminSecret, err := getAdminCreds()
+	if err != nil {
+		return err
+	}
+
 	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%v/list-buckets", adminEndpoint), nil)
 	if err != nil {
 		return fmt.Errorf("failed to send the request: %w", err)
--- a/cmd/versitygw/main.go
+++ b/cmd/versitygw/main.go
@@ -16,68 +16,84 @@ package main

 import (
 	"context"
-	"crypto/tls"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
 	_ "net/http/pprof"
 	"os"
+	"strconv"
 	"strings"

-	"github.com/gofiber/fiber/v2"
 	"github.com/urfave/cli/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/debuglogger"
 	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api"
 	"github.com/versity/versitygw/s3api/middlewares"
+	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3event"
 	"github.com/versity/versitygw/s3log"
+	"github.com/versity/versitygw/webui"
 )

 var (
-	port, admPort                            string
-	rootUserAccess                           string
-	rootUserSecret                           string
-	region                                   string
-	admCertFile, admKeyFile                  string
-	certFile, keyFile                        string
-	kafkaURL, kafkaTopic, kafkaKey           string
-	natsURL, natsTopic                       string
-	eventWebhookURL                          string
-	eventConfigFilePath                      string
-	logWebhookURL, accessLog                 string
-	adminLogFile                             string
-	healthPath                               string
-	virtualDomain                            string
-	debug                                    bool
-	pprof                                    string
-	quiet                                    bool
-	readonly                                 bool
-	iamDir                                   string
-	ldapURL, ldapBindDN, ldapPassword        string
-	ldapQueryBase, ldapObjClasses            string
-	ldapAccessAtr, ldapSecAtr, ldapRoleAtr   string
-	ldapUserIdAtr, ldapGroupIdAtr            string
-	vaultEndpointURL, vaultSecretStoragePath string
-	vaultMountPath, vaultRootToken           string
-	vaultRoleId, vaultRoleSecret             string
-	vaultServerCert, vaultClientCert         string
-	vaultClientCertKey                       string
-	s3IamAccess, s3IamSecret                 string
-	s3IamRegion, s3IamBucket                 string
-	s3IamEndpoint                            string
-	s3IamSslNoVerify, s3IamDebug             bool
-	iamCacheDisable                          bool
-	iamCacheTTL                              int
-	iamCachePrune                            int
-	metricsService                           string
-	statsdServers                            string
-	dogstatsServers                          string
-	ipaHost, ipaVaultName                    string
-	ipaUser, ipaPassword                     string
-	ipaInsecure, ipaDebug                    bool
+	port, admPort                          string
+	rootUserAccess                         string
+	rootUserSecret                         string
+	region                                 string
+	corsAllowOrigin                        string
+	admCertFile, admKeyFile                string
+	certFile, keyFile                      string
+	kafkaURL, kafkaTopic, kafkaKey         string
+	natsURL, natsTopic                     string
+	rabbitmqURL, rabbitmqExchange          string
+	rabbitmqRoutingKey                     string
+	eventWebhookURL                        string
+	eventConfigFilePath                    string
+	logWebhookURL, accessLog               string
+	adminLogFile                           string
+	healthPath                             string
+	virtualDomain                          string
+	debug                                  bool
+	keepAlive                              bool
+	pprof                                  string
+	quiet                                  bool
+	readonly                               bool
+	disableStrictBucketNames               bool
+	iamDir                                 string
+	ldapURL, ldapBindDN, ldapPassword      string
+	ldapQueryBase, ldapObjClasses          string
+	ldapAccessAtr, ldapSecAtr, ldapRoleAtr string
+	ldapUserIdAtr, ldapGroupIdAtr          string
+	ldapProjectIdAtr                       string
+	ldapTLSSkipVerify                      bool
+	vaultEndpointURL, vaultNamespace       string
+	vaultSecretStoragePath                 string
+	vaultSecretStorageNamespace            string
+	vaultAuthMethod, vaultAuthNamespace    string
+	vaultMountPath                         string
+	vaultRootToken, vaultRoleId            string
+	vaultRoleSecret, vaultServerCert       string
+	vaultClientCert, vaultClientCertKey    string
+	s3IamAccess, s3IamSecret               string
+	s3IamRegion, s3IamBucket               string
+	s3IamEndpoint                          string
+	s3IamSslNoVerify                       bool
+	iamCacheDisable                        bool
+	iamCacheTTL                            int
+	iamCachePrune                          int
+	metricsService                         string
+	statsdServers                          string
+	dogstatsServers                        string
+	ipaHost, ipaVaultName                  string
+	ipaUser, ipaPassword                   string
+	ipaInsecure                            bool
+	iamDebug                               bool
+	webuiAddr                              string
+	webuiCertFile, webuiKeyFile            string
+	webuiNoTLS                             bool
 )

 var (
@@ -155,6 +171,30 @@ func initFlags() []cli.Flag {
 			Destination: &port,
 			Aliases:     []string{"p"},
 		},
+		&cli.StringFlag{
+			Name:        "webui",
+			Usage:       "enable WebUI server on the specified listen address (e.g. ':7071', '127.0.0.1:7071', 'localhost:7071'; disabled when omitted)",
+			EnvVars:     []string{"VGW_WEBUI_PORT"},
+			Destination: &webuiAddr,
+		},
+		&cli.StringFlag{
+			Name:        "webui-cert",
+			Usage:       "TLS cert file for WebUI (defaults to --cert value when WebUI is enabled)",
+			EnvVars:     []string{"VGW_WEBUI_CERT"},
+			Destination: &webuiCertFile,
+		},
+		&cli.StringFlag{
+			Name:        "webui-key",
+			Usage:       "TLS key file for WebUI (defaults to --key value when WebUI is enabled)",
+			EnvVars:     []string{"VGW_WEBUI_KEY"},
+			Destination: &webuiKeyFile,
+		},
+		&cli.BoolFlag{
+			Name:        "webui-no-tls",
+			Usage:       "disable TLS for WebUI even if TLS is configured for the gateway",
+			EnvVars:     []string{"VGW_WEBUI_NO_TLS"},
+			Destination: &webuiNoTLS,
+		},
 		&cli.StringFlag{
 			Name:        "access",
 			Usage:       "root user access key",
@@ -177,6 +217,12 @@ func initFlags() []cli.Flag {
 			Destination: &region,
 			Aliases:     []string{"r"},
 		},
+		&cli.StringFlag{
+			Name:        "cors-allow-origin",
+			Usage:       "default CORS Access-Control-Allow-Origin value (applied when no bucket CORS configuration exists, and for admin APIs)",
+			EnvVars:     []string{"VGW_CORS_ALLOW_ORIGIN"},
+			Destination: &corsAllowOrigin,
+		},
 		&cli.StringFlag{
 			Name:        "cert",
 			Usage:       "TLS cert file",
@@ -221,6 +267,12 @@ func initFlags() []cli.Flag {
 			EnvVars:     []string{"VGW_PPROF"},
 			Destination: &pprof,
 		},
+		&cli.BoolFlag{
+			Name:        "keep-alive",
+			Usage:       "enable keep-alive connections (for finnicky clients)",
+			EnvVars:     []string{"VGW_KEEP_ALIVE"},
+			Destination: &keepAlive,
+		},
 		&cli.BoolFlag{
 			Name:        "quiet",
 			Usage:       "silence stdout request logging output",
@@ -288,6 +340,27 @@ func initFlags() []cli.Flag {
 			Destination: &natsTopic,
 			Aliases:     []string{"ent"},
 		},
+		&cli.StringFlag{
+			Name:        "event-rabbitmq-url",
+			Usage:       "rabbitmq server url to send the bucket notifications (amqp or amqps scheme)",
+			EnvVars:     []string{"VGW_EVENT_RABBITMQ_URL"},
+			Destination: &rabbitmqURL,
+			Aliases:     []string{"eru"},
+		},
+		&cli.StringFlag{
+			Name:        "event-rabbitmq-exchange",
+			Usage:       "rabbitmq exchange to publish bucket notifications to (blank for default)",
+			EnvVars:     []string{"VGW_EVENT_RABBITMQ_EXCHANGE"},
+			Destination: &rabbitmqExchange,
+			Aliases:     []string{"ere"},
+		},
+		&cli.StringFlag{
+			Name:        "event-rabbitmq-routing-key",
+			Usage:       "rabbitmq routing key when publishing bucket notifications (defaults to bucket name when blank)",
+			EnvVars:     []string{"VGW_EVENT_RABBITMQ_ROUTING_KEY"},
+			Destination: &rabbitmqRoutingKey,
+			Aliases:     []string{"errk"},
+		},
 		&cli.StringFlag{
 			Name:        "event-webhook-url",
 			Usage:       "webhook url to send bucket notifications",
@@ -368,18 +441,54 @@ func initFlags() []cli.Flag {
 			EnvVars:     []string{"VGW_IAM_LDAP_GROUP_ID_ATR"},
 			Destination: &ldapGroupIdAtr,
 		},
+		&cli.StringFlag{
+			Name:        "iam-ldap-project-id-atr",
+			Usage:       "ldap server user project id attribute name",
+			EnvVars:     []string{"VGW_IAM_LDAP_PROJECT_ID_ATR"},
+			Destination: &ldapProjectIdAtr,
+		},
+		&cli.BoolFlag{
+			Name:        "iam-ldap-tls-skip-verify",
+			Usage:       "disable TLS certificate verification for LDAP connections (insecure, for self-signed certificates)",
+			EnvVars:     []string{"VGW_IAM_LDAP_TLS_SKIP_VERIFY"},
+			Destination: &ldapTLSSkipVerify,
+		},
 		&cli.StringFlag{
 			Name:        "iam-vault-endpoint-url",
 			Usage:       "vault server url",
 			EnvVars:     []string{"VGW_IAM_VAULT_ENDPOINT_URL"},
 			Destination: &vaultEndpointURL,
 		},
+		&cli.StringFlag{
+			Name:        "iam-vault-namespace",
+			Usage:       "vault server namespace",
+			EnvVars:     []string{"VGW_IAM_VAULT_NAMESPACE"},
+			Destination: &vaultNamespace,
+		},
 		&cli.StringFlag{
 			Name:        "iam-vault-secret-storage-path",
 			Usage:       "vault server secret storage path",
 			EnvVars:     []string{"VGW_IAM_VAULT_SECRET_STORAGE_PATH"},
 			Destination: &vaultSecretStoragePath,
 		},
+		&cli.StringFlag{
+			Name:        "iam-vault-secret-storage-namespace",
+			Usage:       "vault server secret storage namespace",
+			EnvVars:     []string{"VGW_IAM_VAULT_SECRET_STORAGE_NAMESPACE"},
+			Destination: &vaultSecretStorageNamespace,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-auth-method",
+			Usage:       "vault server auth method",
+			EnvVars:     []string{"VGW_IAM_VAULT_AUTH_METHOD"},
+			Destination: &vaultAuthMethod,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-auth-namespace",
+			Usage:       "vault server auth namespace",
+			EnvVars:     []string{"VGW_IAM_VAULT_AUTH_NAMESPACE"},
+			Destination: &vaultAuthNamespace,
+		},
 		&cli.StringFlag{
 			Name:        "iam-vault-mount-path",
 			Usage:       "vault server mount path",
@@ -459,12 +568,6 @@ func initFlags() []cli.Flag {
 			EnvVars:     []string{"VGW_S3_IAM_NO_VERIFY"},
 			Destination: &s3IamSslNoVerify,
 		},
-		&cli.BoolFlag{
-			Name:        "s3-iam-debug",
-			Usage:       "s3 IAM debug output",
-			EnvVars:     []string{"VGW_S3_IAM_DEBUG"},
-			Destination: &s3IamDebug,
-		},
 		&cli.BoolFlag{
 			Name:        "iam-cache-disable",
 			Usage:       "disable local iam cache",
@@ -485,6 +588,13 @@ func initFlags() []cli.Flag {
 			Value:       3600,
 			Destination: &iamCachePrune,
 		},
+		&cli.BoolFlag{
+			Name:        "iam-debug",
+			Usage:       "enable IAM debug output",
+			Value:       false,
+			EnvVars:     []string{"VGW_IAM_DEBUG"},
+			Destination: &iamDebug,
+		},
 		&cli.StringFlag{
 			Name: "health",
 			Usage: `health check endpoint path. Health endpoint will be configured on GET http method: GET <health>
@@ -498,6 +608,12 @@ func initFlags() []cli.Flag {
 			EnvVars:     []string{"VGW_READ_ONLY"},
 			Destination: &readonly,
 		},
+		&cli.BoolFlag{
+			Name:        "disable-strict-bucket-names",
+			Usage:       "allow relaxed bucket naming (disables strict validation checks)",
+			EnvVars:     []string{"VGW_DISABLE_STRICT_BUCKET_NAMES"},
+			Destination: &disableStrictBucketNames,
+		},
 		&cli.StringFlag{
 			Name:        "metrics-service-name",
 			Usage:       "service name tag for metrics, hostname if blank",
@@ -549,12 +665,6 @@ func initFlags() []cli.Flag {
 			EnvVars:     []string{"VGW_IPA_INSECURE"},
 			Destination: &ipaInsecure,
 		},
-		&cli.BoolFlag{
-			Name:        "ipa-debug",
-			Usage:       "FreeIPA IAM debug output",
-			EnvVars:     []string{"VGW_IPA_DEBUG"},
-			Destination: &ipaDebug,
-		},
 	}
 }

@@ -563,6 +673,44 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		return fmt.Errorf("root user access and secret key must be provided")
 	}

+	webuiAddr = strings.TrimSpace(webuiAddr)
+	if webuiAddr != "" && isAllDigits(webuiAddr) {
+		webuiAddr = ":" + webuiAddr
+	}
+
+	// WebUI runs in a browser and typically talks to the gateway/admin APIs cross-origin
+	// (different port). If no bucket CORS configuration exists, those API responses need
+	// a default Access-Control-Allow-Origin to be usable from the WebUI.
+	if webuiAddr != "" && strings.TrimSpace(corsAllowOrigin) == "" {
+		// A single Access-Control-Allow-Origin value cannot cover multiple specific
+		// origins. Default to '*' for usability and print a warning so operators can
+		// lock it down explicitly.
+		corsAllowOrigin = "*"
+		webuiScheme := "http"
+		if !webuiNoTLS && (strings.TrimSpace(webuiCertFile) != "" || strings.TrimSpace(certFile) != "") {
+			webuiScheme = "https"
+		}
+
+		// Suggest a more secure explicit origin based on the actual WebUI listening interfaces.
+		// (Browsers require an exact origin match; this is typically one chosen hostname/IP.)
+		var suggestion string
+		ips, ipsErr := getMatchingIPs(webuiAddr)
+		_, webPrt, prtErr := net.SplitHostPort(webuiAddr)
+		if ipsErr == nil && prtErr == nil && len(ips) > 0 {
+			origins := make([]string, 0, len(ips))
+			for _, ip := range ips {
+				origins = append(origins, fmt.Sprintf("%s://%s:%s", webuiScheme, ip, webPrt))
+			}
+			suggestion = fmt.Sprintf("consider setting it to one of: %s (or your public hostname)", strings.Join(origins, ", "))
+		} else {
+			suggestion = fmt.Sprintf("consider setting it to %s://<host>:<port>", webuiScheme)
+		}
+
+		fmt.Fprintf(os.Stderr, "WARNING: --webui is enabled but --cors-allow-origin is not set; defaulting to '*'; %s\n", suggestion)
+	}
+
+	utils.SetBucketNameValidationStrict(!disableStrictBucketNames)
+
 	if pprof != "" {
 		// listen on specified port for pprof debug
 		// point browser to http://<ip:port>/debug/pprof/
@@ -571,16 +719,10 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		}()
 	}

-	app := fiber.New(fiber.Config{
-		AppName:               "versitygw",
-		ServerHeader:          "VERSITYGW",
-		StreamRequestBody:     true,
-		DisableKeepalive:      true,
-		Network:               fiber.NetworkTCP,
-		DisableStartupMessage: true,
-	})
-
 	var opts []s3api.Option
+	if corsAllowOrigin != "" {
+		opts = append(opts, s3api.WithCORSAllowOrigin(corsAllowOrigin))
+	}

 	if certFile != "" || keyFile != "" {
 		if certFile == "" {
@@ -590,14 +732,12 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 			return fmt.Errorf("TLS cert specified without key file")
 		}

-		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+		cs := utils.NewCertStorage()
+		err := cs.SetCertificate(certFile, keyFile)
 		if err != nil {
 			return fmt.Errorf("tls: load certs: %v", err)
 		}
-		opts = append(opts, s3api.WithTLS(cert))
-	}
-	if debug {
-		opts = append(opts, s3api.WithDebug())
+		opts = append(opts, s3api.WithTLS(cs))
 	}
 	if admPort == "" {
 		opts = append(opts, s3api.WithAdminServer())
@@ -614,29 +754,14 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 	if virtualDomain != "" {
 		opts = append(opts, s3api.WithHostStyle(virtualDomain))
 	}
-
-	admApp := fiber.New(fiber.Config{
-		AppName:               "versitygw",
-		ServerHeader:          "VERSITYGW",
-		Network:               fiber.NetworkTCP,
-		DisableStartupMessage: true,
-	})
-
-	var admOpts []s3api.AdminOpt
-
-	if admCertFile != "" || admKeyFile != "" {
-		if admCertFile == "" {
-			return fmt.Errorf("TLS key specified without cert file")
-		}
-		if admKeyFile == "" {
-			return fmt.Errorf("TLS cert specified without key file")
-		}
-
-		cert, err := tls.LoadX509KeyPair(admCertFile, admKeyFile)
-		if err != nil {
-			return fmt.Errorf("tls: load certs: %v", err)
-		}
-		admOpts = append(admOpts, s3api.WithAdminSrvTLS(cert))
+	if keepAlive {
+		opts = append(opts, s3api.WithKeepAlive())
+	}
+	if debug {
+		debuglogger.SetDebugEnabled()
+	}
+	if iamDebug {
+		debuglogger.SetIAMDebugEnabled()
 	}

 	iam, err := auth.New(&auth.Opts{
@@ -645,42 +770,46 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 			Secret: rootUserSecret,
 			Role:   auth.RoleAdmin,
 		},
-		Dir:                    iamDir,
-		LDAPServerURL:          ldapURL,
-		LDAPBindDN:             ldapBindDN,
-		LDAPPassword:           ldapPassword,
-		LDAPQueryBase:          ldapQueryBase,
-		LDAPObjClasses:         ldapObjClasses,
-		LDAPAccessAtr:          ldapAccessAtr,
-		LDAPSecretAtr:          ldapSecAtr,
-		LDAPRoleAtr:            ldapRoleAtr,
-		LDAPUserIdAtr:          ldapUserIdAtr,
-		LDAPGroupIdAtr:         ldapGroupIdAtr,
-		VaultEndpointURL:       vaultEndpointURL,
-		VaultSecretStoragePath: vaultSecretStoragePath,
-		VaultMountPath:         vaultMountPath,
-		VaultRootToken:         vaultRootToken,
-		VaultRoleId:            vaultRoleId,
-		VaultRoleSecret:        vaultRoleSecret,
-		VaultServerCert:        vaultServerCert,
-		VaultClientCert:        vaultClientCert,
-		VaultClientCertKey:     vaultClientCertKey,
-		S3Access:               s3IamAccess,
-		S3Secret:               s3IamSecret,
-		S3Region:               s3IamRegion,
-		S3Bucket:               s3IamBucket,
-		S3Endpoint:             s3IamEndpoint,
-		S3DisableSSlVerfiy:     s3IamSslNoVerify,
-		S3Debug:                s3IamDebug,
-		CacheDisable:           iamCacheDisable,
-		CacheTTL:               iamCacheTTL,
-		CachePrune:             iamCachePrune,
-		IpaHost:                ipaHost,
-		IpaVaultName:           ipaVaultName,
-		IpaUser:                ipaUser,
-		IpaPassword:            ipaPassword,
-		IpaInsecure:            ipaInsecure,
-		IpaDebug:               ipaDebug,
+		Dir:                         iamDir,
+		LDAPServerURL:               ldapURL,
+		LDAPBindDN:                  ldapBindDN,
+		LDAPPassword:                ldapPassword,
+		LDAPQueryBase:               ldapQueryBase,
+		LDAPObjClasses:              ldapObjClasses,
+		LDAPAccessAtr:               ldapAccessAtr,
+		LDAPSecretAtr:               ldapSecAtr,
+		LDAPRoleAtr:                 ldapRoleAtr,
+		LDAPUserIdAtr:               ldapUserIdAtr,
+		LDAPGroupIdAtr:              ldapGroupIdAtr,
+		LDAPProjectIdAtr:            ldapProjectIdAtr,
+		LDAPTLSSkipVerify:           ldapTLSSkipVerify,
+		VaultEndpointURL:            vaultEndpointURL,
+		VaultNamespace:              vaultNamespace,
+		VaultSecretStoragePath:      vaultSecretStoragePath,
+		VaultSecretStorageNamespace: vaultSecretStorageNamespace,
+		VaultAuthMethod:             vaultAuthMethod,
+		VaultAuthNamespace:          vaultAuthNamespace,
+		VaultMountPath:              vaultMountPath,
+		VaultRootToken:              vaultRootToken,
+		VaultRoleId:                 vaultRoleId,
+		VaultRoleSecret:             vaultRoleSecret,
+		VaultServerCert:             vaultServerCert,
+		VaultClientCert:             vaultClientCert,
+		VaultClientCertKey:          vaultClientCertKey,
+		S3Access:                    s3IamAccess,
+		S3Secret:                    s3IamSecret,
+		S3Region:                    s3IamRegion,
+		S3Bucket:                    s3IamBucket,
+		S3Endpoint:                  s3IamEndpoint,
+		S3DisableSSlVerfiy:          s3IamSslNoVerify,
+		CacheDisable:                iamCacheDisable,
+		CacheTTL:                    iamCacheTTL,
+		CachePrune:                  iamCachePrune,
+		IpaHost:                     ipaHost,
+		IpaVaultName:                ipaVaultName,
+		IpaUser:                     ipaUser,
+		IpaPassword:                 ipaPassword,
+		IpaInsecure:                 ipaInsecure,
 	})
 	if err != nil {
 		return fmt.Errorf("setup iam: %w", err)
@@ -710,6 +839,9 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		KafkaTopicKey:        kafkaKey,
 		NatsURL:              natsURL,
 		NatsTopic:            natsTopic,
+		RabbitmqURL:          rabbitmqURL,
+		RabbitmqExchange:     rabbitmqExchange,
+		RabbitmqRoutingKey:   rabbitmqRoutingKey,
 		WebhookURL:           eventWebhookURL,
 		FilterConfigFilePath: eventConfigFilePath,
 	})
@@ -717,7 +849,7 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		return fmt.Errorf("init bucket event notifications: %w", err)
 	}

-	srv, err := s3api.New(app, be, middlewares.RootUserConfig{
+	srv, err := s3api.New(be, middlewares.RootUserConfig{
 		Access: rootUserAccess,
 		Secret: rootUserSecret,
 	}, port, region, iam, loggers.S3Logger, loggers.AdminLogger, evSender, metricsManager, opts...)
@@ -725,17 +857,135 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		return fmt.Errorf("init gateway: %v", err)
 	}

-	admSrv := s3api.NewAdminServer(admApp, be, middlewares.RootUserConfig{Access: rootUserAccess, Secret: rootUserSecret}, admPort, region, iam, loggers.AdminLogger, admOpts...)
+	var admSrv *s3api.S3AdminServer

-	if !quiet {
-		printBanner(port, admPort, certFile != "", admCertFile != "")
+	if admPort != "" {
+		var opts []s3api.AdminOpt
+		if corsAllowOrigin != "" {
+			opts = append(opts, s3api.WithAdminCORSAllowOrigin(corsAllowOrigin))
+		}
+
+		if admCertFile != "" || admKeyFile != "" {
+			if admCertFile == "" {
+				return fmt.Errorf("TLS key specified without cert file")
+			}
+			if admKeyFile == "" {
+				return fmt.Errorf("TLS cert specified without key file")
+			}
+
+			cs := utils.NewCertStorage()
+			err = cs.SetCertificate(admCertFile, admKeyFile)
+			if err != nil {
+				return fmt.Errorf("tls: load certs: %v", err)
+			}
+			opts = append(opts, s3api.WithAdminSrvTLS(cs))
+		}
+		if quiet {
+			opts = append(opts, s3api.WithAdminQuiet())
+		}
+		if debug {
+			opts = append(opts, s3api.WithAdminDebug())
+		}
+
+		admSrv = s3api.NewAdminServer(be, middlewares.RootUserConfig{Access: rootUserAccess, Secret: rootUserSecret}, admPort, region, iam, loggers.AdminLogger, srv.Router.Ctrl, opts...)
 	}

-	c := make(chan error, 2)
+	var webSrv *webui.Server
+	webuiSSLEnabled := false
+	webTLSCert := ""
+	webTLSKey := ""
+	if webuiAddr != "" {
+		_, webPrt, err := net.SplitHostPort(webuiAddr)
+		if err != nil {
+			return fmt.Errorf("webui listen address must be in the form ':port' or 'host:port': %w", err)
+		}
+		webPortNum, err := strconv.Atoi(webPrt)
+		if err != nil {
+			return fmt.Errorf("webui port must be a number: %w", err)
+		}
+		if webPortNum < 0 || webPortNum > 65535 {
+			return fmt.Errorf("webui port must be between 0 and 65535")
+		}
+
+		var webOpts []webui.Option
+		if !webuiNoTLS {
+			// WebUI can either use explicitly provided TLS files or reuse the
+			// gateway's TLS files by default.
+			webTLSCert = webuiCertFile
+			webTLSKey = webuiKeyFile
+			if webTLSCert == "" && webTLSKey == "" {
+				webTLSCert = certFile
+				webTLSKey = keyFile
+			}
+			if webTLSCert != "" || webTLSKey != "" {
+				if webTLSCert == "" {
+					return fmt.Errorf("webui TLS key specified without cert file")
+				}
+				if webTLSKey == "" {
+					return fmt.Errorf("webui TLS cert specified without key file")
+				}
+				webuiSSLEnabled = true
+
+				cs := utils.NewCertStorage()
+				err := cs.SetCertificate(webTLSCert, webTLSKey)
+				if err != nil {
+					return fmt.Errorf("tls: load certs: %v", err)
+				}
+
+				webOpts = append(webOpts, webui.WithTLS(cs))
+			}
+		}
+
+		sslEnabled := certFile != ""
+		admSSLEnabled := sslEnabled
+		if admPort != "" {
+			admSSLEnabled = admCertFile != ""
+		}
+
+		gateways, err := buildServiceURLs(port, sslEnabled)
+		if err != nil {
+			return fmt.Errorf("webui: build gateway URLs: %w", err)
+		}
+
+		adminGateways := gateways
+		if admPort != "" {
+			adminGateways, err = buildServiceURLs(admPort, admSSLEnabled)
+			if err != nil {
+				return fmt.Errorf("webui: build admin gateway URLs: %w", err)
+			}
+		}
+
+		if quiet {
+			webOpts = append(webOpts, webui.WithQuiet())
+		}
+
+		webSrv = webui.NewServer(&webui.ServerConfig{
+			ListenAddr:    webuiAddr,
+			Gateways:      gateways,
+			AdminGateways: adminGateways,
+			Region:        region,
+		}, webOpts...)
+	}
+
+	if !quiet {
+		printBanner(port, admPort, certFile != "", admCertFile != "", webuiAddr, webuiSSLEnabled)
+	}
+
+	servers := 1
+	if admPort != "" {
+		servers++
+	}
+	if webSrv != nil {
+		servers++
+	}
+	c := make(chan error, servers)
 	go func() { c <- srv.Serve() }()
 	if admPort != "" {
 		go func() { c <- admSrv.Serve() }()
 	}
+	if webSrv != nil {
+		go func() { c <- webSrv.Serve() }()
+	}

 	// for/select blocks until shutdown
 Loop:
@@ -760,35 +1010,71 @@ Loop:
 					break Loop
 				}
 			}
+			if certFile != "" && keyFile != "" {
+				err = srv.CertStorage.SetCertificate(certFile, keyFile)
+				if err != nil {
+					debuglogger.InernalError(fmt.Errorf("srv cert reload failed: %w", err))
+				} else {
+					fmt.Printf("srv cert reloaded (cert: %s, key: %s)\n", certFile, keyFile)
+				}
+			}
+			if admPort != "" && admCertFile != "" && admKeyFile != "" {
+				err = admSrv.CertStorage.SetCertificate(admCertFile, admKeyFile)
+				if err != nil {
+					debuglogger.InernalError(fmt.Errorf("admSrv cert reload failed: %w", err))
+				} else {
+					fmt.Printf("admSrv cert reloaded (cert: %s, key: %s)\n", admCertFile, admKeyFile)
+				}
+			}
+			if webSrv != nil && webTLSCert != "" && webTLSKey != "" {
+				err := webSrv.CertStorage.SetCertificate(webTLSCert, webTLSKey)
+				if err != nil {
+					debuglogger.InernalError(fmt.Errorf("webSrv cert reload failed: %w", err))
+				} else {
+					fmt.Printf("webSrv cert reloaded (cert: %s, key: %s)\n", webTLSCert, webTLSKey)
+				}
+			}
 		}
 	}
 	saveErr := err

+	// first shut down the s3api and admin servers
+	// as they have dependecy from other modules
+	err = srv.ShutDown()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "shutdown api server: %v\n", err)
+	}
+
+	if admSrv != nil {
+		err := admSrv.Shutdown()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "shutdown admin server: %v\n", err)
+		}
+	}
+
+	if webSrv != nil {
+		err := webSrv.Shutdown()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "shutdown webui server: %v\n", err)
+		}
+	}
+
 	be.Shutdown()

 	err = iam.Shutdown()
 	if err != nil {
-		if saveErr == nil {
-			saveErr = err
-		}
 		fmt.Fprintf(os.Stderr, "shutdown iam: %v\n", err)
 	}

 	if loggers.S3Logger != nil {
 		err := loggers.S3Logger.Shutdown()
 		if err != nil {
-			if saveErr == nil {
-				saveErr = err
-			}
 			fmt.Fprintf(os.Stderr, "shutdown s3 logger: %v\n", err)
 		}
 	}
 	if loggers.AdminLogger != nil {
 		err := loggers.AdminLogger.Shutdown()
 		if err != nil {
-			if saveErr == nil {
-				saveErr = err
-			}
 			fmt.Fprintf(os.Stderr, "shutdown admin logger: %v\n", err)
 		}
 	}
@@ -796,9 +1082,6 @@ Loop:
 	if evSender != nil {
 		err := evSender.Close()
 		if err != nil {
-			if saveErr == nil {
-				saveErr = err
-			}
 			fmt.Fprintf(os.Stderr, "close event sender: %v\n", err)
 		}
 	}
@@ -810,7 +1093,7 @@ Loop:
 	return saveErr
 }

-func printBanner(port, admPort string, ssl, admSsl bool) {
+func printBanner(port, admPort string, ssl, admSsl bool, webuiAddr string, webuiSsl bool) {
 	interfaces, err := getMatchingIPs(port)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Failed to match local IP addresses: %v\n", err)
@@ -892,6 +1175,30 @@ func printBanner(port, admPort string, ssl, admSsl bool) {
 		}
 	}

+	if strings.TrimSpace(webuiAddr) != "" {
+		webInterfaces, err := getMatchingIPs(webuiAddr)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Failed to match webui port local IP addresses: %v\n", err)
+			return
+		}
+		_, webPrt, err := net.SplitHostPort(webuiAddr)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Failed to parse webui port: %v\n", err)
+			return
+		}
+		lines = append(lines,
+			centerText(""),
+			leftText("WebUI listening on:"),
+		)
+		for _, ip := range webInterfaces {
+			url := fmt.Sprintf("http://%s:%s", ip, webPrt)
+			if webuiSsl {
+				url = fmt.Sprintf("https://%s:%s", ip, webPrt)
+			}
+			lines = append(lines, leftText("  "+url))
+		}
+	}
+
 	// Print the top border
 	fmt.Println("┌" + strings.Repeat("─", columnWidth-2) + "┐")

@@ -967,13 +1274,46 @@ func getMatchingIPs(spec string) ([]string, error) {
 	return result, nil
 }

+func buildServiceURLs(spec string, ssl bool) ([]string, error) {
+	interfaces, err := getMatchingIPs(spec)
+	if err != nil {
+		return nil, err
+	}
+	_, prt, err := net.SplitHostPort(spec)
+	if err != nil {
+		return nil, fmt.Errorf("parse address/port: %w", err)
+	}
+	if len(interfaces) == 0 {
+		interfaces = []string{"localhost"}
+	}
+
+	scheme := "http"
+	if ssl {
+		scheme = "https"
+	}
+	urls := make([]string, 0, len(interfaces))
+	for _, ip := range interfaces {
+		urls = append(urls, fmt.Sprintf("%s://%s:%s", scheme, ip, prt))
+	}
+	return urls, nil
+}
+
+func isAllDigits(s string) bool {
+	if s == "" {
+		return false
+	}
+	for _, r := range s {
+		if r < '0' || r > '9' {
+			return false
+		}
+	}
+	return true
+}
+
 const columnWidth = 70

 func centerText(text string) string {
-	padding := (columnWidth - 2 - len(text)) / 2
-	if padding < 0 {
-		padding = 0
-	}
+	padding := max((columnWidth-2-len(text))/2, 0)
 	return strings.Repeat(" ", padding) + text
 }

--- a/cmd/versitygw/plugin.go
+++ b/cmd/versitygw/plugin.go
@@ -32,8 +32,9 @@ func pluginCommand() *cli.Command {
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:    "config",
-				Usage:   "location of the config file",
+				Usage:   "location of the plugin config file",
 				Aliases: []string{"c"},
+				EnvVars: []string{"VGW_PLUGIN_CONFIG"},
 			},
 		},
 	}
--- a/cmd/versitygw/posix.go
+++ b/cmd/versitygw/posix.go
@@ -120,12 +120,13 @@ func runPosix(ctx *cli.Context) error {
 	}

 	opts := posix.PosixOpts{
-		ChownUID:       chownuid,
-		ChownGID:       chowngid,
-		BucketLinks:    bucketlinks,
-		VersioningDir:  versioningDir,
-		NewDirPerm:     fs.FileMode(dirPerms),
-		ForceNoTmpFile: forceNoTmpFile,
+		ChownUID:            chownuid,
+		ChownGID:            chowngid,
+		BucketLinks:         bucketlinks,
+		VersioningDir:       versioningDir,
+		NewDirPerm:          fs.FileMode(dirPerms),
+		ForceNoTmpFile:      forceNoTmpFile,
+		ValidateBucketNames: disableStrictBucketNames,
 	}

 	var ms meta.MetadataStorer
--- a/cmd/versitygw/scoutfs.go
+++ b/cmd/versitygw/scoutfs.go
@@ -26,6 +26,7 @@ import (
 var (
 	glacier          bool
 	disableNoArchive bool
+	setProjectID     bool
 )

 func scoutfsCommand() *cli.Command {
@@ -66,12 +67,24 @@ move interfaces as well as support for tiered filesystems.`,
 				EnvVars:     []string{"VGW_CHOWN_GID"},
 				Destination: &chowngid,
 			},
+			&cli.BoolFlag{
+				Name:        "projectid",
+				Usage:       "set project id on newly created buckets, files, and directories to client account ProjectID",
+				EnvVars:     []string{"VGW_SET_PROJECT_ID"},
+				Destination: &setProjectID,
+			},
 			&cli.BoolFlag{
 				Name:        "bucketlinks",
 				Usage:       "allow symlinked directories at bucket level to be treated as buckets",
 				EnvVars:     []string{"VGW_BUCKET_LINKS"},
 				Destination: &bucketlinks,
 			},
+			&cli.StringFlag{
+				Name:        "versioning-dir",
+				Usage:       "the directory path to enable bucket versioning",
+				EnvVars:     []string{"VGW_VERSIONING_DIR"},
+				Destination: &versioningDir,
+			},
 			&cli.UintFlag{
 				Name:        "dir-perms",
 				Usage:       "default directory permissions for new directories",
@@ -106,6 +119,9 @@ func runScoutfs(ctx *cli.Context) error {
 	opts.BucketLinks = bucketlinks
 	opts.NewDirPerm = fs.FileMode(dirPerms)
 	opts.DisableNoArchive = disableNoArchive
+	opts.VersioningDir = versioningDir
+	opts.ValidateBucketNames = disableStrictBucketNames
+	opts.SetProjectID = setProjectID

 	be, err := scoutfs.New(ctx.Args().Get(0), opts)
 	if err != nil {
--- a/cmd/versitygw/test.go
+++ b/cmd/versitygw/test.go
@@ -39,6 +39,7 @@ var (
 	versioningEnabled bool
 	azureTests        bool
 	tlsStatus         bool
+	parallel          bool
 )

 func testCommand() *cli.Command {
@@ -115,6 +116,12 @@ func initTestCommands() []*cli.Command {
 					Destination: &azureTests,
 					Aliases:     []string{"azure"},
 				},
+				&cli.BoolFlag{
+					Name:        "parallel",
+					Usage:       "executes the tests concurrently",
+					Destination: &parallel,
+					Aliases:     []string{"p"},
+				},
 			},
 		},
 		{
@@ -304,9 +311,9 @@ func initTestCommands() []*cli.Command {
 	}, extractIntTests()...)
 }

-type testFunc func(*integration.S3Conf)
+type testFunc func(*integration.TestState)

-func getAction(tf testFunc) func(*cli.Context) error {
+func getAction(tf testFunc) func(ctx *cli.Context) error {
 	return func(ctx *cli.Context) error {
 		opts := []integration.Option{
 			integration.WithAccess(awsID),
@@ -329,12 +336,14 @@ func getAction(tf testFunc) func(*cli.Context) error {
 		}

 		s := integration.NewS3Conf(opts...)
-		tf(s)
+		ts := integration.NewTestState(ctx.Context, s, parallel)
+		tf(ts)
+		ts.Wait()

 		fmt.Println()
-		fmt.Println("RAN:", integration.RunCount, "PASS:", integration.PassCount, "FAIL:", integration.FailCount)
-		if integration.FailCount > 0 {
-			return fmt.Errorf("test failed with %v errors", integration.FailCount)
+		fmt.Println("RAN:", integration.RunCount.Load(), "PASS:", integration.PassCount.Load(), "FAIL:", integration.FailCount.Load())
+		if integration.FailCount.Load() > 0 {
+			return fmt.Errorf("test failed with %v errors", integration.FailCount.Load())
 		}
 		return nil
 	}
--- a/s3api/debuglogger/logger.go
+++ b/s3api/debuglogger/logger.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"os"
 	"strings"
 	"sync/atomic"

@@ -25,18 +26,39 @@ import (
 )

 type Color string
+type prefix string

 const (
 	green  Color = "\033[32m"
 	yellow Color = "\033[33m"
 	blue   Color = "\033[34m"
+	red    Color = "\033[31m"
 	Purple Color = "\033[0;35m"

+	prefixPanic        prefix = "[PANIC]: "
+	prefixInernalError prefix = "[INTERNAL ERROR]: "
+	prefixInfo         prefix = "[INFO]: "
+	prefixDebug        prefix = "[DEBUG]: "
+
 	reset      = "\033[0m"
 	borderChar = "─"
 	boxWidth   = 120
 )

+// Panic prints the panics out in the console
+func Panic(er error) {
+	printError(prefixPanic, er)
+}
+
+// InernalError prints the internal error out in the console
+func InernalError(er error) {
+	printError(prefixInernalError, er)
+}
+
+func printError(prefix prefix, er error) {
+	fmt.Fprintf(os.Stderr, string(red)+string(prefix)+"%v"+reset+"\n", er)
+}
+
 // Logs http request details: headers, body, params, query args
 func LogFiberRequestDetails(ctx *fiber.Ctx) {
 	// Log the full request url
@@ -45,9 +67,9 @@ func LogFiberRequestDetails(ctx *fiber.Ctx) {

 	// log request headers
 	wrapInBox(green, "REQUEST HEADERS", boxWidth, func() {
-		ctx.Request().Header.VisitAll(func(key, value []byte) {
+		for key, value := range ctx.Request().Header.All() {
 			printWrappedLine(yellow, string(key), string(value))
-		})
+		}
 	})
 	// skip request body log for PutObject and UploadPart
 	skipBodyLog := isLargeDataAction(ctx)
@@ -61,18 +83,18 @@ func LogFiberRequestDetails(ctx *fiber.Ctx) {
 	}

 	if ctx.Request().URI().QueryArgs().Len() != 0 {
-		ctx.Request().URI().QueryArgs().VisitAll(func(key, val []byte) {
-			log.Printf("%s: %s", key, val)
-		})
+		for key, value := range ctx.Request().URI().QueryArgs().All() {
+			log.Printf("%s: %s", key, value)
+		}
 	}
 }

 // Logs http response details: body, headers
 func LogFiberResponseDetails(ctx *fiber.Ctx) {
 	wrapInBox(green, "RESPONSE HEADERS", boxWidth, func() {
-		ctx.Response().Header.VisitAll(func(key, value []byte) {
+		for key, value := range ctx.Response().Header.All() {
 			printWrappedLine(yellow, string(key), string(value))
-		})
+		}
 	})

 	_, ok := ctx.Locals("skip-res-body-log").(bool)
@@ -91,14 +113,19 @@ func SetDebugEnabled() {
 	debugEnabled.Store(true)
 }

+// IsDebugEnabled returns true if debugging is enabled
+func IsDebugEnabled() bool {
+	return debugEnabled.Load()
+}
+
 // Logf is the same as 'fmt.Printf' with debug prefix,
 // a color added and '\n' at the end
 func Logf(format string, v ...any) {
 	if !debugEnabled.Load() {
 		return
 	}
-	debugPrefix := "[DEBUG]: "
-	fmt.Printf(string(yellow)+debugPrefix+format+reset+"\n", v...)
+
+	fmt.Printf(string(yellow)+string(prefixDebug)+format+reset+"\n", v...)
 }

 // Infof prints out green info block with [INFO]: prefix
@@ -106,8 +133,30 @@ func Infof(format string, v ...any) {
 	if !debugEnabled.Load() {
 		return
 	}
-	debugPrefix := "[INFO]: "
-	fmt.Printf(string(green)+debugPrefix+format+reset+"\n", v...)
+
+	fmt.Printf(string(green)+string(prefixInfo)+format+reset+"\n", v...)
+}
+
+var debugIAMEnabled atomic.Bool
+
+// SetIAMDebugEnabled sets the IAM debug mode
+func SetIAMDebugEnabled() {
+	debugIAMEnabled.Store(true)
+}
+
+// IsDebugEnabled returns true if debugging enabled
+func IsIAMDebugEnabled() bool {
+	return debugEnabled.Load()
+}
+
+// IAMLogf is the same as 'fmt.Printf' with debug prefix,
+// a color added and '\n' at the end
+func IAMLogf(format string, v ...any) {
+	if !debugIAMEnabled.Load() {
+		return
+	}
+
+	fmt.Printf(string(yellow)+string(prefixDebug)+format+reset+"\n", v...)
 }

 // PrintInsideHorizontalBorders prints the text inside horizontal
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+set -e
+
+BIN="${VGW_BINARY:-/usr/local/bin/versitygw}"
+
+if [ ! -x "$BIN" ]; then
+    echo "Entrypoint error: versitygw binary not found at $BIN" >&2
+    exit 1
+fi
+
+# If arguments were provided, run them directly for backward compatibility.
+if [ "$#" -gt 0 ]; then
+    exec "$BIN" "$@"
+fi
+
+backend="${VGW_BACKEND:-}"
+if [ -z "$backend" ]; then
+    cat >&2 <<'EOF'
+No command arguments were provided and VGW_BACKEND is unset.
+Set VGW_BACKEND to one of: posix, scoutfs, s3, azure, plugin
+or pass explicit arguments to the container to run the versitygw command directly.
+EOF
+    exit 1
+fi
+
+case "$backend" in
+    posix|scoutfs|s3|azure|plugin)
+        ;;
+    *)
+        echo "VGW_BACKEND invalid backend (was '$backend')." >&2
+        exit 1
+        ;;
+esac
+
+set -- "$backend"
+
+if [ -n "${VGW_BACKEND_ARG:-}" ]; then
+    set -- "$@" "$VGW_BACKEND_ARG"
+fi
+
+if [ -n "${VGW_BACKEND_ARGS:-}" ]; then
+    # shellcheck disable=SC2086
+    set -- "$@" ${VGW_BACKEND_ARGS}
+fi
+
+if [ -n "${VGW_ARGS:-}" ]; then
+    # shellcheck disable=SC2086
+    set -- "$@" ${VGW_ARGS}
+fi
+
+exec "$BIN" "$@"
--- a/extra/example.conf
+++ b/extra/example.conf
@@ -23,7 +23,8 @@
 # VersityGW Required Options #
 ##############################

-# VGW_BACKEND must be defined, and must be one of: posix, scoutfs, or s3
+# VGW_BACKEND must be defined, and must be one of: posix, scoutfs, s3, azure,
+# or plugin
 # This defines the backend that the VGW will use for data access.
 VGW_BACKEND=posix

@@ -119,6 +120,12 @@ ROOT_SECRET_ACCESS_KEY=
 # https://<VGW_ENDPOINT>/<bucket>
 #VGW_VIRTUAL_DOMAIN=

+# By default, versitygw will enforce similar bucket naming rules as described
+# in https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
+# Set to true to allow legacy or non-DNS-compliant bucket names by skipping
+# strict validation checks.
+#VGW_DISABLE_STRICT_BUCKET_NAMES=false
+
 ###############
 # Access Logs #
 ###############
@@ -169,6 +176,19 @@ ROOT_SECRET_ACCESS_KEY=
 #VGW_EVENT_NATS_URL=
 #VGW_EVENT_NATS_TOPIC=

+# Bucket events can be sent to a RabbitMQ messaging service. When
+# VGW_EVENT_RABBITMQ_URL is specified, events will be published to the specified
+# exchange (VGW_EVENT_RABBITMQ_EXCHANGE) using the routing key
+# (VGW_EVENT_RABBITMQ_ROUTING_KEY). If exchange is blank the default exchange is
+# used. If routing key is blank, it will be left empty (the server can bind a
+# queue with an empty binding key or you can set an explicit key).
+# Example URL formats:
+#   amqp://user:pass@rabbitmq:5672/
+#   amqps://user:pass@rabbitmq:5671/vhost
+#VGW_EVENT_RABBITMQ_URL=
+#VGW_EVENT_RABBITMQ_EXCHANGE=
+#VGW_EVENT_RABBITMQ_ROUTING_KEY=
+
 # Bucket events can be sent to a webhook. When VGW_EVENT_WEBHOOK_URL is
 # specified, all configured bucket events will be sent to the webhook.
 #VGW_EVENT_WEBHOOK_URL=
@@ -181,6 +201,42 @@ ROOT_SECRET_ACCESS_KEY=
 # to generate a default rules file "event_config.json" in the current directory.
 #VGW_EVENT_FILTER=

+###########
+# Web GUI #
+###########
+
+# The VGW_WEBUI_PORT option enables the Web GUI server on the specified
+# listening address. The Web GUI provides a browser-based interface for managing
+# users, buckets and objects. The format can be either ':port' to listen on all
+# interfaces (e.g., ':7071') or 'host:port' to listen on a specific interface
+# (e.g., '127.0.0.1:7071' or 'localhost:7071'). When omitted, the Web GUI is
+# disabled.
+#VGW_WEBUI_PORT=
+
+# The VGW_WEBUI_CERT and VGW_WEBUI_KEY options specify the TLS certificate and
+# private key for the Web GUI server. If these are not specified and TLS is
+# configured for the gateway (VGW_CERT and VGW_KEY), the Web GUI will use the
+# same certificates as the gateway. If neither are specified, the Web GUI will
+# run without TLS (HTTP only). These options allow the Web GUI to use different
+# certificates than the main S3 gateway.
+#VGW_WEBUI_CERT=
+#VGW_WEBUI_KEY=
+
+# The VGW_WEBUI_NO_TLS option disables TLS for the Web GUI even if TLS
+# certificates are configured for the gateway. Set to true to force the Web GUI
+# to use HTTP instead of HTTPS. This can be useful when running the Web GUI
+# behind a reverse proxy that handles TLS termination.
+#VGW_WEBUI_NO_TLS=false
+
+# The VGW_CORS_ALLOW_ORIGIN option sets the default CORS (Cross-Origin Resource
+# Sharing) Access-Control-Allow-Origin header value. This header is applied to
+# responses when no bucket-specific CORS configuration exists, and for all admin
+# API responses. When the Web GUI is enabled and this option is not set, it
+# defaults to '*' (allow all origins) for usability. For production environments,
+# it is recommended to set this to a specific origin (e.g.,
+# 'https://webui.example.com') to improve security.
+#VGW_CORS_ALLOW_ORIGIN=
+
 #######################
 # Debug / Diagnostics #
 #######################
@@ -259,6 +315,11 @@ ROOT_SECRET_ACCESS_KEY=
 #VGW_IAM_LDAP_ROLE_ATR=
 #VGW_IAM_LDAP_USER_ID_ATR=
 #VGW_IAM_LDAP_GROUP_ID_ATR=
+# Disable TLS certificate verification for LDAP connections (insecure, allows
+# self-signed certificates). This should only be used in testing environments
+# or when using self-signed certificates. The default is false (verification
+# enabled).
+#VGW_IAM_LDAP_TLS_SKIP_VERIFY=false

 # The FreeIPA options will enable the FreeIPA IAM service with accounts stored
 # in an external FreeIPA service. Currently the FreeIPA IAM service only
@@ -420,6 +481,11 @@ ROOT_SECRET_ACCESS_KEY=
 #VGW_CHOWN_UID=false
 #VGW_CHOWN_GID=false

+# The VGW_SET_PROJECT_ID option will enable setting account defined ProjectID
+# for newly created buckets, files, and directories if the account ProjectID
+# is greater than 0 and the filesystem format version supports project IDs.
+#VGW_SET_PROJECT_ID=false
+
 # The VGW_BUCKET_LINKS option will enable the gateway to treat symbolic links
 # to directories at the top level gateway directory as buckets.
 #VGW_BUCKET_LINKS=false
@@ -430,6 +496,14 @@ ROOT_SECRET_ACCESS_KEY=
 # as any parent directories automatically created with object uploads.
 #VGW_DIR_PERMS=0755

+# To enable object versions, the VGW_VERSIONING_DIR option must be set to the
+# directory that will be used to store the object versions. The version
+# directory must NOT be a subdirectory of the VGW_BACKEND_ARG directory.
+# There may be implications for archive policy updates to include version
+# directory as well. It is recommended to discuss archive implications of
+# versioning with Versity support before enabling on an archiving filesystem.
+#VGW_VERSIONING_DIR=
+
 # The default behavior of the gateway is to automatically set the noarchive
 # flag on the multipart upload parts while the multipart upload is in progress.
 # This is to prevent the parts from being archived since they are temporary
@@ -459,3 +533,48 @@ ROOT_SECRET_ACCESS_KEY=
 #VGW_S3_DISABLE_CHECKSUM=false
 #VGW_S3_SSL_SKIP_VERIFY=false
 #VGW_S3_DEBUG=false
+
+########
+# azure #
+########
+
+# The azure backend allows the gateway to store objects in Azure Blob Storage.
+# Buckets created through the gateway map to blob containers within the
+# configured storage account. This backend is useful when existing workflows
+# expect an S3-compatible interface while data resides in Azure.
+
+# When the azure backend is selected, configure credentials with one of the
+# following approaches:
+# - Shared key: Define AZ_ACCOUNT_NAME with the storage account name and
+#   AZ_ACCESS_KEY with the corresponding account key.
+# - SAS token: Set AZ_SAS_TOKEN to an account or container scoped SAS token.
+#   Provide AZ_ENDPOINT if the token does not implicitly define the endpoint.
+# - Default Azure credentials: Leave AZ_ACCOUNT_NAME and AZ_ACCESS_KEY blank
+#   and configure the standard Azure identity environment variables supported
+#   by the DefaultAzureCredential chain (e.g. AZURE_CLIENT_ID, AZURE_TENANT_ID,
+#   AZURE_CLIENT_SECRET, managed identity, etc.).
+# Use AZ_ENDPOINT to override the service URL (for example when targeting
+# Azurite or a sovereign cloud). If unset, it defaults to
+# https://<account>.blob.core.windows.net/ when an account name is provided.
+#AZ_ACCOUNT_NAME=
+#AZ_ACCESS_KEY=
+#AZ_SAS_TOKEN=
+#AZ_ENDPOINT=
+
+##########
+# plugin #
+##########
+
+# The plugin backend loads a Go plugin shared object that exposes a variable
+# named "Backend" of type *plugins.BackendPlugin. The gateway uses the
+# exported constructor to create the backend implementation at runtime.
+
+# Set VGW_BACKEND_ARG to the absolute path of the compiled plugin (.so) file.
+# The path must be readable by the gateway service account and remain stable
+# across restarts.
+#VGW_BACKEND_ARG=/usr/lib/versitygw/plugins/example.so
+
+# Provide the plugin-specific configuration file path via VGW_PLUGIN_CONFIG.
+# The gateway automatically forwards this value to the plugin backend when it
+# starts up.
+#VGW_PLUGIN_CONFIG=/etc/versitygw.d/example-plugin.conf
--- a/extra/versitygw@.service
+++ b/extra/versitygw@.service
@@ -17,7 +17,7 @@ Group=root

 EnvironmentFile=/etc/versitygw.d/%i.conf

-ExecStart=/bin/bash -c 'if [[ ! ("${VGW_BACKEND}" == "posix" || "${VGW_BACKEND}" == "scoutfs" || "${VGW_BACKEND}" == "s3") ]]; then echo "VGW_BACKEND environment variable not set to one of posix, scoutfs, or s3"; exit 1; fi && exec /usr/bin/versitygw "$VGW_BACKEND" "$VGW_BACKEND_ARG"'
+ExecStart=/bin/bash -c 'if [[ ! ("${VGW_BACKEND}" == "posix" || "${VGW_BACKEND}" == "scoutfs" || "${VGW_BACKEND}" == "s3" || "${VGW_BACKEND}" == "azure" || "${VGW_BACKEND}" == "plugin") ]]; then echo "VGW_BACKEND environment variable ${VGW_BACKEND} not set to valid backend type"; exit 1; fi && exec /usr/bin/versitygw "$VGW_BACKEND" "$VGW_BACKEND_ARG"'

 # Let systemd restart this service always
 Restart=always
--- a/go.mod
+++ b/go.mod
@@ -1,82 +1,91 @@
 module github.com/versity/versitygw

-go 1.23.0
+go 1.24.0

 toolchain go1.24.1

 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1
-	github.com/DataDog/datadog-go/v5 v5.6.0
-	github.com/aws/aws-sdk-go-v2 v1.36.5
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0
-	github.com/aws/smithy-go v1.22.4
-	github.com/go-ldap/ldap/v3 v3.4.11
-	github.com/gofiber/fiber/v2 v2.52.8
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4
+	github.com/DataDog/datadog-go/v5 v5.8.2
+	github.com/aws/aws-sdk-go-v2 v1.41.1
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1
+	github.com/aws/smithy-go v1.24.0
+	github.com/davecgh/go-spew v1.1.1
+	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/gofiber/fiber/v2 v2.52.10
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/vault-client-go v0.4.3
-	github.com/nats-io/nats.go v1.43.0
+	github.com/minio/crc64nvme v1.1.1
+	github.com/nats-io/nats.go v1.48.0
 	github.com/oklog/ulid/v2 v2.1.1
 	github.com/pkg/xattr v0.4.12
-	github.com/segmentio/kafka-go v0.4.48
+	github.com/rabbitmq/amqp091-go v1.10.0
+	github.com/segmentio/kafka-go v0.4.50
 	github.com/smira/go-statsd v1.3.4
+	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli/v2 v2.27.7
-	github.com/valyala/fasthttp v1.62.0
-	github.com/versity/scoutfs-go v0.0.0-20240325223134-38eb2f5f7d44
-	golang.org/x/sync v0.15.0
-	golang.org/x/sys v0.33.0
+	github.com/valyala/fasthttp v1.69.0
+	github.com/versity/scoutfs-go v0.0.0-20240625221833-95fd765b760b
+	golang.org/x/sync v0.19.0
+	golang.org/x/sys v0.40.0
 )

 require (
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/go-ntlmssp v0.1.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.3.1 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/nats-io/nkeys v0.4.11 // indirect
+	github.com/nats-io/nkeys v0.4.12 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
-	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pierrec/lz4/v4 v4.1.25 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/crypto v0.47.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 require (
 	github.com/andybalholm/brotli v1.2.0 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.29.17
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.70
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.82
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.32.7
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.7
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.19
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.3 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,87 +1,89 @@
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 h1:fou+2+WFTib47nS+nz/ozhEBnvU96bKHy6LjRsY4E28=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0/go.mod h1:t76Ruy8AHvUAC8GfMWJMa0ElSbuIcO03NLpynfbgsPA=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0 h1:LR0kAX9ykz8G4YgLCaRDVJ3+n43R8MneB5dTy2konZo=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0/go.mod h1:DWAciXemNf++PQJLeXUB4HHH5OpsAh12HZnu2wXE1jA=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 h1:lhZdRq7TIx0GJQvSyX2Si406vrYsov2FXGp/RnSEtcs=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1/go.mod h1:8cl44BDmi+effbARHMQjgOKA2AYvcohNm7KEt42mSV8=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1/go.mod h1:Ng3urmn6dYe8gnbCMoHHVl5APYz2txho3koEkV2o2HA=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4 h1:jWQK1GI+LeGGUKBADtcH2rRqPxYB1Ljwms5gFA2LqrM=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4/go.mod h1:8mwH4klAm9DUgR2EEHyEEAQlRDvLPyg5fQry3y+cDew=
+github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
+github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
-github.com/DataDog/datadog-go/v5 v5.6.0 h1:2oCLxjF/4htd55piM75baflj/KoE6VYS7alEUqFvRDw=
-github.com/DataDog/datadog-go/v5 v5.6.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/DataDog/datadog-go/v5 v5.8.2 h1:9IEfH1Mw9AjWwhAMqCAkhbxjuJeMxm2ARX2VdgL+ols=
+github.com/DataDog/datadog-go/v5 v5.8.2/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
 github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
-github.com/aws/aws-sdk-go-v2 v1.36.5 h1:0OF9RiEMEdDdZEMqF9MRjevyxAQcf6gY+E7vwBILFj0=
-github.com/aws/aws-sdk-go-v2 v1.36.5/go.mod h1:EYrzvCCN9CMUTa5+6lf6MM4tq3Zjp8UhSGR/cBsjai0=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 h1:12SpdwU8Djs+YGklkinSSlcrPyj3H4VifVsKf78KbwA=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11/go.mod h1:dd+Lkp6YmMryke+qxW/VnKyhMBDTYP41Q2Bb+6gNZgY=
-github.com/aws/aws-sdk-go-v2/config v1.29.17 h1:jSuiQ5jEe4SAMH6lLRMY9OVC+TqJLP5655pBGjmnjr0=
-github.com/aws/aws-sdk-go-v2/config v1.29.17/go.mod h1:9P4wwACpbeXs9Pm9w1QTh6BwWwJjwYvJ1iCt5QbCXh8=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.70 h1:ONnH5CM16RTXRkS8Z1qg7/s2eDOhHhaXVd72mmyv4/0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.70/go.mod h1:M+lWhhmomVGgtuPOhO85u4pEa3SmssPTdcYpP/5J/xc=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 h1:KAXP9JSHO1vKGCr5f4O6WmlVKLFFXgWYAGoJosorxzU=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32/go.mod h1:h4Sg6FQdexC1yYG9RDnOvLbW1a/P986++/Y/a+GyEM8=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.82 h1:EO13QJTCD1Ig2IrQnoHTRrn981H9mB7afXsZ89WptI4=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.82/go.mod h1:AGh1NCg0SH+uyJamiJA5tTQcql4MMRDXGRdMmCxCXzY=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 h1:SsytQyTMHMDPspp+spo7XwXTP44aJZZAC7fBV2C5+5s=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36/go.mod h1:Q1lnJArKRXkenyog6+Y+zr7WDpk4e6XlR6gs20bbeNo=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 h1:i2vNHQiXUvKhs3quBR6aqlgJaiaexz/aNvdCktW/kAM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36/go.mod h1:UdyGa7Q91id/sdyHPwth+043HhmP6yP9MBHgbZM0xo8=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 h1:GMYy2EOWfzdP3wfVAGXBNKY5vK4K8vMET4sYOYltmqs=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36/go.mod h1:gDhdAV6wL3PmPqBhiPbnlS447GoWs8HTTOYef9/9Inw=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 h1:nAP2GYbfh8dd2zGZqFRSMlq+/F6cMPBUuCsGAMkN074=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4/go.mod h1:LT10DsiGjLWh4GbjInf9LQejkYEhBgBCjLG5+lvk4EE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 h1:t0E6FzREdtCsiLIoLCWsYliNsRBgyGD/MCK571qk4MI=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17/go.mod h1:ygpklyoaypuyDvOM5ujWGrYWpAK3h7ugnmKCU/76Ys4=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 h1:qcLWgdhq45sDM9na4cvXax9dyLitn8EYBRl8Ak4XtG4=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17/go.mod h1:M+jkjBFZ2J6DJrjMv2+vkBbuht6kxJYtJiwoVgX4p4U=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0 h1:JubM8CGDDFaAOmBrd8CRYNr49ZNgEAiLwGwgNMdS0nw=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.82.0/go.mod h1:kUklwasNoCn5YpyAqC/97r6dzTA1SRKJfKq16SXeoDU=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 h1:AIRJ3lfb2w/1/8wOOSqYb9fUKGwQbtysJ2H1MofRUPg=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.5/go.mod h1:b7SiVprpU+iGazDUqvRSLf5XmCdn+JtT1on7uNL6Ipc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 h1:BpOxT3yhLwSJ77qIY3DoHAQjZsc4HEGfMCE4NGy3uFg=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3/go.mod h1:vq/GQR1gOFLquZMSrxUK/cpvKCNVYibNyJ1m7JrU88E=
-github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 h1:NFOJ/NXEGV4Rq//71Hs1jC/NvPs1ezajK+yQmkwnPV0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.34.0/go.mod h1:7ph2tGpfQvwzgistp2+zga9f+bCjlQJPkPUmMgDSD7w=
-github.com/aws/smithy-go v1.22.4 h1:uqXzVZNuNexwc/xrh6Tb56u89WDlJY6HS+KC0S4QSjw=
-github.com/aws/smithy-go v1.22.4/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/aws/aws-sdk-go-v2 v1.41.1 h1:ABlyEARCDLN034NhxlRUSZr4l71mh+T5KAeGh6cerhU=
+github.com/aws/aws-sdk-go-v2 v1.41.1/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 h1:489krEF9xIGkOaaX3CE/Be2uWjiXrkCH6gUX+bZA/BU=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4/go.mod h1:IOAPF6oT9KCsceNTvvYMNHy0+kMF8akOjeDvPENWxp4=
+github.com/aws/aws-sdk-go-v2/config v1.32.7 h1:vxUyWGUwmkQ2g19n7JY/9YL8MfAIl7bTesIUykECXmY=
+github.com/aws/aws-sdk-go-v2/config v1.32.7/go.mod h1:2/Qm5vKUU/r7Y+zUk/Ptt2MDAEKAfUtKc1+3U1Mo3oY=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.7 h1:tHK47VqqtJxOymRrNtUXN5SP/zUTvZKeLx4tH6PGQc8=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.7/go.mod h1:qOZk8sPDrxhf+4Wf4oT2urYJrYt3RejHSzgAquYeppw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 h1:I0GyV8wiYrP8XpA70g1HBcQO1JlQxCMTW9npl5UbDHY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17/go.mod h1:tyw7BOl5bBe/oqvoIeECFJjMdzXoa/dfVz3QQ5lgHGA=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.19 h1:Gxj3kAlmM+a/VVO4YNsmgHGVUZhSxs0tuVwLIxZBCtM=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.19/go.mod h1:XGq5kImVqQT4HUNbbG+0Y8O74URsPNH7CGPg1s1HW5E=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 h1:xOLELNKGp2vsiteLsvLPwxC+mYmO6OZ8PYgiuPJzF8U=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17/go.mod h1:5M5CI3D12dNOtH3/mk6minaRwI2/37ifCURZISxA/IQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 h1:WWLqlh79iO48yLkj1v3ISRNiv+3KdQoZ6JWyfcsyQik=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17/go.mod h1:EhG22vHRrvF8oXSTYStZhJc1aUgKtnJe+aOiFEV90cM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17 h1:JqcdRG//czea7Ppjb+g/n4o8i/R50aTBHkA7vu0lK+k=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17/go.mod h1:CO+WeGmIdj/MlPel2KwID9Gt7CNq4M65HUfBW97liM0=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8 h1:Z5EiPIzXKewUQK0QTMkutjiaPVeVYXX7KIqhXu/0fXs=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8/go.mod h1:FsTpJtvC4U1fyDXk7c71XoDv3HlRm8V3NiYLeYLh5YE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 h1:RuNSMoozM8oXlgLG/n6WLaFGoea7/CddrCfIiSA+xdY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17/go.mod h1:F2xxQ9TZz5gDWsclCtPQscGpP0VUOc8RqgFM3vDENmU=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17 h1:bGeHBsGZx0Dvu/eJC0Lh9adJa3M1xREcndxLNZlve2U=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17/go.mod h1:dcW24lbU0CzHusTE8LLHhRLI42ejmINN8Lcr22bwh/g=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1 h1:C2dUPSnEpy4voWFIq3JNd8gN0Y5vYGDo44eUE58a/p8=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1/go.mod h1:5jggDlZ2CLQhwJBiZJb4vfk4f0GxWdEDruWKEJ1xOdo=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4fpmpyD9wYG1vfSu+Y=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 h1:v6EiMvhEYBoHABfbGB4alOYmCIrcgyPPiBE1wZAEbqk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.9/go.mod h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 h1:gd84Omyu9JLriJVCbGApcLzVR3XtmC4ZDPcAI6Ftvds=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13/go.mod h1:sTGThjphYE4Ohw8vJiRStAcu3rbjtXRsdNB0TvZ5wwo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/pJ1jOWYlFDJTjRQ=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ=
+github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
+github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
+github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
+github.com/clipperhouse/uax29/v2 v2.3.1 h1:RjM8gnVbFbgI67SBekIC7ihFpyXwRPYWXn9BZActHbw=
+github.com/clipperhouse/uax29/v2 v2.3.1/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
 github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
 github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
-github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
-github.com/gofiber/fiber/v2 v2.52.8 h1:xl4jJQ0BV5EJTA2aWiKw/VddRpHrKeZLF0QPUxqn0x4=
-github.com/gofiber/fiber/v2 v2.52.8/go.mod h1:YEcBbO/FB+5M1IZNBP9FO3J9281zgPAreiI1oqg8nDw=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
+github.com/gofiber/fiber/v2 v2.52.10 h1:jRHROi2BuNti6NYXmZ6gbNSfT3zj/8c0xy94GOU5elY=
+github.com/gofiber/fiber/v2 v2.52.10/go.mod h1:YEcBbO/FB+5M1IZNBP9FO3J9281zgPAreiI1oqg8nDw=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
@@ -115,31 +117,37 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/compress v1.18.3 h1:9PJRvfbmTabkOX8moIpXPbMMbYN60bWImDDU7L+/6zw=
+github.com/klauspost/compress v1.18.3/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
+github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/minio/crc64nvme v1.1.1 h1:8dwx/Pz49suywbO+auHCBpCtlW1OfpcLN7wYgVR6wAI=
+github.com/minio/crc64nvme v1.1.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/nats-io/nats.go v1.43.0 h1:uRFZ2FEoRvP64+UUhaTokyS18XBCR/xM2vQZKO4i8ug=
-github.com/nats-io/nats.go v1.43.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
-github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0=
-github.com/nats-io/nkeys v0.4.11/go.mod h1:szDimtgmfOi9n25JpfIdGw12tZFYXqhGxjhVxsatHVE=
+github.com/nats-io/nats.go v1.48.0 h1:pSFyXApG+yWU/TgbKCjmm5K4wrHu86231/w84qRVR+U=
+github.com/nats-io/nats.go v1.48.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
+github.com/nats-io/nkeys v0.4.12 h1:nssm7JKOG9/x4J8II47VWCL1Ds29avyiQDRn0ckMvDc=
+github.com/nats-io/nkeys v0.4.12/go.mod h1:MT59A1HYcjIcyQDJStTfaOY6vhy9XTUjOFo+SVsvpBg=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
 github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
 github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
-github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
-github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.25 h1:kocOqRffaIbU5djlIBr7Wh+cx82C0vtFb0fOurZHqD0=
+github.com/pierrec/lz4/v4 v4.1.25/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -147,38 +155,38 @@ github.com/pkg/xattr v0.4.12 h1:rRTkSyFNTRElv6pkA3zpjHpQ90p/OdHQC1GmGh1aTjM=
 github.com/pkg/xattr v0.4.12/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
-github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
-github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rabbitmq/amqp091-go v1.10.0 h1:STpn5XsHlHGcecLmMFCtg7mqq0RnD+zFr4uzukfVhBw=
+github.com/rabbitmq/amqp091-go v1.10.0/go.mod h1:Hy4jKW5kQART1u+JkDTF9YYOQUHXqMuhrgxOEeS7G4o=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/segmentio/kafka-go v0.4.48 h1:9jyu9CWK4W5W+SroCe8EffbrRZVqAOkuaLd/ApID4Vs=
-github.com/segmentio/kafka-go v0.4.48/go.mod h1:HjF6XbOKh0Pjlkr5GVZxt6CsjjwnmhVOfURM5KMd8qg=
+github.com/segmentio/kafka-go v0.4.50 h1:mcyC3tT5WeyWzrFbd6O374t+hmcu1NKt2Pu1L3QaXmc=
+github.com/segmentio/kafka-go v0.4.50/go.mod h1:Y1gn60kzLEEaW28YshXyk2+VCUKbJ3Qr6DrnT3i4+9E=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smira/go-statsd v1.3.4 h1:kBYWcLSGT+qC6JVbvfz48kX7mQys32fjDOPrfmsSx2c=
 github.com/smira/go-statsd v1.3.4/go.mod h1:RjdsESPgDODtg1VpVVf9MJrEW2Hw0wtRNbmB1CAhu6A=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU=
 github.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.62.0 h1:8dKRBX/y2rCzyc6903Zu1+3qN0H/d2MsxPPmVNamiH0=
-github.com/valyala/fasthttp v1.62.0/go.mod h1:FCINgr4GKdKqV8Q0xv8b+UxPV+H/O5nNFo3D+r54Htg=
-github.com/versity/scoutfs-go v0.0.0-20240325223134-38eb2f5f7d44 h1:Wx1o3pNrCzsHIIDyZ2MLRr6tF/1FhAr7HNDn80QqDWE=
-github.com/versity/scoutfs-go v0.0.0-20240325223134-38eb2f5f7d44/go.mod h1:gJsq73k+4685y+rbDIpPY8i/5GbsiwP6JFoFyUDB1fQ=
+github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZyVI=
+github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw=
+github.com/versity/scoutfs-go v0.0.0-20240625221833-95fd765b760b h1:kuqsuYRMG1c6YXBAQvWO7CiurlpYtjDJWI6oZ2K/ZZE=
+github.com/versity/scoutfs-go v0.0.0-20240625221833-95fd765b760b/go.mod h1:gJsq73k+4685y+rbDIpPY8i/5GbsiwP6JFoFyUDB1fQ=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
@@ -190,32 +198,22 @@ github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBi
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
+golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -223,42 +221,27 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/metrics/actions.go
+++ b/metrics/actions.go
@@ -24,57 +24,99 @@ var (
 )

 var (
-	ActionUndetected                    = "ActionUnDetected"
-	ActionAbortMultipartUpload          = "s3_AbortMultipartUpload"
-	ActionCompleteMultipartUpload       = "s3_CompleteMultipartUpload"
-	ActionCopyObject                    = "s3_CopyObject"
-	ActionCreateBucket                  = "s3_CreateBucket"
-	ActionCreateMultipartUpload         = "s3_CreateMultipartUpload"
-	ActionDeleteBucket                  = "s3_DeleteBucket"
-	ActionDeleteBucketPolicy            = "s3_DeleteBucketPolicy"
-	ActionDeleteBucketTagging           = "s3_DeleteBucketTagging"
-	ActionDeleteObject                  = "s3_DeleteObject"
-	ActionDeleteObjectTagging           = "s3_DeleteObjectTagging"
-	ActionDeleteObjects                 = "s3_DeleteObjects"
-	ActionGetBucketAcl                  = "s3_GetBucketAcl"
-	ActionGetBucketPolicy               = "s3_GetBucketPolicy"
-	ActionGetBucketTagging              = "s3_GetBucketTagging"
-	ActionGetBucketVersioning           = "s3_GetBucketVersioning"
-	ActionGetObject                     = "s3_GetObject"
-	ActionGetObjectAcl                  = "s3_GetObjectAcl"
-	ActionGetObjectAttributes           = "s3_GetObjectAttributes"
-	ActionGetObjectLegalHold            = "s3_GetObjectLegalHold"
-	ActionGetObjectLockConfiguration    = "s3_GetObjectLockConfiguration"
-	ActionGetObjectRetention            = "s3_GetObjectRetention"
-	ActionGetObjectTagging              = "s3_GetObjectTagging"
-	ActionHeadBucket                    = "s3_HeadBucket"
-	ActionHeadObject                    = "s3_HeadObject"
-	ActionListAllMyBuckets              = "s3_ListAllMyBuckets"
-	ActionListMultipartUploads          = "s3_ListMultipartUploads"
-	ActionListObjectVersions            = "s3_ListObjectVersions"
-	ActionListObjects                   = "s3_ListObjects"
-	ActionListObjectsV2                 = "s3_ListObjectsV2"
-	ActionListParts                     = "s3_ListParts"
-	ActionPutBucketAcl                  = "s3_PutBucketAcl"
-	ActionPutBucketPolicy               = "s3_PutBucketPolicy"
-	ActionPutBucketTagging              = "s3_PutBucketTagging"
-	ActionPutBucketVersioning           = "s3_PutBucketVersioning"
-	ActionPutObject                     = "s3_PutObject"
-	ActionPutObjectAcl                  = "s3_PutObjectAcl"
-	ActionPutObjectLegalHold            = "s3_PutObjectLegalHold"
-	ActionPutObjectLockConfiguration    = "s3_PutObjectLockConfiguration"
-	ActionPutObjectRetention            = "s3_PutObjectRetention"
-	ActionPutObjectTagging              = "s3_PutObjectTagging"
-	ActionRestoreObject                 = "s3_RestoreObject"
-	ActionSelectObjectContent           = "s3_SelectObjectContent"
-	ActionUploadPart                    = "s3_UploadPart"
-	ActionUploadPartCopy                = "s3_UploadPartCopy"
-	ActionPutBucketOwnershipControls    = "s3_PutBucketOwnershipControls"
-	ActionGetBucketOwnershipControls    = "s3_GetBucketOwnershipControls"
-	ActionDeleteBucketOwnershipControls = "s3_DeleteBucketOwnershipControls"
-	ActionPutBucketCors                 = "s3_PutBucketCors"
-	ActionGetBucketCors                 = "s3_GetBucketCors"
-	ActionDeleteBucketCors              = "s3_DeleteBucketCors"
+	ActionUndetected                                  = "ActionUnDetected"
+	ActionAbortMultipartUpload                        = "s3_AbortMultipartUpload"
+	ActionCompleteMultipartUpload                     = "s3_CompleteMultipartUpload"
+	ActionCopyObject                                  = "s3_CopyObject"
+	ActionCreateBucket                                = "s3_CreateBucket"
+	ActionCreateMultipartUpload                       = "s3_CreateMultipartUpload"
+	ActionDeleteBucket                                = "s3_DeleteBucket"
+	ActionDeleteBucketPolicy                          = "s3_DeleteBucketPolicy"
+	ActionDeleteBucketTagging                         = "s3_DeleteBucketTagging"
+	ActionDeleteObject                                = "s3_DeleteObject"
+	ActionDeleteObjectTagging                         = "s3_DeleteObjectTagging"
+	ActionDeleteObjects                               = "s3_DeleteObjects"
+	ActionGetBucketAcl                                = "s3_GetBucketAcl"
+	ActionGetBucketPolicy                             = "s3_GetBucketPolicy"
+	ActionGetBucketTagging                            = "s3_GetBucketTagging"
+	ActionGetBucketVersioning                         = "s3_GetBucketVersioning"
+	ActionGetObject                                   = "s3_GetObject"
+	ActionGetObjectAcl                                = "s3_GetObjectAcl"
+	ActionGetObjectAttributes                         = "s3_GetObjectAttributes"
+	ActionGetObjectLegalHold                          = "s3_GetObjectLegalHold"
+	ActionGetObjectLockConfiguration                  = "s3_GetObjectLockConfiguration"
+	ActionGetObjectRetention                          = "s3_GetObjectRetention"
+	ActionGetObjectTagging                            = "s3_GetObjectTagging"
+	ActionHeadBucket                                  = "s3_HeadBucket"
+	ActionHeadObject                                  = "s3_HeadObject"
+	ActionListAllMyBuckets                            = "s3_ListAllMyBuckets"
+	ActionListMultipartUploads                        = "s3_ListMultipartUploads"
+	ActionListObjectVersions                          = "s3_ListObjectVersions"
+	ActionListObjects                                 = "s3_ListObjects"
+	ActionListObjectsV2                               = "s3_ListObjectsV2"
+	ActionListParts                                   = "s3_ListParts"
+	ActionPutBucketAcl                                = "s3_PutBucketAcl"
+	ActionPutBucketPolicy                             = "s3_PutBucketPolicy"
+	ActionPutBucketTagging                            = "s3_PutBucketTagging"
+	ActionPutBucketVersioning                         = "s3_PutBucketVersioning"
+	ActionPutObject                                   = "s3_PutObject"
+	ActionPutObjectAcl                                = "s3_PutObjectAcl"
+	ActionPutObjectLegalHold                          = "s3_PutObjectLegalHold"
+	ActionPutObjectLockConfiguration                  = "s3_PutObjectLockConfiguration"
+	ActionPutObjectRetention                          = "s3_PutObjectRetention"
+	ActionPutObjectTagging                            = "s3_PutObjectTagging"
+	ActionRestoreObject                               = "s3_RestoreObject"
+	ActionSelectObjectContent                         = "s3_SelectObjectContent"
+	ActionUploadPart                                  = "s3_UploadPart"
+	ActionUploadPartCopy                              = "s3_UploadPartCopy"
+	ActionPutBucketOwnershipControls                  = "s3_PutBucketOwnershipControls"
+	ActionGetBucketOwnershipControls                  = "s3_GetBucketOwnershipControls"
+	ActionDeleteBucketOwnershipControls               = "s3_DeleteBucketOwnershipControls"
+	ActionPutBucketCors                               = "s3_PutBucketCors"
+	ActionGetBucketCors                               = "s3_GetBucketCors"
+	ActionDeleteBucketCors                            = "s3_DeleteBucketCors"
+	ActionOptions                                     = "s3_Options"
+	ActionPutBucketAnalyticsConfiguration             = "s3_PutBucketAnalyticsConfiguration"
+	ActionGetBucketAnalyticsConfiguration             = "s3_GetBucketAnalyticsConfiguration"
+	ActionListBucketAnalyticsConfigurations           = "s3_ListBucketAnalyticsConfigurations"
+	ActionDeleteBucketAnalyticsConfiguration          = "s3_DeleteBucketAnalyticsConfiguration"
+	ActionPutBucketEncryption                         = "s3_PutBucketEncryption"
+	ActionGetBucketEncryption                         = "s3_GetBucketEncryption"
+	ActionDeleteBucketEncryption                      = "s3_DeleteBucketEncryption"
+	ActionPutBucketIntelligentTieringConfiguration    = "s3_PutBucketIntelligentTieringConfiguration"
+	ActionGetBucketIntelligentTieringConfiguration    = "s3_GetBucketIntelligentTieringConfiguration"
+	ActionListBucketIntelligentTieringConfigurations  = "s3_ListBucketIntelligentTieringConfigurations"
+	ActionDeleteBucketIntelligentTieringConfiguration = "s3_DeleteBucketIntelligentTieringConfiguration"
+	ActionPutBucketInventoryConfiguration             = "s3_PutBucketInventoryConfiguration"
+	ActionGetBucketInventoryConfiguration             = "s3_GetBucketInventoryConfiguration"
+	ActionListBucketInventoryConfigurations           = "s3_ListBucketInventoryConfigurations"
+	ActionDeleteBucketInventoryConfiguration          = "s3_DeleteBucketInventoryConfiguration"
+	ActionPutBucketLifecycleConfiguration             = "s3_PutBucketLifecycleConfiguration"
+	ActionGetBucketLifecycleConfiguration             = "s3_GetBucketLifecycleConfiguration"
+	ActionDeleteBucketLifecycle                       = "s3_DeleteBucketLifecycle"
+	ActionPutBucketLogging                            = "s3_PutBucketLogging"
+	ActionGetBucketLogging                            = "s3_GetBucketLogging"
+	ActionPutBucketRequestPayment                     = "s3_PutBucketRequestPayment"
+	ActionGetBucketRequestPayment                     = "s3_GetBucketRequestPayment"
+	ActionPutBucketMetricsConfiguration               = "s3_PutBucketMetricsConfiguration"
+	ActionGetBucketMetricsConfiguration               = "s3_GetBucketMetricsConfiguration"
+	ActionListBucketMetricsConfigurations             = "s3_ListBucketMetricsConfigurations"
+	ActionDeleteBucketMetricsConfiguration            = "s3_DeleteBucketMetricsConfiguration"
+	ActionPutBucketReplication                        = "s3_PutBucketReplication"
+	ActionGetBucketReplication                        = "s3_GetBucketReplication"
+	ActionDeleteBucketReplication                     = "s3_DeleteBucketReplication"
+	ActionPutPublicAccessBlock                        = "s3_PutPublicAccessBlock"
+	ActionGetPublicAccessBlock                        = "s3_GetPublicAccessBlock"
+	ActionDeletePublicAccessBlock                     = "s3_DeletePublicAccessBlock"
+	ActionPutBucketNotificationConfiguration          = "s3_PutBucketNotificationConfiguration"
+	ActionGetBucketNotificationConfiguration          = "s3_GetBucketNotificationConfiguration"
+	ActionPutBucketAccelerateConfiguration            = "s3_PutBucketAccelerateConfiguration"
+	ActionGetBucketAccelerateConfiguration            = "s3_GetBucketAccelerateConfiguration"
+	ActionPutBucketWebsite                            = "s3_PutBucketWebsite"
+	ActionGetBucketWebsite                            = "s3_GetBucketWebsite"
+	ActionDeleteBucketWebsite                         = "s3_DeleteBucketWebsite"
+	ActionGetBucketPolicyStatus                       = "s3_GetBucketPolicyStatus"
+	ActionGetBucketLocation                           = "s3_GetBucketLocation"

 	// Admin actions
 	ActionAdminCreateUser        = "admin_CreateUser"
@@ -83,6 +125,7 @@ var (
 	ActionAdminChangeBucketOwner = "admin_ChangeBucketOwner"
 	ActionAdminListUsers         = "admin_ListUsers"
 	ActionAdminListBuckets       = "admin_ListBuckets"
+	ActionAdminCreateBucket      = "admin_CreateBucket"
 )

 func init() {
@@ -281,4 +324,184 @@ func init() {
 		Name:    "DeleteBucketCors",
 		Service: "s3",
 	}
+	ActionMap[ActionPutBucketOwnershipControls] = Action{
+		Name:    "PutBucketOwnershipControls",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketOwnershipControls] = Action{
+		Name:    "GetBucketOwnershipControls",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketOwnershipControls] = Action{
+		Name:    "DeleteBucketOwnershipControls",
+		Service: "s3",
+	}
+	ActionMap[ActionOptions] = Action{
+		Name:    "Options",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketAnalyticsConfiguration] = Action{
+		Name:    "PutBucketAnalyticsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketAnalyticsConfiguration] = Action{
+		Name:    "GetBucketAnalyticsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionListBucketAnalyticsConfigurations] = Action{
+		Name:    "ListBucketAnalyticsConfigurations",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketAnalyticsConfiguration] = Action{
+		Name:    "DeleteBucketAnalyticsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketEncryption] = Action{
+		Name:    "PutBucketEncryption",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketEncryption] = Action{
+		Name:    "GetBucketEncryption",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketEncryption] = Action{
+		Name:    "DeleteBucketEncryption",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketIntelligentTieringConfiguration] = Action{
+		Name:    "PutBucketIntelligentTieringConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketIntelligentTieringConfiguration] = Action{
+		Name:    "GetBucketIntelligentTieringConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionListBucketIntelligentTieringConfigurations] = Action{
+		Name:    "ListBucketIntelligentTieringConfigurations",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketIntelligentTieringConfiguration] = Action{
+		Name:    "DeleteBucketIntelligentTieringConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketInventoryConfiguration] = Action{
+		Name:    "PutBucketInventoryConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketInventoryConfiguration] = Action{
+		Name:    "GetBucketInventoryConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionListBucketInventoryConfigurations] = Action{
+		Name:    "ListBucketInventoryConfigurations",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketInventoryConfiguration] = Action{
+		Name:    "DeleteBucketInventoryConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketLifecycleConfiguration] = Action{
+		Name:    "PutBucketLifecycleConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketLifecycleConfiguration] = Action{
+		Name:    "GetBucketLifecycleConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketLifecycle] = Action{
+		Name:    "DeleteBucketLifecycle",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketLogging] = Action{
+		Name:    "PutBucketLogging",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketLogging] = Action{
+		Name:    "GetBucketLogging",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketRequestPayment] = Action{
+		Name:    "PutBucketRequestPayment",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketRequestPayment] = Action{
+		Name:    "GetBucketRequestPayment",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketMetricsConfiguration] = Action{
+		Name:    "PutBucketMetricsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketMetricsConfiguration] = Action{
+		Name:    "GetBucketMetricsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionListBucketMetricsConfigurations] = Action{
+		Name:    "ListBucketMetricsConfigurations",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketMetricsConfiguration] = Action{
+		Name:    "DeleteBucketMetricsConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketReplication] = Action{
+		Name:    "PutBucketReplication",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketReplication] = Action{
+		Name:    "GetBucketReplication",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketReplication] = Action{
+		Name:    "DeleteBucketReplication",
+		Service: "s3",
+	}
+	ActionMap[ActionPutPublicAccessBlock] = Action{
+		Name:    "PutPublicAccessBlock",
+		Service: "s3",
+	}
+	ActionMap[ActionGetPublicAccessBlock] = Action{
+		Name:    "GetPublicAccessBlock",
+		Service: "s3",
+	}
+	ActionMap[ActionDeletePublicAccessBlock] = Action{
+		Name:    "DeletePublicAccessBlock",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketNotificationConfiguration] = Action{
+		Name:    "PutBucketNotificationConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketNotificationConfiguration] = Action{
+		Name:    "GetBucketNotificationConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketAccelerateConfiguration] = Action{
+		Name:    "PutBucketAccelerateConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketAccelerateConfiguration] = Action{
+		Name:    "GetBucketAccelerateConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketWebsite] = Action{
+		Name:    "PutBucketWebsite",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketWebsite] = Action{
+		Name:    "GetBucketWebsite",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketWebsite] = Action{
+		Name:    "DeleteBucketWebsite",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketPolicyStatus] = Action{
+		Name:    "GetBucketPolicyStatus",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketLocation] = Action{
+		Name:    "GetBucketLocation",
+		Service: "s3",
+	}
 }
--- a/metrics/metrics.go
+++ b/metrics/metrics.go
@@ -41,8 +41,14 @@ type Tag struct {
 	Value string
 }

-// Manager is a manager of metrics plugins
-type Manager struct {
+// Manager is the interface definition for metrics manager
+type Manager interface {
+	Send(ctx *fiber.Ctx, err error, action string, count int64, status int)
+	Close()
+}
+
+// manager is a manager of metrics plugins
+type manager struct {
 	wg  sync.WaitGroup
 	ctx context.Context

@@ -59,7 +65,7 @@ type Config struct {
 }

 // NewManager initializes metrics plugins and returns a new metrics manager
-func NewManager(ctx context.Context, conf Config) (*Manager, error) {
+func NewManager(ctx context.Context, conf Config) (Manager, error) {
 	if len(conf.StatsdServers) == 0 && len(conf.DogStatsdServers) == 0 {
 		return nil, nil
 	}
@@ -74,7 +80,7 @@ func NewManager(ctx context.Context, conf Config) (*Manager, error) {

 	addDataChan := make(chan datapoint, dataItemCount)

-	mgr := &Manager{
+	mgr := &manager{
 		addDataChan: addDataChan,
 		ctx:         ctx,
 		config:      conf,
@@ -112,7 +118,7 @@ func NewManager(ctx context.Context, conf Config) (*Manager, error) {
 	return mgr, nil
 }

-func (m *Manager) Send(ctx *fiber.Ctx, err error, action string, count int64, status int) {
+func (m *manager) Send(ctx *fiber.Ctx, err error, action string, count int64, status int) {
 	// In case of Authentication failures, url parsing ...
 	if action == "" {
 		action = ActionUndetected
@@ -168,12 +174,12 @@ func (m *Manager) Send(ctx *fiber.Ctx, err error, action string, count int64, st
 }

 // increment increments the key by one
-func (m *Manager) increment(key string, tags ...Tag) {
+func (m *manager) increment(key string, tags ...Tag) {
 	m.add(key, 1, tags...)
 }

 // add adds value to key
-func (m *Manager) add(key string, value int64, tags ...Tag) {
+func (m *manager) add(key string, value int64, tags ...Tag) {
 	if m.ctx.Err() != nil {
 		return
 	}
@@ -192,7 +198,7 @@ func (m *Manager) add(key string, value int64, tags ...Tag) {
 }

 // Close closes metrics channels, waits for data to complete, closes all plugins
-func (m *Manager) Close() {
+func (m *manager) Close() {
 	// drain the datapoint channels
 	close(m.addDataChan)
 	m.wg.Wait()
@@ -209,7 +215,7 @@ type publisher interface {
 	Close()
 }

-func (m *Manager) addForwarder(addChan <-chan datapoint) {
+func (m *manager) addForwarder(addChan <-chan datapoint) {
 	for data := range addChan {
 		for _, s := range m.publishers {
 			s.Add(data.key, data.value, data.tags...)
--- a/runtests.sh
+++ b/runtests.sh
@@ -16,7 +16,6 @@ ECHO "Generating TLS certificate and key in the cert.pem and key.pem files"
 openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048
 openssl req -new -x509 -key key.pem -out cert.pem -days 365 -subj "/C=US/ST=California/L=San Francisco/O=Versity/OU=Software/CN=versity.com"

-
 ECHO "Running the sdk test over http"
 # run server in background not versioning-enabled
 # port: 7070(default)
@@ -33,7 +32,7 @@ fi

 # run tests
 # full flow tests
-if ! ./versitygw test -a user -s pass -e http://127.0.0.1:7070 full-flow; then
+if ! ./versitygw test -a user -s pass -e http://127.0.0.1:7070 full-flow --parallel; then
 	echo "full flow tests failed"
 	kill $GW_PID
 	exit 1
@@ -70,7 +69,7 @@ fi

 # run tests
 # full flow tests
-if ! ./versitygw test --allow-insecure -a user -s pass -e https://127.0.0.1:7071 full-flow; then
+if ! ./versitygw test --allow-insecure -a user -s pass -e https://127.0.0.1:7071 full-flow --parallel; then
 	echo "full flow tests failed"
 	kill $GW_HTTPS_PID
 	exit 1
@@ -90,7 +89,6 @@ fi

 kill $GW_HTTPS_PID

-
 ECHO "Running the sdk test over http against the versioning-enabled gateway"
 # run server in background versioning-enabled
 # port: 7072
@@ -108,7 +106,7 @@ fi

 # run tests
 # full flow tests
-if ! ./versitygw test -a user -s pass -e http://127.0.0.1:7072 full-flow -vs; then
+if ! ./versitygw test -a user -s pass -e http://127.0.0.1:7072 full-flow -vs --parallel; then
 	echo "versioning-enabled full-flow tests failed"
 	kill $GW_VS_PID
 	exit 1
@@ -140,7 +138,7 @@ fi

 # run tests
 # full flow tests
-if ! ./versitygw test --allow-insecure -a user -s pass -e https://127.0.0.1:7073 full-flow -vs; then
+if ! ./versitygw test --allow-insecure -a user -s pass -e https://127.0.0.1:7073 full-flow -vs --parallel; then
 	echo "versioning-enabled full-flow tests failed"
 	kill $GW_VS_HTTPS_PID
 	exit 1
@@ -162,4 +160,3 @@ exit 0
 # go tool covdata percent -i=/tmp/covdata
 # go tool covdata textfmt -i=/tmp/covdata -o profile.txt
 # go tool cover -html=profile.txt
-
--- a/s3api/admin-router.go
+++ b/s3api/admin-router.go
@@ -18,30 +18,101 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/controllers"
+	"github.com/versity/versitygw/s3api/middlewares"
 	"github.com/versity/versitygw/s3log"
 )

-type S3AdminRouter struct{}
+type S3AdminRouter struct {
+	s3api controllers.S3ApiController
+}

-func (ar *S3AdminRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMService, logger s3log.AuditLogger) {
-	controller := controllers.NewAdminController(iam, be, logger)
+func (ar *S3AdminRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMService, logger s3log.AuditLogger, root middlewares.RootUserConfig, region string, debug bool, corsAllowOrigin string) {
+	ctrl := controllers.NewAdminController(iam, be, logger, ar.s3api)
+	services := &controllers.Services{
+		Logger: logger,
+	}

 	// CreateUser admin api
-	app.Patch("/create-user", controller.CreateUser)
+	app.Patch("/create-user",
+		controllers.ProcessHandlers(ctrl.CreateUser, metrics.ActionAdminCreateUser, services,
+			middlewares.VerifyV4Signature(root, iam, region, false, true),
+			middlewares.IsAdmin(metrics.ActionAdminCreateUser),
+			middlewares.ApplyDefaultCORS(corsAllowOrigin),
+		))
+	app.Options("/create-user",
+		middlewares.ApplyDefaultCORSPreflight(corsAllowOrigin),
+		middlewares.ApplyDefaultCORS(corsAllowOrigin),
+	)

 	// DeleteUsers admin api
-	app.Patch("/delete-user", controller.DeleteUser)
+	app.Patch("/delete-user",
+		controllers.ProcessHandlers(ctrl.DeleteUser, metrics.ActionAdminDeleteUser, services,
+			middlewares.VerifyV4Signature(root, iam, region, false, true),
+			middlewares.IsAdmin(metrics.ActionAdminDeleteUser),
+			middlewares.ApplyDefaultCORS(corsAllowOrigin),
+		))
+	app.Options("/delete-user",
+		middlewares.ApplyDefaultCORSPreflight(corsAllowOrigin),
+		middlewares.ApplyDefaultCORS(corsAllowOrigin),
+	)

 	// UpdateUser admin api
-	app.Patch("/update-user", controller.UpdateUser)
+	app.Patch("/update-user",
+		controllers.ProcessHandlers(ctrl.UpdateUser, metrics.ActionAdminUpdateUser, services,
+			middlewares.VerifyV4Signature(root, iam, region, false, true),
+			middlewares.IsAdmin(metrics.ActionAdminUpdateUser),
+			middlewares.ApplyDefaultCORS(corsAllowOrigin),
+		))
+	app.Options("/update-user",
+		middlewares.ApplyDefaultCORSPreflight(corsAllowOrigin),
+		middlewares.ApplyDefaultCORS(corsAllowOrigin),
+	)

 	// ListUsers admin api
-	app.Patch("/list-users", controller.ListUsers)
+	app.Patch("/list-users",
+		controllers.ProcessHandlers(ctrl.ListUsers, metrics.ActionAdminListUsers, services,
+			middlewares.VerifyV4Signature(root, iam, region, false, true),
+			middlewares.IsAdmin(metrics.ActionAdminListUsers),
+			middlewares.ApplyDefaultCORS(corsAllowOrigin),
+		))
+	app.Options("/list-users",
+		middlewares.ApplyDefaultCORSPreflight(corsAllowOrigin),
+		middlewares.ApplyDefaultCORS(corsAllowOrigin),
+	)

 	// ChangeBucketOwner admin api
-	app.Patch("/change-bucket-owner", controller.ChangeBucketOwner)
+	app.Patch("/change-bucket-owner",
+		controllers.ProcessHandlers(ctrl.ChangeBucketOwner, metrics.ActionAdminChangeBucketOwner, services,
+			middlewares.VerifyV4Signature(root, iam, region, false, true),
+			middlewares.IsAdmin(metrics.ActionAdminChangeBucketOwner),
+			middlewares.ApplyDefaultCORS(corsAllowOrigin),
+		))
+	app.Options("/change-bucket-owner",
+		middlewares.ApplyDefaultCORSPreflight(corsAllowOrigin),
+		middlewares.ApplyDefaultCORS(corsAllowOrigin),
+	)

 	// ListBucketsAndOwners admin api
-	app.Patch("/list-buckets", controller.ListBuckets)
+	app.Patch("/list-buckets",
+		controllers.ProcessHandlers(ctrl.ListBuckets, metrics.ActionAdminListBuckets, services,
+			middlewares.VerifyV4Signature(root, iam, region, false, true),
+			middlewares.IsAdmin(metrics.ActionAdminListBuckets),
+			middlewares.ApplyDefaultCORS(corsAllowOrigin),
+		))
+	app.Options("/list-buckets",
+		middlewares.ApplyDefaultCORSPreflight(corsAllowOrigin),
+		middlewares.ApplyDefaultCORS(corsAllowOrigin),
+	)
+
+	app.Patch("/:bucket/create",
+		controllers.ProcessHandlers(ctrl.CreateBucket, metrics.ActionAdminListBuckets, services,
+			middlewares.VerifyV4Signature(root, iam, region, false, true),
+			middlewares.IsAdmin(metrics.ActionAdminCreateBucket),
+		))
+	app.Options("/:bucket/create",
+		middlewares.ApplyDefaultCORSPreflight(corsAllowOrigin),
+		middlewares.ApplyDefaultCORS(corsAllowOrigin),
+	)
 }
--- a/s3api/admin-server.go
+++ b/s3api/admin-server.go
@@ -15,61 +15,111 @@
 package s3api

 import (
-	"crypto/tls"
-
 	"github.com/gofiber/fiber/v2"
 	"github.com/gofiber/fiber/v2/middleware/logger"
+	"github.com/gofiber/fiber/v2/middleware/recover"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/controllers"
 	"github.com/versity/versitygw/s3api/middlewares"
+	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3log"
 )

 type S3AdminServer struct {
-	app     *fiber.App
-	backend backend.Backend
-	router  *S3AdminRouter
-	port    string
-	cert    *tls.Certificate
+	app             *fiber.App
+	backend         backend.Backend
+	router          *S3AdminRouter
+	port            string
+	CertStorage     *utils.CertStorage
+	quiet           bool
+	debug           bool
+	corsAllowOrigin string
 }

-func NewAdminServer(app *fiber.App, be backend.Backend, root middlewares.RootUserConfig, port, region string, iam auth.IAMService, l s3log.AuditLogger, opts ...AdminOpt) *S3AdminServer {
+func NewAdminServer(be backend.Backend, root middlewares.RootUserConfig, port, region string, iam auth.IAMService, l s3log.AuditLogger, ctrl controllers.S3ApiController, opts ...AdminOpt) *S3AdminServer {
 	server := &S3AdminServer{
-		app:     app,
 		backend: be,
-		router:  new(S3AdminRouter),
-		port:    port,
+		router: &S3AdminRouter{
+			s3api: ctrl,
+		},
+		port: port,
 	}

 	for _, opt := range opts {
 		opt(server)
 	}

+	app := fiber.New(fiber.Config{
+		AppName:               "versitygw",
+		ServerHeader:          "VERSITYGW",
+		Network:               fiber.NetworkTCP,
+		DisableStartupMessage: true,
+		ErrorHandler:          globalErrorHandler,
+	})
+
+	server.app = app
+
+	app.Use(recover.New(
+		recover.Config{
+			EnableStackTrace:  true,
+			StackTraceHandler: stackTraceHandler,
+		}))
+
 	// Logging middlewares
-	app.Use(logger.New())
-	app.Use(middlewares.DecodeURL(l, nil))
+	if !server.quiet {
+		app.Use(logger.New(logger.Config{
+			Format: "${time} | adm | ${status} | ${latency} | ${ip} | ${method} | ${path} | ${error} | ${queryParams}\n",
+		}))
+	}
+	app.Use(controllers.WrapMiddleware(middlewares.DecodeURL, l, nil))

-	// Authentication middlewares
-	app.Use(middlewares.VerifyV4Signature(root, iam, l, nil, region, false))
-	app.Use(middlewares.VerifyMD5Body(l))
+	// initialize the debug logger in debug mode
+	if debuglogger.IsDebugEnabled() {
+		app.Use(middlewares.DebugLogger())
+	}

-	// Admin role checker
-	app.Use(middlewares.IsAdmin(l))
-
-	server.router.Init(app, be, iam, l)
+	server.router.Init(app, be, iam, l, root, region, server.debug, server.corsAllowOrigin)

 	return server
 }

 type AdminOpt func(s *S3AdminServer)

-func WithAdminSrvTLS(cert tls.Certificate) AdminOpt {
-	return func(s *S3AdminServer) { s.cert = &cert }
+func WithAdminSrvTLS(cs *utils.CertStorage) AdminOpt {
+	return func(s *S3AdminServer) { s.CertStorage = cs }
+}
+
+// WithQuiet silences default logging output
+func WithAdminQuiet() AdminOpt {
+	return func(s *S3AdminServer) { s.quiet = true }
+}
+
+// WithAdminDebug enables the debug logging
+func WithAdminDebug() AdminOpt {
+	return func(s *S3AdminServer) { s.debug = true }
+}
+
+// WithAdminCORSAllowOrigin sets the default CORS Access-Control-Allow-Origin value
+// for the standalone admin server.
+func WithAdminCORSAllowOrigin(origin string) AdminOpt {
+	return func(s *S3AdminServer) { s.corsAllowOrigin = origin }
 }

 func (sa *S3AdminServer) Serve() (err error) {
-	if sa.cert != nil {
-		return sa.app.ListenTLSWithCertificate(sa.port, *sa.cert)
+	if sa.CertStorage != nil {
+		ln, err := utils.NewTLSListener(sa.app.Config().Network, sa.port, sa.CertStorage.GetCertificate)
+		if err != nil {
+			return err
+		}
+
+		return sa.app.Listener(ln)
 	}
 	return sa.app.Listen(sa.port)
 }
+
+// ShutDown gracefully shuts down the server with a context timeout
+func (sa S3AdminServer) Shutdown() error {
+	return sa.app.ShutdownWithTimeout(shutDownDuration)
+}
--- a/s3api/controllers/admin.go
+++ b/s3api/controllers/admin.go
@@ -15,49 +15,42 @@
 package controllers

 import (
-	"encoding/json"
 	"encoding/xml"
-	"fmt"
 	"net/http"
 	"strings"

-	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
-	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3err"
 	"github.com/versity/versitygw/s3log"
 	"github.com/versity/versitygw/s3response"
 )

 type AdminController struct {
-	iam auth.IAMService
-	be  backend.Backend
-	l   s3log.AuditLogger
+	iam   auth.IAMService
+	be    backend.Backend
+	l     s3log.AuditLogger
+	s3api S3ApiController
 }

-func NewAdminController(iam auth.IAMService, be backend.Backend, l s3log.AuditLogger) AdminController {
-	return AdminController{iam: iam, be: be, l: l}
+func NewAdminController(iam auth.IAMService, be backend.Backend, l s3log.AuditLogger, s3api S3ApiController) AdminController {
+	return AdminController{iam: iam, be: be, l: l, s3api: s3api}
 }

-func (c AdminController) CreateUser(ctx *fiber.Ctx) error {
+func (c AdminController) CreateUser(ctx *fiber.Ctx) (*Response, error) {
 	var usr auth.Account
 	err := xml.Unmarshal(ctx.Body(), &usr)
 	if err != nil {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedXML),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminCreateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

 	if !usr.Role.IsValid() {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminInvalidUserRole),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminCreateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminInvalidUserRole)
 	}

 	err = c.iam.CreateAccount(usr)
@@ -66,47 +59,38 @@ func (c AdminController) CreateUser(ctx *fiber.Ctx) error {
 			err = s3err.GetAPIError(s3err.ErrAdminUserExists)
 		}

-		return SendResponse(ctx, err,
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminCreateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, err
 	}

-	return SendResponse(ctx, nil,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminCreateUser,
+	return &Response{
+		MetaOpts: &MetaOptions{
 			Status: http.StatusCreated,
-		})
+		},
+	}, nil
 }

-func (c AdminController) UpdateUser(ctx *fiber.Ctx) error {
+func (c AdminController) UpdateUser(ctx *fiber.Ctx) (*Response, error) {
 	access := ctx.Query("access")
 	if access == "" {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminMissingUserAcess),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminUpdateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminMissingUserAcess)
 	}

 	var props auth.MutableProps
 	if err := xml.Unmarshal(ctx.Body(), &props); err != nil {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedXML),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminUpdateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

 	err := props.Validate()
 	if err != nil {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminInvalidUserRole),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminUpdateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminInvalidUserRole)
 	}

 	err = c.iam.UpdateUserAccount(access, props)
@@ -115,98 +99,102 @@ func (c AdminController) UpdateUser(ctx *fiber.Ctx) error {
 			err = s3err.GetAPIError(s3err.ErrAdminUserNotFound)
 		}

-		return SendResponse(ctx, err,
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminUpdateUser,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, err
 	}

-	return SendResponse(ctx, nil,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminUpdateUser,
-		})
+	return &Response{
+		MetaOpts: &MetaOptions{},
+	}, nil
 }

-func (c AdminController) DeleteUser(ctx *fiber.Ctx) error {
+func (c AdminController) DeleteUser(ctx *fiber.Ctx) (*Response, error) {
 	access := ctx.Query("access")
+	if access == "" {
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminMissingUserAcess)
+	}

 	err := c.iam.DeleteUserAccount(access)
-	return SendResponse(ctx, err,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminDeleteUser,
-		})
+	return &Response{
+		MetaOpts: &MetaOptions{},
+	}, err
 }

-func (c AdminController) ListUsers(ctx *fiber.Ctx) error {
+func (c AdminController) ListUsers(ctx *fiber.Ctx) (*Response, error) {
 	accs, err := c.iam.ListUserAccounts()
-	return SendXMLResponse(ctx,
-		auth.ListUserAccountsResult{
-			Accounts: accs,
-		}, err,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminListUsers,
-		})
+	return &Response{
+		Data:     auth.ListUserAccountsResult{Accounts: accs},
+		MetaOpts: &MetaOptions{},
+	}, err
 }

-func (c AdminController) ChangeBucketOwner(ctx *fiber.Ctx) error {
+func (c AdminController) ChangeBucketOwner(ctx *fiber.Ctx) (*Response, error) {
 	owner := ctx.Query("owner")
 	bucket := ctx.Query("bucket")

 	accs, err := auth.CheckIfAccountsExist([]string{owner}, c.iam)
 	if err != nil {
-		return SendResponse(ctx, err,
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminChangeBucketOwner,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, err
 	}
 	if len(accs) > 0 {
-		return SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminUserNotFound),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminChangeBucketOwner,
-			})
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminUserNotFound)
 	}

-	acl := auth.ACL{
-		Owner: owner,
-		Grantees: []auth.Grantee{
-			{
-				Permission: auth.PermissionFullControl,
-				Access:     owner,
-				Type:       types.TypeCanonicalUser,
-			},
-		},
-	}
-
-	aclParsed, err := json.Marshal(acl)
-	if err != nil {
-		return SendResponse(ctx, fmt.Errorf("failed to marshal the bucket acl: %w", err),
-			&MetaOpts{
-				Logger: c.l,
-				Action: metrics.ActionAdminChangeBucketOwner,
-			})
-	}
-
-	err = c.be.ChangeBucketOwner(ctx.Context(), bucket, aclParsed)
-	return SendResponse(ctx, err,
-		&MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminChangeBucketOwner,
-		})
+	err = c.be.ChangeBucketOwner(ctx.Context(), bucket, owner)
+	return &Response{
+		MetaOpts: &MetaOptions{},
+	}, err
 }

-func (c AdminController) ListBuckets(ctx *fiber.Ctx) error {
+func (c AdminController) ListBuckets(ctx *fiber.Ctx) (*Response, error) {
 	buckets, err := c.be.ListBucketsAndOwners(ctx.Context())
-	return SendXMLResponse(ctx,
-		s3response.ListBucketsResult{
+	return &Response{
+		Data: s3response.ListBucketsResult{
 			Buckets: buckets,
-		}, err, &MetaOpts{
-			Logger: c.l,
-			Action: metrics.ActionAdminListBuckets,
-		})
+		},
+		MetaOpts: &MetaOptions{},
+	}, err
+}
+
+func (c AdminController) CreateBucket(ctx *fiber.Ctx) (*Response, error) {
+	owner := ctx.Get("x-vgw-owner")
+	if owner == "" {
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAdminEmptyBucketOwnerHeader)
+	}
+
+	acc, err := c.iam.GetUserAccount(owner)
+	if err != nil {
+		if err == auth.ErrNoSuchUser {
+			err = s3err.GetAPIError(s3err.ErrAdminUserNotFound)
+		}
+
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, err
+	}
+
+	// store the owner access key id in context
+	ctx.Context().SetUserValue("bucket-owner", acc)
+
+	_, err = c.s3api.CreateBucket(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, err
+	}
+
+	return &Response{
+		MetaOpts: &MetaOptions{
+			Status: http.StatusCreated,
+		},
+	}, nil
 }
--- a/s3api/controllers/admin_test.go
+++ b/s3api/controllers/admin_test.go
--- a/s3api/controllers/backend_moq_test.go
+++ b/s3api/controllers/backend_moq_test.go
@@ -26,7 +26,7 @@ var _ backend.Backend = &BackendMock{}
 //			AbortMultipartUploadFunc: func(contextMoqParam context.Context, abortMultipartUploadInput *s3.AbortMultipartUploadInput) error {
 //				panic("mock out the AbortMultipartUpload method")
 //			},
-//			ChangeBucketOwnerFunc: func(contextMoqParam context.Context, bucket string, acl []byte) error {
+//			ChangeBucketOwnerFunc: func(contextMoqParam context.Context, bucket string, owner string) error {
 //				panic("mock out the ChangeBucketOwner method")
 //			},
 //			CompleteMultipartUploadFunc: func(contextMoqParam context.Context, completeMultipartUploadInput *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error) {
@@ -59,7 +59,7 @@ var _ backend.Backend = &BackendMock{}
 //			DeleteObjectFunc: func(contextMoqParam context.Context, deleteObjectInput *s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error) {
 //				panic("mock out the DeleteObject method")
 //			},
-//			DeleteObjectTaggingFunc: func(contextMoqParam context.Context, bucket string, object string) error {
+//			DeleteObjectTaggingFunc: func(contextMoqParam context.Context, bucket string, object string, versionId string) error {
 //				panic("mock out the DeleteObjectTagging method")
 //			},
 //			DeleteObjectsFunc: func(contextMoqParam context.Context, deleteObjectsInput *s3.DeleteObjectsInput) (s3response.DeleteResult, error) {
@@ -101,7 +101,7 @@ var _ backend.Backend = &BackendMock{}
 //			GetObjectRetentionFunc: func(contextMoqParam context.Context, bucket string, object string, versionId string) ([]byte, error) {
 //				panic("mock out the GetObjectRetention method")
 //			},
-//			GetObjectTaggingFunc: func(contextMoqParam context.Context, bucket string, object string) (map[string]string, error) {
+//			GetObjectTaggingFunc: func(contextMoqParam context.Context, bucket string, object string, versionId string) (map[string]string, error) {
 //				panic("mock out the GetObjectTagging method")
 //			},
 //			HeadBucketFunc: func(contextMoqParam context.Context, headBucketInput *s3.HeadBucketInput) (*s3.HeadBucketOutput, error) {
@@ -134,7 +134,7 @@ var _ backend.Backend = &BackendMock{}
 //			PutBucketAclFunc: func(contextMoqParam context.Context, bucket string, data []byte) error {
 //				panic("mock out the PutBucketAcl method")
 //			},
-//			PutBucketCorsFunc: func(contextMoqParam context.Context, bytes []byte) error {
+//			PutBucketCorsFunc: func(contextMoqParam context.Context, bucket string, cors []byte) error {
 //				panic("mock out the PutBucketCors method")
 //			},
 //			PutBucketOwnershipControlsFunc: func(contextMoqParam context.Context, bucket string, ownership types.ObjectOwnership) error {
@@ -161,10 +161,10 @@ var _ backend.Backend = &BackendMock{}
 //			PutObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string, config []byte) error {
 //				panic("mock out the PutObjectLockConfiguration method")
 //			},
-//			PutObjectRetentionFunc: func(contextMoqParam context.Context, bucket string, object string, versionId string, bypass bool, retention []byte) error {
+//			PutObjectRetentionFunc: func(contextMoqParam context.Context, bucket string, object string, versionId string, retention []byte) error {
 //				panic("mock out the PutObjectRetention method")
 //			},
-//			PutObjectTaggingFunc: func(contextMoqParam context.Context, bucket string, object string, tags map[string]string) error {
+//			PutObjectTaggingFunc: func(contextMoqParam context.Context, bucket string, object string, versionId string, tags map[string]string) error {
 //				panic("mock out the PutObjectTagging method")
 //			},
 //			RestoreObjectFunc: func(contextMoqParam context.Context, restoreObjectInput *s3.RestoreObjectInput) error {
@@ -196,7 +196,7 @@ type BackendMock struct {
 	AbortMultipartUploadFunc func(contextMoqParam context.Context, abortMultipartUploadInput *s3.AbortMultipartUploadInput) error

 	// ChangeBucketOwnerFunc mocks the ChangeBucketOwner method.
-	ChangeBucketOwnerFunc func(contextMoqParam context.Context, bucket string, acl []byte) error
+	ChangeBucketOwnerFunc func(contextMoqParam context.Context, bucket string, owner string) error

 	// CompleteMultipartUploadFunc mocks the CompleteMultipartUpload method.
 	CompleteMultipartUploadFunc func(contextMoqParam context.Context, completeMultipartUploadInput *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error)
@@ -229,7 +229,7 @@ type BackendMock struct {
 	DeleteObjectFunc func(contextMoqParam context.Context, deleteObjectInput *s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error)

 	// DeleteObjectTaggingFunc mocks the DeleteObjectTagging method.
-	DeleteObjectTaggingFunc func(contextMoqParam context.Context, bucket string, object string) error
+	DeleteObjectTaggingFunc func(contextMoqParam context.Context, bucket string, object string, versionId string) error

 	// DeleteObjectsFunc mocks the DeleteObjects method.
 	DeleteObjectsFunc func(contextMoqParam context.Context, deleteObjectsInput *s3.DeleteObjectsInput) (s3response.DeleteResult, error)
@@ -271,7 +271,7 @@ type BackendMock struct {
 	GetObjectRetentionFunc func(contextMoqParam context.Context, bucket string, object string, versionId string) ([]byte, error)

 	// GetObjectTaggingFunc mocks the GetObjectTagging method.
-	GetObjectTaggingFunc func(contextMoqParam context.Context, bucket string, object string) (map[string]string, error)
+	GetObjectTaggingFunc func(contextMoqParam context.Context, bucket string, object string, versionId string) (map[string]string, error)

 	// HeadBucketFunc mocks the HeadBucket method.
 	HeadBucketFunc func(contextMoqParam context.Context, headBucketInput *s3.HeadBucketInput) (*s3.HeadBucketOutput, error)
@@ -304,7 +304,7 @@ type BackendMock struct {
 	PutBucketAclFunc func(contextMoqParam context.Context, bucket string, data []byte) error

 	// PutBucketCorsFunc mocks the PutBucketCors method.
-	PutBucketCorsFunc func(contextMoqParam context.Context, bytes []byte) error
+	PutBucketCorsFunc func(contextMoqParam context.Context, bucket string, cors []byte) error

 	// PutBucketOwnershipControlsFunc mocks the PutBucketOwnershipControls method.
 	PutBucketOwnershipControlsFunc func(contextMoqParam context.Context, bucket string, ownership types.ObjectOwnership) error
@@ -331,10 +331,10 @@ type BackendMock struct {
 	PutObjectLockConfigurationFunc func(contextMoqParam context.Context, bucket string, config []byte) error

 	// PutObjectRetentionFunc mocks the PutObjectRetention method.
-	PutObjectRetentionFunc func(contextMoqParam context.Context, bucket string, object string, versionId string, bypass bool, retention []byte) error
+	PutObjectRetentionFunc func(contextMoqParam context.Context, bucket string, object string, versionId string, retention []byte) error

 	// PutObjectTaggingFunc mocks the PutObjectTagging method.
-	PutObjectTaggingFunc func(contextMoqParam context.Context, bucket string, object string, tags map[string]string) error
+	PutObjectTaggingFunc func(contextMoqParam context.Context, bucket string, object string, versionId string, tags map[string]string) error

 	// RestoreObjectFunc mocks the RestoreObject method.
 	RestoreObjectFunc func(contextMoqParam context.Context, restoreObjectInput *s3.RestoreObjectInput) error
@@ -369,8 +369,8 @@ type BackendMock struct {
 			ContextMoqParam context.Context
 			// Bucket is the bucket argument value.
 			Bucket string
-			// ACL is the acl argument value.
-			ACL []byte
+			// Owner is the owner argument value.
+			Owner string
 		}
 		// CompleteMultipartUpload holds details about calls to the CompleteMultipartUpload method.
 		CompleteMultipartUpload []struct {
@@ -452,6 +452,8 @@ type BackendMock struct {
 			Bucket string
 			// Object is the object argument value.
 			Object string
+			// VersionId is the versionId argument value.
+			VersionId string
 		}
 		// DeleteObjects holds details about calls to the DeleteObjects method.
 		DeleteObjects []struct {
@@ -560,6 +562,8 @@ type BackendMock struct {
 			Bucket string
 			// Object is the object argument value.
 			Object string
+			// VersionId is the versionId argument value.
+			VersionId string
 		}
 		// HeadBucket holds details about calls to the HeadBucket method.
 		HeadBucket []struct {
@@ -635,8 +639,10 @@ type BackendMock struct {
 		PutBucketCors []struct {
 			// ContextMoqParam is the contextMoqParam argument value.
 			ContextMoqParam context.Context
-			// Bytes is the bytes argument value.
-			Bytes []byte
+			// Bucket is the bucket argument value.
+			Bucket string
+			// Cors is the cors argument value.
+			Cors []byte
 		}
 		// PutBucketOwnershipControls holds details about calls to the PutBucketOwnershipControls method.
 		PutBucketOwnershipControls []struct {
@@ -720,8 +726,6 @@ type BackendMock struct {
 			Object string
 			// VersionId is the versionId argument value.
 			VersionId string
-			// Bypass is the bypass argument value.
-			Bypass bool
 			// Retention is the retention argument value.
 			Retention []byte
 		}
@@ -733,6 +737,8 @@ type BackendMock struct {
 			Bucket string
 			// Object is the object argument value.
 			Object string
+			// VersionId is the versionId argument value.
+			VersionId string
 			// Tags is the tags argument value.
 			Tags map[string]string
 		}
@@ -864,23 +870,23 @@ func (mock *BackendMock) AbortMultipartUploadCalls() []struct {
 }

 // ChangeBucketOwner calls ChangeBucketOwnerFunc.
-func (mock *BackendMock) ChangeBucketOwner(contextMoqParam context.Context, bucket string, acl []byte) error {
+func (mock *BackendMock) ChangeBucketOwner(contextMoqParam context.Context, bucket string, owner string) error {
 	if mock.ChangeBucketOwnerFunc == nil {
 		panic("BackendMock.ChangeBucketOwnerFunc: method is nil but Backend.ChangeBucketOwner was just called")
 	}
 	callInfo := struct {
 		ContextMoqParam context.Context
 		Bucket          string
-		ACL             []byte
+		Owner           string
 	}{
 		ContextMoqParam: contextMoqParam,
 		Bucket:          bucket,
-		ACL:             acl,
+		Owner:           owner,
 	}
 	mock.lockChangeBucketOwner.Lock()
 	mock.calls.ChangeBucketOwner = append(mock.calls.ChangeBucketOwner, callInfo)
 	mock.lockChangeBucketOwner.Unlock()
-	return mock.ChangeBucketOwnerFunc(contextMoqParam, bucket, acl)
+	return mock.ChangeBucketOwnerFunc(contextMoqParam, bucket, owner)
 }

 // ChangeBucketOwnerCalls gets all the calls that were made to ChangeBucketOwner.
@@ -890,12 +896,12 @@ func (mock *BackendMock) ChangeBucketOwner(contextMoqParam context.Context, buck
 func (mock *BackendMock) ChangeBucketOwnerCalls() []struct {
 	ContextMoqParam context.Context
 	Bucket          string
-	ACL             []byte
+	Owner           string
 } {
 	var calls []struct {
 		ContextMoqParam context.Context
 		Bucket          string
-		ACL             []byte
+		Owner           string
 	}
 	mock.lockChangeBucketOwner.RLock()
 	calls = mock.calls.ChangeBucketOwner
@@ -1268,7 +1274,7 @@ func (mock *BackendMock) DeleteObjectCalls() []struct {
 }

 // DeleteObjectTagging calls DeleteObjectTaggingFunc.
-func (mock *BackendMock) DeleteObjectTagging(contextMoqParam context.Context, bucket string, object string) error {
+func (mock *BackendMock) DeleteObjectTagging(contextMoqParam context.Context, bucket string, object string, versionId string) error {
 	if mock.DeleteObjectTaggingFunc == nil {
 		panic("BackendMock.DeleteObjectTaggingFunc: method is nil but Backend.DeleteObjectTagging was just called")
 	}
@@ -1276,15 +1282,17 @@ func (mock *BackendMock) DeleteObjectTagging(contextMoqParam context.Context, bu
 		ContextMoqParam context.Context
 		Bucket          string
 		Object          string
+		VersionId       string
 	}{
 		ContextMoqParam: contextMoqParam,
 		Bucket:          bucket,
 		Object:          object,
+		VersionId:       versionId,
 	}
 	mock.lockDeleteObjectTagging.Lock()
 	mock.calls.DeleteObjectTagging = append(mock.calls.DeleteObjectTagging, callInfo)
 	mock.lockDeleteObjectTagging.Unlock()
-	return mock.DeleteObjectTaggingFunc(contextMoqParam, bucket, object)
+	return mock.DeleteObjectTaggingFunc(contextMoqParam, bucket, object, versionId)
 }

 // DeleteObjectTaggingCalls gets all the calls that were made to DeleteObjectTagging.
@@ -1295,11 +1303,13 @@ func (mock *BackendMock) DeleteObjectTaggingCalls() []struct {
 	ContextMoqParam context.Context
 	Bucket          string
 	Object          string
+	VersionId       string
 } {
 	var calls []struct {
 		ContextMoqParam context.Context
 		Bucket          string
 		Object          string
+		VersionId       string
 	}
 	mock.lockDeleteObjectTagging.RLock()
 	calls = mock.calls.DeleteObjectTagging
@@ -1792,7 +1802,7 @@ func (mock *BackendMock) GetObjectRetentionCalls() []struct {
 }

 // GetObjectTagging calls GetObjectTaggingFunc.
-func (mock *BackendMock) GetObjectTagging(contextMoqParam context.Context, bucket string, object string) (map[string]string, error) {
+func (mock *BackendMock) GetObjectTagging(contextMoqParam context.Context, bucket string, object string, versionId string) (map[string]string, error) {
 	if mock.GetObjectTaggingFunc == nil {
 		panic("BackendMock.GetObjectTaggingFunc: method is nil but Backend.GetObjectTagging was just called")
 	}
@@ -1800,15 +1810,17 @@ func (mock *BackendMock) GetObjectTagging(contextMoqParam context.Context, bucke
 		ContextMoqParam context.Context
 		Bucket          string
 		Object          string
+		VersionId       string
 	}{
 		ContextMoqParam: contextMoqParam,
 		Bucket:          bucket,
 		Object:          object,
+		VersionId:       versionId,
 	}
 	mock.lockGetObjectTagging.Lock()
 	mock.calls.GetObjectTagging = append(mock.calls.GetObjectTagging, callInfo)
 	mock.lockGetObjectTagging.Unlock()
-	return mock.GetObjectTaggingFunc(contextMoqParam, bucket, object)
+	return mock.GetObjectTaggingFunc(contextMoqParam, bucket, object, versionId)
 }

 // GetObjectTaggingCalls gets all the calls that were made to GetObjectTagging.
@@ -1819,11 +1831,13 @@ func (mock *BackendMock) GetObjectTaggingCalls() []struct {
 	ContextMoqParam context.Context
 	Bucket          string
 	Object          string
+	VersionId       string
 } {
 	var calls []struct {
 		ContextMoqParam context.Context
 		Bucket          string
 		Object          string
+		VersionId       string
 	}
 	mock.lockGetObjectTagging.RLock()
 	calls = mock.calls.GetObjectTagging
@@ -2192,21 +2206,23 @@ func (mock *BackendMock) PutBucketAclCalls() []struct {
 }

 // PutBucketCors calls PutBucketCorsFunc.
-func (mock *BackendMock) PutBucketCors(contextMoqParam context.Context, bytes []byte) error {
+func (mock *BackendMock) PutBucketCors(contextMoqParam context.Context, bucket string, cors []byte) error {
 	if mock.PutBucketCorsFunc == nil {
 		panic("BackendMock.PutBucketCorsFunc: method is nil but Backend.PutBucketCors was just called")
 	}
 	callInfo := struct {
 		ContextMoqParam context.Context
-		Bytes           []byte
+		Bucket          string
+		Cors            []byte
 	}{
 		ContextMoqParam: contextMoqParam,
-		Bytes:           bytes,
+		Bucket:          bucket,
+		Cors:            cors,
 	}
 	mock.lockPutBucketCors.Lock()
 	mock.calls.PutBucketCors = append(mock.calls.PutBucketCors, callInfo)
 	mock.lockPutBucketCors.Unlock()
-	return mock.PutBucketCorsFunc(contextMoqParam, bytes)
+	return mock.PutBucketCorsFunc(contextMoqParam, bucket, cors)
 }

 // PutBucketCorsCalls gets all the calls that were made to PutBucketCors.
@@ -2215,11 +2231,13 @@ func (mock *BackendMock) PutBucketCors(contextMoqParam context.Context, bytes []
 //	len(mockedBackend.PutBucketCorsCalls())
 func (mock *BackendMock) PutBucketCorsCalls() []struct {
 	ContextMoqParam context.Context
-	Bytes           []byte
+	Bucket          string
+	Cors            []byte
 } {
 	var calls []struct {
 		ContextMoqParam context.Context
-		Bytes           []byte
+		Bucket          string
+		Cors            []byte
 	}
 	mock.lockPutBucketCors.RLock()
 	calls = mock.calls.PutBucketCors
@@ -2548,7 +2566,7 @@ func (mock *BackendMock) PutObjectLockConfigurationCalls() []struct {
 }

 // PutObjectRetention calls PutObjectRetentionFunc.
-func (mock *BackendMock) PutObjectRetention(contextMoqParam context.Context, bucket string, object string, versionId string, bypass bool, retention []byte) error {
+func (mock *BackendMock) PutObjectRetention(contextMoqParam context.Context, bucket string, object string, versionId string, retention []byte) error {
 	if mock.PutObjectRetentionFunc == nil {
 		panic("BackendMock.PutObjectRetentionFunc: method is nil but Backend.PutObjectRetention was just called")
 	}
@@ -2557,20 +2575,18 @@ func (mock *BackendMock) PutObjectRetention(contextMoqParam context.Context, buc
 		Bucket          string
 		Object          string
 		VersionId       string
-		Bypass          bool
 		Retention       []byte
 	}{
 		ContextMoqParam: contextMoqParam,
 		Bucket:          bucket,
 		Object:          object,
 		VersionId:       versionId,
-		Bypass:          bypass,
 		Retention:       retention,
 	}
 	mock.lockPutObjectRetention.Lock()
 	mock.calls.PutObjectRetention = append(mock.calls.PutObjectRetention, callInfo)
 	mock.lockPutObjectRetention.Unlock()
-	return mock.PutObjectRetentionFunc(contextMoqParam, bucket, object, versionId, bypass, retention)
+	return mock.PutObjectRetentionFunc(contextMoqParam, bucket, object, versionId, retention)
 }

 // PutObjectRetentionCalls gets all the calls that were made to PutObjectRetention.
@@ -2582,7 +2598,6 @@ func (mock *BackendMock) PutObjectRetentionCalls() []struct {
 	Bucket          string
 	Object          string
 	VersionId       string
-	Bypass          bool
 	Retention       []byte
 } {
 	var calls []struct {
@@ -2590,7 +2605,6 @@ func (mock *BackendMock) PutObjectRetentionCalls() []struct {
 		Bucket          string
 		Object          string
 		VersionId       string
-		Bypass          bool
 		Retention       []byte
 	}
 	mock.lockPutObjectRetention.RLock()
@@ -2600,7 +2614,7 @@ func (mock *BackendMock) PutObjectRetentionCalls() []struct {
 }

 // PutObjectTagging calls PutObjectTaggingFunc.
-func (mock *BackendMock) PutObjectTagging(contextMoqParam context.Context, bucket string, object string, tags map[string]string) error {
+func (mock *BackendMock) PutObjectTagging(contextMoqParam context.Context, bucket string, object string, versionId string, tags map[string]string) error {
 	if mock.PutObjectTaggingFunc == nil {
 		panic("BackendMock.PutObjectTaggingFunc: method is nil but Backend.PutObjectTagging was just called")
 	}
@@ -2608,17 +2622,19 @@ func (mock *BackendMock) PutObjectTagging(contextMoqParam context.Context, bucke
 		ContextMoqParam context.Context
 		Bucket          string
 		Object          string
+		VersionId       string
 		Tags            map[string]string
 	}{
 		ContextMoqParam: contextMoqParam,
 		Bucket:          bucket,
 		Object:          object,
+		VersionId:       versionId,
 		Tags:            tags,
 	}
 	mock.lockPutObjectTagging.Lock()
 	mock.calls.PutObjectTagging = append(mock.calls.PutObjectTagging, callInfo)
 	mock.lockPutObjectTagging.Unlock()
-	return mock.PutObjectTaggingFunc(contextMoqParam, bucket, object, tags)
+	return mock.PutObjectTaggingFunc(contextMoqParam, bucket, object, versionId, tags)
 }

 // PutObjectTaggingCalls gets all the calls that were made to PutObjectTagging.
@@ -2629,12 +2645,14 @@ func (mock *BackendMock) PutObjectTaggingCalls() []struct {
 	ContextMoqParam context.Context
 	Bucket          string
 	Object          string
+	VersionId       string
 	Tags            map[string]string
 } {
 	var calls []struct {
 		ContextMoqParam context.Context
 		Bucket          string
 		Object          string
+		VersionId       string
 		Tags            map[string]string
 	}
 	mock.lockPutObjectTagging.RLock()
--- a/s3api/controllers/base.go
+++ b/s3api/controllers/base.go
--- a/s3api/controllers/base_test.go
+++ b/s3api/controllers/base_test.go
--- a/s3api/controllers/bucket-delete.go
+++ b/s3api/controllers/bucket-delete.go
@@ -0,0 +1,194 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"net/http"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+)
+
+func (c S3ApiController) DeleteBucketTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Action:          auth.PutBucketTaggingAction,
+			IsPublicRequest: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucketTagging(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteBucketOwnershipControls(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Action:        auth.PutBucketOwnershipControlsAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucketOwnershipControls(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Action:        auth.DeleteBucketPolicyAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucketPolicy(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteBucketCors(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Action:          auth.PutBucketCorsAction,
+			IsPublicRequest: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucketCors(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteBucket(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Action:          auth.DeleteBucketAction,
+			IsPublicRequest: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteBucket(ctx.Context(), bucket)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
--- a/s3api/controllers/bucket-delete_test.go
+++ b/s3api/controllers/bucket-delete_test.go
@@ -0,0 +1,413 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_DeleteBucketTagging(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrAclNotSupported),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAclNotSupported),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketTaggingFunc: func(_ context.Context, _ string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketTagging,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketOwnershipControls(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketOwnershipControlsFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketOwnershipControls,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketPolicy(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketPolicy,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketCors(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrAdminMethodNotSupported),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminMethodNotSupported),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketCorsFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketCors,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucket(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucket,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-get.go
+++ b/s3api/controllers/bucket-get.go
@@ -0,0 +1,674 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) GetBucketTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketTaggingAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	tags, err := c.be.GetBucketTagging(ctx.Context(), bucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	resp := s3response.Tagging{
+		TagSet: s3response.TagSet{
+			Tags: make([]s3response.Tag, 0, len(tags)),
+		},
+	}
+
+	for key, val := range tags {
+		resp.TagSet.Tags = append(resp.TagSet.Tags,
+			s3response.Tag{Key: key, Value: val})
+	}
+
+	return &Response{
+		Data: resp,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketOwnershipControls(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketOwnershipControlsAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketOwnershipControls(ctx.Context(), bucket)
+	return &Response{
+		Data: s3response.OwnershipControls{
+			Rules: []types.OwnershipControlsRule{
+				{
+					ObjectOwnership: data,
+				},
+			},
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketVersioning(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketVersioningAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	// Only admin users and the bucket owner are allowed to get the versioning state of a bucket.
+	if err := auth.IsAdminOrOwner(acct, isRoot, parsedAcl); err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketVersioning(ctx.Context(), bucket)
+	return &Response{
+		Data: data,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketCors(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketCorsAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketCors(ctx.Context(), bucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	output, err := auth.ParseCORSOutput(data)
+	return &Response{
+		Data: output,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketPolicyAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketPolicy(ctx.Context(), bucket)
+	return &Response{
+		Data: data,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketPolicyStatus(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketPolicyStatusAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	policyRaw, err := c.be.GetBucketPolicy(ctx.Context(), bucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	policy, err := auth.ParsePolicyDocument(policyRaw)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	isPublic := policy.IsPublic()
+
+	return &Response{
+		Data: types.PolicyStatus{
+			IsPublic: &isPublic,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
+
+func (c S3ApiController) ListObjectVersions(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	prefix := ctx.Query("prefix")
+	delimiter := ctx.Query("delimiter")
+	maxkeysStr := ctx.Query("max-keys")
+	keyMarker := ctx.Query("key-marker")
+	versionIdMarker := ctx.Query("version-id-marker")
+	// context keys
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.ListBucketVersionsAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	maxkeys, err := utils.ParseUint(maxkeysStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max keys %q: %v",
+			maxkeysStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxKeys)
+	}
+
+	data, err := c.be.ListObjectVersions(ctx.Context(),
+		&s3.ListObjectVersionsInput{
+			Bucket:          &bucket,
+			Delimiter:       &delimiter,
+			KeyMarker:       &keyMarker,
+			MaxKeys:         &maxkeys,
+			Prefix:          &prefix,
+			VersionIdMarker: &versionIdMarker,
+		})
+	return &Response{
+		Data: data,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectLockConfiguration(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	// context keys
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketObjectLockConfigurationAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetObjectLockConfiguration(ctx.Context(), bucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	resp, err := auth.ParseBucketLockConfigurationOutput(data)
+	return &Response{
+		Data: resp,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetBucketAcl(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	// context keys
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionReadAcp,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketAclAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetBucketAcl(ctx.Context(),
+		&s3.GetBucketAclInput{Bucket: &bucket})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := auth.ParseACLOutput(data, parsedAcl.Owner)
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) ListMultipartUploads(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	prefix := ctx.Query("prefix")
+	delimiter := ctx.Query("delimiter")
+	keyMarker := ctx.Query("key-marker")
+	maxUploadsStr := ctx.Query("max-uploads")
+	uploadIdMarker := ctx.Query("upload-id-marker")
+	// context keys
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.ListBucketMultipartUploadsAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	maxUploads, err := utils.ParseUint(maxUploadsStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max uploads %q: %v",
+			maxUploadsStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxUploads)
+	}
+	res, err := c.be.ListMultipartUploads(ctx.Context(),
+		&s3.ListMultipartUploadsInput{
+			Bucket:         &bucket,
+			Delimiter:      &delimiter,
+			Prefix:         &prefix,
+			UploadIdMarker: &uploadIdMarker,
+			MaxUploads:     &maxUploads,
+			KeyMarker:      &keyMarker,
+		})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) ListObjectsV2(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	prefix := ctx.Query("prefix")
+	cToken := ctx.Query("continuation-token")
+	sAfter := ctx.Query("start-after")
+	delimiter := ctx.Query("delimiter")
+	maxkeysStr := ctx.Query("max-keys")
+	fetchOwner := strings.EqualFold(ctx.Query("fetch-owner"), "true")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.ListBucketAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	maxkeys, err := utils.ParseUint(maxkeysStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max keys %q: %v",
+			maxkeysStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxKeys)
+	}
+
+	res, err := c.be.ListObjectsV2(ctx.Context(),
+		&s3.ListObjectsV2Input{
+			Bucket:            &bucket,
+			Prefix:            &prefix,
+			ContinuationToken: &cToken,
+			Delimiter:         &delimiter,
+			MaxKeys:           &maxkeys,
+			StartAfter:        &sAfter,
+			FetchOwner:        &fetchOwner,
+		})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) ListObjects(ctx *fiber.Ctx) (*Response, error) {
+	// url values
+	bucket := ctx.Params("bucket")
+	prefix := ctx.Query("prefix")
+	marker := ctx.Query("marker")
+	delimiter := ctx.Query("delimiter")
+	maxkeysStr := ctx.Query("max-keys")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.ListBucketAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	maxkeys, err := utils.ParseUint(maxkeysStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max keys %q: %v",
+			maxkeysStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxKeys)
+	}
+
+	res, err := c.be.ListObjects(ctx.Context(),
+		&s3.ListObjectsInput{
+			Bucket:    &bucket,
+			Prefix:    &prefix,
+			Marker:    &marker,
+			Delimiter: &delimiter,
+			MaxKeys:   &maxkeys,
+		})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+// GetBucketLocation handles GET /:bucket?location
+func (c S3ApiController) GetBucketLocation(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.GetBucketLocationAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// verify bucket existence/access via backend HeadBucket
+	_, err = c.be.HeadBucket(ctx.Context(), &s3.HeadBucketInput{Bucket: &bucket})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// pick up configured region from locals (set by router middleware)
+	region, _ := ctx.Locals("region").(string)
+	value := &region
+	if region == "us-east-1" {
+		value = nil
+	}
+
+	return &Response{
+		Data: s3response.LocationConstraint{
+			Value: value,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
--- a/s3api/controllers/bucket-get_test.go
+++ b/s3api/controllers/bucket-get_test.go
--- a/s3api/controllers/bucket-head.go
+++ b/s3api/controllers/bucket-head.go
@@ -0,0 +1,90 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"errors"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func (c S3ApiController) HeadBucket(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	region := utils.ContextKeyRegion.Get(ctx).(string)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionRead,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Action:          auth.ListBucketAction,
+			IsPublicRequest: isPublicBucket,
+		})
+	if err != nil {
+		return &Response{
+			Headers: map[string]*string{
+				"x-amz-bucket-region": utils.GetStringPtr(region),
+			},
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	_, err = c.be.HeadBucket(ctx.Context(),
+		&s3.HeadBucketInput{
+			Bucket: &bucket,
+		})
+
+	if err != nil {
+		if errors.Is(err, s3err.GetAPIError(s3err.ErrAccessDenied)) {
+			return &Response{
+				// access denied for head object still returns region header
+				Headers: map[string]*string{
+					"x-amz-bucket-region": utils.GetStringPtr(region),
+				},
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, err
+		}
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	return &Response{
+		Headers: map[string]*string{
+			"x-amz-access-point-alias": utils.GetStringPtr("false"),
+			"x-amz-bucket-region":      utils.GetStringPtr(region),
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
--- a/s3api/controllers/bucket-head_test.go
+++ b/s3api/controllers/bucket-head_test.go
@@ -0,0 +1,139 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_HeadBucket(t *testing.T) {
+	region := "us-east-1"
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: false,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "user",
+						Role:   auth.RoleUser,
+					},
+					utils.ContextKeyRegion: region,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-bucket-region": utils.GetStringPtr(region),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: true,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "root",
+						Role:   auth.RoleAdmin,
+					},
+					utils.ContextKeyRegion: region,
+				},
+				beErr: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: true,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "root",
+						Role:   auth.RoleAdmin,
+					},
+					utils.ContextKeyRegion: region,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-access-point-alias": utils.GetStringPtr("false"),
+						"x-amz-bucket-region":      utils.GetStringPtr(region),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				HeadBucketFunc: func(contextMoqParam context.Context, headBucketInput *s3.HeadBucketInput) (*s3.HeadBucketOutput, error) {
+					return &s3.HeadBucketOutput{}, tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.HeadBucket,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-list.go
+++ b/s3api/controllers/bucket-list.go
@@ -0,0 +1,69 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"strconv"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) ListBuckets(ctx *fiber.Ctx) (*Response, error) {
+	cToken := ctx.Query("continuation-token")
+	prefix := ctx.Query("prefix")
+	maxBucketsStr := ctx.Query("max-buckets")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	region, ok := utils.ContextKeyRegion.Get(ctx).(string)
+	if !ok {
+		region = defaultRegion
+	}
+
+	maxBuckets := defaultMaxBuckets
+	if maxBucketsStr != "" {
+		maxBucketsParsed, err := strconv.ParseInt(maxBucketsStr, 10, 32)
+		if err != nil || maxBucketsParsed < 0 || maxBucketsParsed > int64(defaultMaxBuckets) {
+			debuglogger.Logf("error parsing max-buckets %q: %v", maxBucketsStr, err)
+			return &Response{
+				MetaOpts: &MetaOptions{},
+			}, s3err.GetAPIError(s3err.ErrInvalidMaxBuckets)
+		}
+		maxBuckets = int32(maxBucketsParsed)
+	}
+
+	res, err := c.be.ListBuckets(ctx.Context(),
+		s3response.ListBucketsInput{
+			Owner:             acct.Access,
+			IsAdmin:           acct.Role == auth.RoleAdmin,
+			MaxBuckets:        maxBuckets,
+			ContinuationToken: cToken,
+			Prefix:            prefix,
+		})
+	if err != nil {
+		return &Response{}, err
+	}
+
+	for i := range res.Buckets.Bucket {
+		res.Buckets.Bucket[i].BucketRegion = region
+	}
+
+	return &Response{
+		Data: res,
+	}, nil
+}
--- a/s3api/controllers/bucket-list_test.go
+++ b/s3api/controllers/bucket-list_test.go
@@ -0,0 +1,108 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_ListBuckets(t *testing.T) {
+	validRes := s3response.ListAllMyBucketsResult{
+		Owner: s3response.CanonicalUser{
+			ID: "root",
+		},
+		Buckets: s3response.ListAllMyBucketsList{
+			Bucket: []s3response.ListAllMyBucketsEntry{
+				{Name: "test"},
+			},
+		},
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "invalid max buckets",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"max-buckets": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidMaxBuckets),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				beRes:  s3response.ListAllMyBucketsResult{},
+			},
+			output: testOutput{
+				response: &Response{},
+				err:      s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  validRes,
+				queries: map[string]string{
+					"max-buckets": "3",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: validRes,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				ListBucketsFunc: func(contextMoqParam context.Context, listBucketsInput s3response.ListBucketsInput) (s3response.ListAllMyBucketsResult, error) {
+					return tt.input.beRes.(s3response.ListAllMyBucketsResult), tt.input.beErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.ListBuckets,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-post.go
+++ b/s3api/controllers/bucket-post.go
@@ -0,0 +1,94 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"encoding/xml"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) DeleteObjects(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	bypass := strings.EqualFold(ctx.Get("X-Amz-Bypass-Governance-Retention"), "true")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Action:          auth.DeleteObjectAction,
+			IsPublicRequest: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var dObj s3response.DeleteObjects
+	err = xml.Unmarshal(ctx.Body(), &dObj)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling delete objects: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	err = auth.CheckObjectAccess(ctx.Context(), bucket, acct.Access, dObj.Objects, bypass, IsBucketPublic, c.be, false)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.DeleteObjects(ctx.Context(),
+		&s3.DeleteObjectsInput{
+			Bucket: &bucket,
+			Delete: &types.Delete{
+				Objects: dObj.Objects,
+			},
+		})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			ObjectCount: int64(len(dObj.Objects)),
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectRemovedDeleteObjects,
+		},
+	}, err
+}
--- a/s3api/controllers/bucket-post_test.go
+++ b/s3api/controllers/bucket-post_test.go
@@ -0,0 +1,165 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"encoding/xml"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_DeleteObjects(t *testing.T) {
+	validBody, err := xml.Marshal(s3response.DeleteObjects{
+		Objects: []types.ObjectIdentifier{
+			{Key: utils.GetStringPtr("obj")},
+		},
+	})
+	assert.NoError(t, err)
+
+	validRes := s3response.DeleteResult{
+		Deleted: []types.DeletedObject{
+			{Key: utils.GetStringPtr("key")},
+		},
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "check object access returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				body:         validBody,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				beRes:        s3response.DeleteResult{},
+				beErr:        s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				body:         validBody,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.DeleteResult{},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRemovedDeleteObjects,
+						ObjectCount: 1,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals:       defaultLocals,
+				body:         validBody,
+				beRes:        validRes,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: validRes,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRemovedDeleteObjects,
+						ObjectCount: 1,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteObjectsFunc: func(contextMoqParam context.Context, deleteObjectsInput *s3.DeleteObjectsInput) (s3response.DeleteResult, error) {
+					return tt.input.beRes.(s3response.DeleteResult), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+				GetObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, tt.input.extraMockErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteObjects,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-put.go
+++ b/s3api/controllers/bucket-put.go
@@ -0,0 +1,627 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"encoding/xml"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) PutBucketTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionWrite,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.PutBucketTaggingAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	tagging, err := utils.ParseTagging(ctx.Body(), utils.TagLimitBucket)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutBucketTagging(ctx.Context(), bucket, tagging)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketOwnershipControls(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+
+	if err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:      c.readonly,
+		Acl:           parsedAcl,
+		AclPermission: auth.PermissionWrite,
+		IsRoot:        isRoot,
+		Acc:           acct,
+		Bucket:        bucket,
+		Action:        auth.PutBucketOwnershipControlsAction,
+	}); err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var ownershipControls s3response.OwnershipControls
+	if err := xml.Unmarshal(ctx.Body(), &ownershipControls); err != nil {
+		debuglogger.Logf("failed to unmarshal request body: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	rulesCount := len(ownershipControls.Rules)
+	isValidOwnership := utils.IsValidOwnership(ownershipControls.Rules[0].ObjectOwnership)
+	if rulesCount != 1 || !isValidOwnership {
+		if rulesCount != 1 {
+			debuglogger.Logf("ownership control rules should be 1, got %v", rulesCount)
+		}
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	err := c.be.PutBucketOwnershipControls(ctx.Context(), bucket, ownershipControls.Rules[0].ObjectOwnership)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketVersioning(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionWrite,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.PutBucketVersioningAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var versioningConf types.VersioningConfiguration
+	err = xml.Unmarshal(ctx.Body(), &versioningConf)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling versioning configuration: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	if versioningConf.Status != types.BucketVersioningStatusEnabled &&
+		versioningConf.Status != types.BucketVersioningStatusSuspended {
+		debuglogger.Logf("invalid versioning configuration status: %v", versioningConf.Status)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	err = c.be.PutBucketVersioning(ctx.Context(), bucket, versioningConf.Status)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObjectLockConfiguration(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	if err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionWrite,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.PutBucketObjectLockConfigurationAction,
+		IsPublicRequest: isPublicBucket,
+	}); err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	config, err := auth.ParseBucketLockConfigurationInput(ctx.Body())
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutObjectLockConfiguration(ctx.Context(), bucket, config)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketCors(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionWrite,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Action:          auth.PutBucketCorsAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	body := ctx.Body()
+
+	var corsConfig auth.CORSConfiguration
+	err = xml.Unmarshal(body, &corsConfig)
+	if err != nil {
+		debuglogger.Logf("invalid CORS request body: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	// validate the CORS configuration rules
+	err = corsConfig.Validate()
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutBucketCors(ctx.Context(), bucket, body)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:      c.readonly,
+		Acl:           parsedAcl,
+		AclPermission: auth.PermissionWrite,
+		IsRoot:        isRoot,
+		Acc:           acct,
+		Bucket:        bucket,
+		Action:        auth.PutBucketPolicyAction,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.ValidatePolicyDocument(ctx.Body(), bucket, c.iam)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutBucketPolicy(ctx.Context(), bucket, ctx.Body())
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutBucketAcl(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acl := ctx.Get("X-Amz-Acl")
+	grantFullControl := ctx.Get("X-Amz-Grant-Full-Control")
+	grantRead := ctx.Get("X-Amz-Grant-Read")
+	grantReadACP := ctx.Get("X-Amz-Grant-Read-Acp")
+	grantWrite := ctx.Get("X-Amz-Grant-Write")
+	grantWriteACP := ctx.Get("X-Amz-Grant-Write-Acp")
+	// context locals
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+
+	grants := grantFullControl + grantRead + grantReadACP + grantWrite + grantWriteACP
+	var input *auth.PutBucketAclInput
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWriteAcp,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Action:        auth.PutBucketAclAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.ValidateCannedACL(acl)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	ownership, err := c.be.GetBucketOwnershipControls(ctx.Context(), bucket)
+	if err != nil && !errors.Is(err, s3err.GetAPIError(s3err.ErrOwnershipControlsNotFound)) {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	if ownership == types.ObjectOwnershipBucketOwnerEnforced {
+		debuglogger.Logf("bucket acls are disabled")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrAclNotSupported)
+	}
+
+	if len(ctx.Body()) > 0 {
+		var accessControlPolicy auth.AccessControlPolicy
+		err := xml.Unmarshal(ctx.Body(), &accessControlPolicy)
+		if err != nil {
+			debuglogger.Logf("error unmarshalling access control policy: %v", err)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrMalformedACL)
+		}
+
+		err = accessControlPolicy.Validate()
+		if err != nil {
+			debuglogger.Logf("invalid access control policy: %v", err)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, err
+		}
+
+		if *accessControlPolicy.Owner.ID != parsedAcl.Owner {
+			debuglogger.Logf("invalid access control policy owner id: %v, expected %v", *accessControlPolicy.Owner.ID, parsedAcl.Owner)
+			return &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: parsedAcl.Owner,
+					},
+				}, s3err.APIError{
+					Code:           "InvalidArgument",
+					Description:    "Invalid id",
+					HTTPStatusCode: http.StatusBadRequest,
+				}
+		}
+
+		if grants+acl != "" {
+			debuglogger.Logf("invalid request: %q (grants) %q (acl)",
+				grants, acl)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrUnexpectedContent)
+		}
+
+		input = &auth.PutBucketAclInput{
+			Bucket:              &bucket,
+			AccessControlPolicy: &accessControlPolicy,
+		}
+	} else if acl != "" {
+		if grants != "" {
+			debuglogger.Logf("invalid request: %q (grants) %q (acl)",
+				grants, acl)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrBothCannedAndHeaderGrants)
+		}
+
+		input = &auth.PutBucketAclInput{
+			Bucket: &bucket,
+			ACL:    types.BucketCannedACL(acl),
+		}
+	} else if grants != "" {
+		input = &auth.PutBucketAclInput{
+			Bucket:           &bucket,
+			GrantFullControl: &grantFullControl,
+			GrantRead:        &grantRead,
+			GrantReadACP:     &grantReadACP,
+			GrantWrite:       &grantWrite,
+			GrantWriteACP:    &grantWriteACP,
+		}
+	} else {
+		debuglogger.Logf("none of the bucket acl options has been specified: canned, req headers, req body")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMissingSecurityHeader)
+	}
+
+	updAcl, err := auth.UpdateACL(input, parsedAcl, c.iam)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutBucketAcl(ctx.Context(), bucket, updAcl)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) CreateBucket(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	acl := ctx.Get("X-Amz-Acl")
+	grantFullControl := ctx.Get("X-Amz-Grant-Full-Control")
+	grantRead := ctx.Get("X-Amz-Grant-Read")
+	grantReadACP := ctx.Get("X-Amz-Grant-Read-Acp")
+	grantWrite := ctx.Get("X-Amz-Grant-Write")
+	grantWriteACP := ctx.Get("X-Amz-Grant-Write-Acp")
+	lockEnabled := strings.EqualFold(ctx.Get("X-Amz-Bucket-Object-Lock-Enabled"), "true")
+	grants := grantFullControl + grantRead + grantReadACP + grantWrite + grantWriteACP
+	objectOwnership := types.ObjectOwnership(
+		ctx.Get("X-Amz-Object-Ownership", string(types.ObjectOwnershipBucketOwnerEnforced)),
+	)
+
+	if c.readonly {
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAccessDenied)
+	}
+
+	creator := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	if !utils.ContextKeyBucketOwner.IsSet(ctx) {
+		utils.ContextKeyBucketOwner.Set(ctx, creator)
+	}
+	bucketOwner := utils.ContextKeyBucketOwner.Get(ctx).(auth.Account)
+
+	if creator.Role != auth.RoleAdmin && creator.Role != auth.RoleUserPlus {
+		return &Response{
+			MetaOpts: &MetaOptions{},
+		}, s3err.GetAPIError(s3err.ErrAccessDenied)
+	}
+
+	// validate the bucket name
+	if ok := utils.IsValidBucketName(bucket); !ok {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: bucketOwner.Access,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidBucketName)
+	}
+
+	// validate bucket canned acl
+	err := auth.ValidateCannedACL(acl)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: bucketOwner.Access,
+			},
+		}, err
+	}
+
+	// validate the object ownership value
+	if ok := utils.IsValidOwnership(objectOwnership); !ok {
+		return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: bucketOwner.Access,
+				},
+			}, s3err.APIError{
+				Code:           "InvalidArgument",
+				Description:    fmt.Sprintf("Invalid x-amz-object-ownership header: %v", objectOwnership),
+				HTTPStatusCode: http.StatusBadRequest,
+			}
+	}
+
+	if acl+grants != "" && objectOwnership == types.ObjectOwnershipBucketOwnerEnforced {
+		debuglogger.Logf("bucket acls are disabled for %v object ownership", objectOwnership)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: bucketOwner.Access,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidBucketAclWithObjectOwnership)
+	}
+
+	if acl != "" && grants != "" {
+		debuglogger.Logf("invalid request: %q (grants) %q (acl)", grants, acl)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: bucketOwner.Access,
+			},
+		}, s3err.GetAPIError(s3err.ErrBothCannedAndHeaderGrants)
+	}
+
+	var body s3response.CreateBucketConfiguration
+	if len(ctx.Body()) != 0 {
+		// request body is optional for CreateBucket
+		err := xml.Unmarshal(ctx.Body(), &body)
+		if err != nil {
+			debuglogger.Logf("failed to parse the request body: %v", err)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: bucketOwner.Access,
+				},
+			}, s3err.GetAPIError(s3err.ErrMalformedXML)
+		}
+
+		if body.LocationConstraint != nil {
+			region := utils.ContextKeyRegion.Get(ctx).(string)
+			if *body.LocationConstraint != region || *body.LocationConstraint == "us-east-1" {
+				debuglogger.Logf("invalid location constraint: %s", *body.LocationConstraint)
+				return &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: bucketOwner.Access,
+					},
+				}, s3err.GetAPIError(s3err.ErrInvalidLocationConstraint)
+			}
+		}
+	}
+
+	defACL := auth.ACL{
+		Owner: bucketOwner.Access,
+	}
+
+	updAcl, err := auth.UpdateACL(&auth.PutBucketAclInput{
+		GrantFullControl: &grantFullControl,
+		GrantRead:        &grantRead,
+		GrantReadACP:     &grantReadACP,
+		GrantWrite:       &grantWrite,
+		GrantWriteACP:    &grantWriteACP,
+		AccessControlPolicy: &auth.AccessControlPolicy{
+			Owner: &types.Owner{
+				ID: &bucketOwner.Access,
+			}},
+		ACL: types.BucketCannedACL(acl),
+	}, defACL, c.iam)
+	if err != nil {
+		debuglogger.Logf("failed to update bucket acl: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: bucketOwner.Access,
+			},
+		}, err
+	}
+
+	err = c.be.CreateBucket(ctx.Context(), &s3.CreateBucketInput{
+		Bucket:                     &bucket,
+		ObjectOwnership:            objectOwnership,
+		ObjectLockEnabledForBucket: &lockEnabled,
+		CreateBucketConfiguration: &types.CreateBucketConfiguration{
+			Tags: body.TagSet,
+		},
+	}, updAcl)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: bucketOwner.Access,
+		},
+	}, err
+}
--- a/s3api/controllers/bucket-put_test.go
+++ b/s3api/controllers/bucket-put_test.go
--- a/s3api/controllers/cors_default_origin_test.go
+++ b/s3api/controllers/cors_default_origin_test.go
@@ -0,0 +1,92 @@
+// Copyright 2026 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/s3api/middlewares"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestApplyBucketCORS_FallbackOrigin_NoBucketCors_NoRequestOrigin(t *testing.T) {
+	origin := "https://example.com"
+
+	mockedBackend := &BackendMock{
+		GetBucketCorsFunc: func(ctx context.Context, bucket string) ([]byte, error) {
+			return nil, s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration)
+		},
+	}
+
+	app := fiber.New()
+	app.Get("/:bucket/test",
+		middlewares.ApplyBucketCORS(mockedBackend, origin),
+		func(c *fiber.Ctx) error {
+			return c.SendStatus(http.StatusOK)
+		},
+	)
+
+	req, err := http.NewRequest(http.MethodGet, "/mybucket/test", nil)
+	if err != nil {
+		t.Fatalf("new request: %v", err)
+	}
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("app.Test: %v", err)
+	}
+
+	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != origin {
+		t.Fatalf("expected Access-Control-Allow-Origin to be set to fallback, got %q", got)
+	}
+	if got := resp.Header.Get("Access-Control-Expose-Headers"); got != "ETag" {
+		t.Fatalf("expected Access-Control-Expose-Headers to include ETag, got %q", got)
+	}
+}
+
+func TestApplyBucketCORS_FallbackOrigin_NotAppliedWhenBucketCorsExists(t *testing.T) {
+	origin := "https://example.com"
+
+	mockedBackend := &BackendMock{
+		GetBucketCorsFunc: func(ctx context.Context, bucket string) ([]byte, error) {
+			return []byte("not-parsed"), nil
+		},
+	}
+
+	app := fiber.New()
+	app.Get("/:bucket/test",
+		middlewares.ApplyBucketCORS(mockedBackend, origin),
+		func(c *fiber.Ctx) error {
+			return c.SendStatus(http.StatusOK)
+		},
+	)
+
+	req, err := http.NewRequest(http.MethodGet, "/mybucket/test", nil)
+	if err != nil {
+		t.Fatalf("new request: %v", err)
+	}
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("app.Test: %v", err)
+	}
+
+	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != "" {
+		t.Fatalf("expected no Access-Control-Allow-Origin when bucket CORS exists, got %q", got)
+	}
+}
--- a/s3api/controllers/object-delete.go
+++ b/s3api/controllers/object-delete.go
@@ -0,0 +1,237 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3event"
+)
+
+func (c S3ApiController) DeleteObjectTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	action := auth.DeleteObjectTaggingAction
+	if versionId != "" {
+		action = auth.DeleteObjectVersionTaggingAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          action,
+			IsPublicRequest: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.DeleteObjectTagging(ctx.Context(), bucket, key, versionId)
+	return &Response{
+		Headers: map[string]*string{
+			"x-amz-version-id": &versionId,
+		},
+		MetaOpts: &MetaOptions{
+			Status:      http.StatusNoContent,
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectTaggingDelete,
+		},
+	}, err
+}
+
+func (c S3ApiController) AbortMultipartUpload(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	uploadId := ctx.Query("uploadId")
+	ifMatchInitiatedTime := utils.ParsePreconditionDateHeader(ctx.Get("X-Amz-If-Match-Initiated-Time"))
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          auth.AbortMultipartUploadAction,
+			IsPublicRequest: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.AbortMultipartUpload(ctx.Context(),
+		&s3.AbortMultipartUploadInput{
+			UploadId:             &uploadId,
+			Bucket:               &bucket,
+			Key:                  &key,
+			IfMatchInitiatedTime: ifMatchInitiatedTime,
+		})
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			Status:      http.StatusNoContent,
+		},
+	}, err
+}
+
+func (c S3ApiController) DeleteObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	bypass := strings.EqualFold(ctx.Get("X-Amz-Bypass-Governance-Retention"), "true")
+	ifMatch := utils.GetStringPtr(ctx.Get("If-Match"))
+	ifMatchLastModTime := utils.ParsePreconditionDateHeader(ctx.Get("X-Amz-If-Match-Last-Modified-Time"))
+	ifMatchSize := utils.ParseIfMatchSize(ctx)
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	action := auth.DeleteObjectAction
+	if versionId != "" {
+		action = auth.DeleteObjectVersionAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          action,
+			IsPublicRequest: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.CheckObjectAccess(
+		ctx.Context(),
+		bucket,
+		acct.Access,
+		[]types.ObjectIdentifier{
+			{
+				Key:       &key,
+				VersionId: &versionId,
+			},
+		},
+		bypass,
+		isBucketPublic,
+		c.be,
+		false,
+	)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.DeleteObject(ctx.Context(),
+		&s3.DeleteObjectInput{
+			Bucket:                  &bucket,
+			Key:                     &key,
+			VersionId:               &versionId,
+			IfMatch:                 ifMatch,
+			IfMatchLastModifiedTime: ifMatchLastModTime,
+			IfMatchSize:             ifMatchSize,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+				EventName:   s3event.EventObjectRemovedDelete,
+				Status:      http.StatusNoContent,
+			},
+		}, err
+	}
+
+	headers := map[string]*string{
+		"x-amz-version-id": res.VersionId,
+	}
+
+	if res.DeleteMarker != nil && *res.DeleteMarker {
+		headers["x-amz-delete-marker"] = utils.GetStringPtr("true")
+	}
+
+	return &Response{
+		Headers: headers,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectRemovedDelete,
+			Status:      http.StatusNoContent,
+		},
+	}, nil
+}
--- a/s3api/controllers/object-delete_test.go
+++ b/s3api/controllers/object-delete_test.go
@@ -0,0 +1,346 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/oklog/ulid/v2"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+)
+
+func TestS3ApiController_DeleteObjectTagging(t *testing.T) {
+	versionId := ulid.Make().String()
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid versionId",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": "invalid_versionId",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidVersionId),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				queries: map[string]string{
+					"versionId": versionId,
+				},
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-version-id": &versionId,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+						EventName:   s3event.EventObjectTaggingDelete,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": versionId,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-version-id": &versionId,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+						EventName:   s3event.EventObjectTaggingDelete,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteObjectTaggingFunc: func(contextMoqParam context.Context, bucket, object, versionId string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteObjectTagging,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_AbortMultipartUpload(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				AbortMultipartUploadFunc: func(contextMoqParam context.Context, abortMultipartUploadInput *s3.AbortMultipartUploadInput) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.AbortMultipartUpload,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteObject(t *testing.T) {
+	delMarker, versionId := true, "versionId"
+	var emptyRes *s3.DeleteObjectOutput
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid versionId",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": "invalid_versionId",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidVersionId),
+			},
+		},
+		{
+			name: "object locked",
+			input: testInput{
+				locals:       defaultLocals,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				beErr:        s3err.GetAPIError(s3err.ErrInvalidRequest),
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+				beRes:        emptyRes,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+						EventName:   s3event.EventObjectRemovedDelete,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals:       defaultLocals,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+				beRes: &s3.DeleteObjectOutput{
+					DeleteMarker: &delMarker,
+					VersionId:    &versionId,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+						"x-amz-version-id":    &versionId,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+						EventName:   s3event.EventObjectRemovedDelete,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteObjectFunc: func(contextMoqParam context.Context, deleteObjectInput *s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error) {
+					return tt.input.beRes.(*s3.DeleteObjectOutput), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+				GetObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, tt.input.extraMockErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteObject,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
--- a/s3api/controllers/object-get.go
+++ b/s3api/controllers/object-get.go
@@ -0,0 +1,619 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"math"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) GetObjectTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	action := auth.GetObjectTaggingAction
+	if versionId != "" {
+		action = auth.GetObjectVersionTaggingAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          action,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetObjectTagging(ctx.Context(), bucket, key, versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	tags := s3response.Tagging{
+		TagSet: s3response.TagSet{Tags: []s3response.Tag{}},
+	}
+
+	for key, val := range data {
+		tags.TagSet.Tags = append(tags.TagSet.Tags,
+			s3response.Tag{Key: key, Value: val})
+	}
+
+	return &Response{
+		Data: tags,
+		Headers: map[string]*string{
+			"x-amz-version-id": &versionId,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
+
+func (c S3ApiController) GetObjectRetention(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          auth.GetObjectRetentionAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetObjectRetention(ctx.Context(), bucket, key, versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	retention, err := auth.ParseObjectLockRetentionOutput(data)
+	return &Response{
+		Data: retention,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectLegalHold(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          auth.GetObjectLegalHoldAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	data, err := c.be.GetObjectLegalHold(ctx.Context(), bucket, key, versionId)
+	return &Response{
+		Data: auth.ParseObjectLegalHoldOutput(data),
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectAcl(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionReadAcp,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          auth.GetObjectAclAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+	res, err := c.be.GetObjectAcl(ctx.Context(), &s3.GetObjectAclInput{
+		Bucket: &bucket,
+		Key:    &key,
+	})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) ListParts(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	uploadId := ctx.Query("uploadId")
+	partNumberMarker := ctx.Query("part-number-marker")
+	maxPartsStr := ctx.Query("max-parts")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          auth.ListMultipartUploadPartsAction,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// parse the part number marker
+	if partNumberMarker != "" {
+		n, err := strconv.Atoi(partNumberMarker)
+		if err != nil || n < 0 {
+			debuglogger.Logf("invalid part number marker %q: %v",
+				partNumberMarker, err)
+
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrInvalidPartNumberMarker)
+		}
+	}
+
+	// parse the max parts
+	maxParts, err := utils.ParseUint(maxPartsStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max parts %q: %v",
+			maxPartsStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxParts)
+	}
+
+	res, err := c.be.ListParts(ctx.Context(), &s3.ListPartsInput{
+		Bucket:           &bucket,
+		Key:              &key,
+		UploadId:         &uploadId,
+		PartNumberMarker: &partNumberMarker,
+		MaxParts:         &maxParts,
+	})
+	return &Response{
+		Data: res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObjectAttributes(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	maxPartsStr := ctx.Get("X-Amz-Max-Parts")
+	partNumberMarker := ctx.Get("X-Amz-Part-Number-Marker")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	action := auth.GetObjectAttributesAction
+	if versionId != "" {
+		action = auth.GetObjectVersionAttributesAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          action,
+		IsPublicRequest: isPublicBucket,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// parse max parts
+	maxParts, err := utils.ParseUint(maxPartsStr)
+	if err != nil {
+		debuglogger.Logf("error parsing max parts %q: %v",
+			maxPartsStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMaxParts)
+	}
+
+	// parse the object attributes
+	attrs, err := utils.ParseObjectAttributes(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.GetObjectAttributes(ctx.Context(),
+		&s3.GetObjectAttributesInput{
+			Bucket:           &bucket,
+			Key:              &key,
+			PartNumberMarker: &partNumberMarker,
+			MaxParts:         &maxParts,
+			VersionId:        &versionId,
+		})
+	if err != nil {
+		headers := map[string]*string{
+			"x-amz-version-id": res.VersionId,
+		}
+		if res.DeleteMarker != nil && *res.DeleteMarker {
+			headers["x-amz-delete-marker"] = utils.GetStringPtr("true")
+		}
+		return &Response{
+			Headers: headers,
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	headers := map[string]*string{
+		"x-amz-version-id": res.VersionId,
+		"Last-Modified":    utils.FormatDatePtrToString(res.LastModified, iso8601TimeFormatExtended),
+	}
+	if res.DeleteMarker != nil && *res.DeleteMarker {
+		headers["x-amz-delete-marker"] = utils.GetStringPtr("true")
+	}
+
+	return &Response{
+		Headers: headers,
+		Data:    utils.FilterObjectAttributes(attrs, res),
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) GetObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	acceptRange := ctx.Get("Range")
+	checksumMode := types.ChecksumMode(strings.ToUpper(ctx.Get("x-amz-checksum-mode")))
+	partNumberQuery := int32(ctx.QueryInt("partNumber", -1))
+
+	// Extract response override query parameters
+	responseOverrides := map[string]*string{
+		"Cache-Control":       utils.GetQueryParam(ctx, "response-cache-control"),
+		"Content-Disposition": utils.GetQueryParam(ctx, "response-content-disposition"),
+		"Content-Encoding":    utils.GetQueryParam(ctx, "response-content-encoding"),
+		"Content-Language":    utils.GetQueryParam(ctx, "response-content-language"),
+		"Content-Type":        utils.GetQueryParam(ctx, "response-content-type"),
+		"Expires":             utils.GetQueryParam(ctx, "response-expires"),
+	}
+
+	// Check if any response override parameters are present
+	hasResponseOverrides := false
+	for _, override := range responseOverrides {
+		if override != nil {
+			hasResponseOverrides = true
+			break
+		}
+	}
+
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucketRequest := utils.ContextKeyPublicBucket.IsSet(ctx)
+	utils.ContextKeySkipResBodyLog.Set(ctx, true)
+
+	// Validate that response override parameters are not used with anonymous requests
+	if hasResponseOverrides && isPublicBucketRequest {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrAnonymousResponseHeaders)
+	}
+
+	action := auth.GetObjectAction
+	if ctx.Request().URI().QueryArgs().Has("versionId") {
+		action = auth.GetObjectVersionAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionRead,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          action,
+		IsPublicRequest: isPublicBucketRequest,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var partNumber *int32
+	if ctx.Request().URI().QueryArgs().Has("partNumber") {
+		if partNumberQuery < minPartNumber || partNumberQuery > maxPartNumber {
+			debuglogger.Logf("invalid part number: %d", partNumberQuery)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+		}
+
+		partNumber = &partNumberQuery
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// validate the checksum mode
+	if checksumMode != "" && checksumMode != types.ChecksumModeEnabled {
+		debuglogger.Logf("invalid x-amz-checksum-mode header value: %v", checksumMode)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-mode")
+	}
+
+	conditionalHeaders := utils.ParsePreconditionHeaders(ctx)
+
+	res, err := c.be.GetObject(ctx.Context(), &s3.GetObjectInput{
+		Bucket:            &bucket,
+		Key:               &key,
+		Range:             &acceptRange,
+		IfMatch:           conditionalHeaders.IfMatch,
+		IfNoneMatch:       conditionalHeaders.IfNoneMatch,
+		IfModifiedSince:   conditionalHeaders.IfModSince,
+		IfUnmodifiedSince: conditionalHeaders.IfUnmodeSince,
+		VersionId:         &versionId,
+		ChecksumMode:      checksumMode,
+		PartNumber:        partNumber,
+	})
+	if err != nil {
+		var headers map[string]*string
+		if res != nil {
+			headers = map[string]*string{
+				"x-amz-delete-marker": utils.GetStringPtr("true"),
+				"Last-Modified":       utils.FormatDatePtrToString(res.LastModified, timefmt),
+			}
+		}
+		return &Response{
+			Headers: headers,
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// Set x-amz-meta-... headers
+	utils.SetMetaHeaders(ctx, res.Metadata)
+
+	status := http.StatusOK
+	if acceptRange != "" {
+		status = http.StatusPartialContent
+	}
+
+	if res.Body != nil {
+		// -1 will stream response body until EOF if content length not set
+		contentLen := -1
+		if res.ContentLength != nil {
+			if *res.ContentLength > int64(math.MaxInt) {
+				debuglogger.Logf("content length %v int overflow",
+					*res.ContentLength)
+				return &Response{
+					MetaOpts: &MetaOptions{
+						ContentLength: utils.GetInt64(res.ContentLength),
+						BucketOwner:   parsedAcl.Owner,
+						Status:        status,
+					},
+				}, s3err.GetAPIError(s3err.ErrInvalidRange)
+			}
+			contentLen = int(*res.ContentLength)
+		}
+		utils.StreamResponseBody(ctx, res.Body, contentLen)
+	}
+
+	return &Response{
+		Headers: map[string]*string{
+			"ETag":                                res.ETag,
+			"x-amz-restore":                       res.Restore,
+			"accept-ranges":                       res.AcceptRanges,
+			"Content-Range":                       res.ContentRange,
+			"Content-Disposition":                 utils.ApplyOverride(res.ContentDisposition, responseOverrides["Content-Disposition"]),
+			"Content-Encoding":                    utils.ApplyOverride(res.ContentEncoding, responseOverrides["Content-Encoding"]),
+			"Content-Language":                    utils.ApplyOverride(res.ContentLanguage, responseOverrides["Content-Language"]),
+			"Cache-Control":                       utils.ApplyOverride(res.CacheControl, responseOverrides["Cache-Control"]),
+			"Expires":                             utils.ApplyOverride(res.ExpiresString, responseOverrides["Expires"]),
+			"x-amz-checksum-crc32":                res.ChecksumCRC32,
+			"x-amz-checksum-crc64nvme":            res.ChecksumCRC64NVME,
+			"x-amz-checksum-crc32c":               res.ChecksumCRC32C,
+			"x-amz-checksum-sha1":                 res.ChecksumSHA1,
+			"x-amz-checksum-sha256":               res.ChecksumSHA256,
+			"Content-Type":                        utils.ApplyOverride(res.ContentType, responseOverrides["Content-Type"]),
+			"x-amz-version-id":                    res.VersionId,
+			"Content-Length":                      utils.ConvertPtrToStringPtr(res.ContentLength),
+			"x-amz-mp-parts-count":                utils.ConvertPtrToStringPtr(res.PartsCount),
+			"x-amz-tagging-count":                 utils.ConvertPtrToStringPtr(res.TagCount),
+			"x-amz-object-lock-mode":              utils.ConvertToStringPtr(res.ObjectLockMode),
+			"x-amz-object-lock-legal-hold":        utils.ConvertToStringPtr(res.ObjectLockLegalHoldStatus),
+			"x-amz-storage-class":                 utils.ConvertToStringPtr(res.StorageClass),
+			"x-amz-checksum-type":                 utils.ConvertToStringPtr(res.ChecksumType),
+			"x-amz-object-lock-retain-until-date": utils.FormatDatePtrToString(res.ObjectLockRetainUntilDate, time.RFC3339),
+			"Last-Modified":                       utils.FormatDatePtrToString(res.LastModified, timefmt),
+		},
+		MetaOpts: &MetaOptions{
+			ContentLength: utils.GetInt64(res.ContentLength),
+			BucketOwner:   parsedAcl.Owner,
+			Status:        status,
+		},
+	}, nil
+}
--- a/s3api/controllers/object-get_test.go
+++ b/s3api/controllers/object-get_test.go
@@ -0,0 +1,932 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/oklog/ulid/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_GetObjectTagging(t *testing.T) {
+	versionId := ulid.Make().String()
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid versionId",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": "invalid_versionId",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidVersionId),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  map[string]string{},
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				queries: map[string]string{
+					"versionId": versionId,
+				},
+				locals: defaultLocals,
+				beRes: map[string]string{
+					"key": "val",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-version-id": utils.GetStringPtr(versionId),
+					},
+					Data: s3response.Tagging{
+						TagSet: s3response.TagSet{
+							Tags: []s3response.Tag{
+								{Key: "key", Value: "val"},
+							},
+						},
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectTaggingFunc: func(contextMoqParam context.Context, bucket, object, versionId string) (map[string]string, error) {
+					return tt.input.beRes.(map[string]string), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectTagging,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObjectRetention(t *testing.T) {
+	retBytes, err := json.Marshal(types.ObjectLockRetention{
+		Mode: types.ObjectLockRetentionModeCompliance,
+	})
+	assert.NoError(t, err)
+
+	var retention *types.ObjectLockRetention
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid versionId",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": "invalid_versionId",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidVersionId),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  []byte{},
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "invalid data from backend",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  []byte{},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: retention,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: fmt.Errorf("parse object lock retention: "),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  retBytes,
+			},
+			output: testOutput{
+				response: &Response{
+					Data: &types.ObjectLockRetention{
+						Mode: types.ObjectLockRetentionModeCompliance,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectRetentionFunc: func(contextMoqParam context.Context, bucket, object, versionId string) ([]byte, error) {
+					return tt.input.beRes.([]byte), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectRetention,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObjectLegalHold(t *testing.T) {
+	var legalHold *bool
+	var emptyLegalHold *s3response.GetObjectLegalHoldResult
+	status := true
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid versionId",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": "invalid_versionId",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidVersionId),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  legalHold,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: emptyLegalHold,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  &status,
+			},
+			output: testOutput{
+				response: &Response{
+					Data: &s3response.GetObjectLegalHoldResult{
+						Status: types.ObjectLockLegalHoldStatusOn,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectLegalHoldFunc: func(contextMoqParam context.Context, bucket, object, versionId string) (*bool, error) {
+					return tt.input.beRes.(*bool), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectLegalHold,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObjectAcl(t *testing.T) {
+	var emptyRes *s3.GetObjectAclOutput
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  emptyRes,
+				beErr:  s3err.GetAPIError(s3err.ErrNotImplemented),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: emptyRes,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNotImplemented),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes: &s3.GetObjectAclOutput{
+					Owner: &types.Owner{
+						ID: utils.GetStringPtr("something"),
+					},
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: &s3.GetObjectAclOutput{
+						Owner: &types.Owner{
+							ID: utils.GetStringPtr("something"),
+						},
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectAclFunc: func(contextMoqParam context.Context, getObjectAclInput *s3.GetObjectAclInput) (*s3.GetObjectAclOutput, error) {
+					return tt.input.beRes.(*s3.GetObjectAclOutput), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectAcl,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_ListParts(t *testing.T) {
+	listPartsResult := s3response.ListPartsResult{
+		Bucket:      "my-bucket",
+		Key:         "obj",
+		IsTruncated: false,
+		Parts: []s3response.Part{
+			{ETag: "ETag"},
+		},
+	}
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid part number marker",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"part-number-marker": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidPartNumberMarker),
+			},
+		},
+		{
+			name: "invalid max parts",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"max-parts": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidMaxParts),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  s3response.ListPartsResult{},
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.ListPartsResult{},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  listPartsResult,
+			},
+			output: testOutput{
+				response: &Response{
+					Data: listPartsResult,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				ListPartsFunc: func(contextMoqParam context.Context, listPartsInput *s3.ListPartsInput) (s3response.ListPartsResult, error) {
+					return tt.input.beRes.(s3response.ListPartsResult), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.ListParts,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObjectAttributes(t *testing.T) {
+	delMarker, lastModTime, etag := true, time.Now(), "ETag"
+	timeFormatted := lastModTime.UTC().Format(iso8601TimeFormatExtended)
+
+	validRes := s3response.GetObjectAttributesResponse{
+		DeleteMarker: &delMarker,
+		LastModified: &lastModTime,
+		VersionId:    utils.GetStringPtr("versionId"),
+		ETag:         &etag,
+	}
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid versionId",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": "invalid_versionId",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidVersionId),
+			},
+		},
+		{
+			name: "invalid max parts",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Max-Parts": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidMaxParts),
+			},
+		},
+		{
+			name: "invalid object attributes",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Object-Attributes": "invalid_attribute",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidObjectAttributes),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  validRes,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				headers: map[string]string{
+					"X-Amz-Object-Attributes": "ETag",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-version-id":    utils.GetStringPtr("versionId"),
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+					},
+					Data: nil,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  validRes,
+				headers: map[string]string{
+					"X-Amz-Object-Attributes": "ETag",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-version-id":    utils.GetStringPtr("versionId"),
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+						"Last-Modified":       &timeFormatted,
+					},
+					Data: s3response.GetObjectAttributesResponse{
+						ETag: &etag,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectAttributesFunc: func(contextMoqParam context.Context, getObjectAttributesInput *s3.GetObjectAttributesInput) (s3response.GetObjectAttributesResponse, error) {
+					return tt.input.beRes.(s3response.GetObjectAttributesResponse), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObjectAttributes,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					headers: tt.input.headers,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_GetObject(t *testing.T) {
+	tm := time.Now()
+	cLength := int64(11)
+	rdr := io.NopCloser(strings.NewReader("hello world"))
+	delMarker := true
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid versionId",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": "invalid_versionId",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidVersionId),
+			},
+		},
+		{
+			name: "invalid checksum mode",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"x-amz-checksum-mode": "invalid_checksum_mode",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-mode"),
+			},
+		},
+		{
+			name: "invalid part number",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"partNumber": "-2",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidPartNumber),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+				beRes: &s3.GetObjectOutput{
+					DeleteMarker: &delMarker,
+					LastModified: &tm,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+						"Last-Modified":       utils.GetStringPtr(tm.UTC().Format(timefmt)),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				headers: map[string]string{
+					"Range": "100-200",
+				},
+				queries: map[string]string{
+					"versionId": "01BX5ZZKBKACTAV9WEVGEMMVRZ",
+				},
+				locals: defaultLocals,
+				beRes: &s3.GetObjectOutput{
+					ETag:          utils.GetStringPtr("ETag"),
+					ContentType:   utils.GetStringPtr("application/xml"),
+					ContentLength: &cLength,
+					Body:          rdr,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"ETag":                                utils.GetStringPtr("ETag"),
+						"x-amz-restore":                       nil,
+						"accept-ranges":                       nil,
+						"Content-Range":                       nil,
+						"Content-Disposition":                 nil,
+						"Content-Encoding":                    nil,
+						"Content-Language":                    nil,
+						"Cache-Control":                       nil,
+						"Expires":                             nil,
+						"x-amz-checksum-crc32":                nil,
+						"x-amz-checksum-crc64nvme":            nil,
+						"x-amz-checksum-crc32c":               nil,
+						"x-amz-checksum-sha1":                 nil,
+						"x-amz-checksum-sha256":               nil,
+						"x-amz-version-id":                    nil,
+						"x-amz-mp-parts-count":                nil,
+						"x-amz-object-lock-mode":              nil,
+						"x-amz-object-lock-legal-hold":        nil,
+						"x-amz-storage-class":                 nil,
+						"x-amz-checksum-type":                 nil,
+						"x-amz-object-lock-retain-until-date": nil,
+						"Last-Modified":                       nil,
+						"x-amz-tagging-count":                 nil,
+						"Content-Type":                        utils.GetStringPtr("application/xml"),
+						"Content-Length":                      utils.GetStringPtr("11"),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner:   "root",
+						Status:        http.StatusPartialContent,
+						ContentLength: cLength,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetObjectFunc: func(contextMoqParam context.Context, getObjectInput *s3.GetObjectInput) (*s3.GetObjectOutput, error) {
+					return tt.input.beRes.(*s3.GetObjectOutput), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.GetObject,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					headers: tt.input.headers,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
--- a/s3api/controllers/object-head.go
+++ b/s3api/controllers/object-head.go
@@ -0,0 +1,168 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func (c S3ApiController) HeadObject(ctx *fiber.Ctx) (*Response, error) {
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	isPublicBucket := utils.ContextKeyPublicBucket.IsSet(ctx)
+	// url values
+	bucket := ctx.Params("bucket")
+	partNumberQuery := int32(ctx.QueryInt("partNumber", -1))
+	versionId := ctx.Query("versionId")
+	objRange := ctx.Get("Range")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+
+	action := auth.GetObjectAction
+	if ctx.Request().URI().QueryArgs().Has("versionId") {
+		action = auth.GetObjectVersionAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionRead,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          action,
+			IsPublicRequest: isPublicBucket,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var partNumber *int32
+	if ctx.Request().URI().QueryArgs().Has("partNumber") {
+		if partNumberQuery < minPartNumber || partNumberQuery > maxPartNumber {
+			debuglogger.Logf("invalid part number: %d", partNumberQuery)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+		}
+
+		partNumber = &partNumberQuery
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	checksumMode := types.ChecksumMode(strings.ToUpper(ctx.Get("x-amz-checksum-mode")))
+	if checksumMode != "" && checksumMode != types.ChecksumModeEnabled {
+		debuglogger.Logf("invalid x-amz-checksum-mode header value: %v", checksumMode)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-mode")
+	}
+
+	conditionalHeaders := utils.ParsePreconditionHeaders(ctx)
+
+	res, err := c.be.HeadObject(ctx.Context(),
+		&s3.HeadObjectInput{
+			Bucket:            &bucket,
+			Key:               &key,
+			PartNumber:        partNumber,
+			VersionId:         &versionId,
+			ChecksumMode:      checksumMode,
+			Range:             &objRange,
+			IfMatch:           conditionalHeaders.IfMatch,
+			IfNoneMatch:       conditionalHeaders.IfNoneMatch,
+			IfModifiedSince:   conditionalHeaders.IfModSince,
+			IfUnmodifiedSince: conditionalHeaders.IfUnmodeSince,
+		})
+	if err != nil {
+		var headers map[string]*string
+		if res != nil {
+			headers = map[string]*string{
+				"x-amz-delete-marker": utils.GetStringPtr("true"),
+				"Last-Modified":       utils.GetStringPtr(res.LastModified.UTC().Format(timefmt)),
+			}
+		}
+		return &Response{
+			Headers: headers,
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// Set the metadata headers
+	utils.SetMetaHeaders(ctx, res.Metadata)
+
+	return &Response{
+		Headers: map[string]*string{
+			"Content-Range":                       res.ContentRange,
+			"Content-Disposition":                 res.ContentDisposition,
+			"Content-Encoding":                    res.ContentEncoding,
+			"Content-Language":                    res.ContentLanguage,
+			"Cache-Control":                       res.CacheControl,
+			"Content-Length":                      utils.ConvertPtrToStringPtr(res.ContentLength),
+			"Content-Type":                        res.ContentType,
+			"Expires":                             res.ExpiresString,
+			"ETag":                                res.ETag,
+			"Last-Modified":                       utils.FormatDatePtrToString(res.LastModified, timefmt),
+			"x-amz-restore":                       res.Restore,
+			"accept-ranges":                       res.AcceptRanges,
+			"x-amz-checksum-crc32":                res.ChecksumCRC32,
+			"x-amz-checksum-crc64nvme":            res.ChecksumCRC64NVME,
+			"x-amz-checksum-crc32c":               res.ChecksumCRC32C,
+			"x-amz-checksum-sha1":                 res.ChecksumSHA1,
+			"x-amz-checksum-sha256":               res.ChecksumSHA256,
+			"x-amz-version-id":                    res.VersionId,
+			"x-amz-mp-parts-count":                utils.ConvertPtrToStringPtr(res.PartsCount),
+			"x-amz-object-lock-mode":              utils.ConvertToStringPtr(res.ObjectLockMode),
+			"x-amz-object-lock-legal-hold":        utils.ConvertToStringPtr(res.ObjectLockLegalHoldStatus),
+			"x-amz-storage-class":                 utils.ConvertToStringPtr(res.StorageClass),
+			"x-amz-checksum-type":                 utils.ConvertToStringPtr(res.ChecksumType),
+			"x-amz-object-lock-retain-until-date": utils.FormatDatePtrToString(res.ObjectLockRetainUntilDate, time.RFC3339),
+			"x-amz-tagging-count":                 utils.ConvertPtrToStringPtr(res.TagCount),
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
--- a/s3api/controllers/object-head_test.go
+++ b/s3api/controllers/object-head_test.go
@@ -0,0 +1,205 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_HeadObject(t *testing.T) {
+	tm := time.Now()
+	cLength := int64(100)
+
+	failingBeRes := &s3.HeadObjectOutput{
+		LastModified: &tm,
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid versionId",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"versionId": "invalid_versionId",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidVersionId),
+			},
+		},
+		{
+			name: "invalid part number",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"partNumber": "-4",
+					"versionId":  "01BX5ZZKBKACTAV9WEVGEMMVRZ",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidPartNumber),
+			},
+		},
+		{
+			name: "invalid checksum mode",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"x-amz-checksum-mode": "invalid_checksum_mode",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-mode"),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+				beRes:  failingBeRes,
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"x-amz-delete-marker": utils.GetStringPtr("true"),
+						"Last-Modified":       utils.GetStringPtr(tm.UTC().Format(timefmt)),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				queries: map[string]string{
+					"partNumber": "4",
+				},
+				locals: defaultLocals,
+				headers: map[string]string{
+					"x-amz-checksum-mode": "enabled",
+				},
+				beRes: &s3.HeadObjectOutput{
+					ETag:          utils.GetStringPtr("ETag"),
+					ContentType:   utils.GetStringPtr("application/xml"),
+					ContentLength: &cLength,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"ETag":                                utils.GetStringPtr("ETag"),
+						"x-amz-restore":                       nil,
+						"accept-ranges":                       nil,
+						"Content-Range":                       nil,
+						"Content-Disposition":                 nil,
+						"Content-Encoding":                    nil,
+						"Content-Language":                    nil,
+						"Cache-Control":                       nil,
+						"Expires":                             nil,
+						"x-amz-checksum-crc32":                nil,
+						"x-amz-checksum-crc64nvme":            nil,
+						"x-amz-checksum-crc32c":               nil,
+						"x-amz-checksum-sha1":                 nil,
+						"x-amz-checksum-sha256":               nil,
+						"x-amz-version-id":                    nil,
+						"x-amz-mp-parts-count":                nil,
+						"x-amz-object-lock-mode":              nil,
+						"x-amz-object-lock-legal-hold":        nil,
+						"x-amz-storage-class":                 nil,
+						"x-amz-checksum-type":                 nil,
+						"x-amz-object-lock-retain-until-date": nil,
+						"Last-Modified":                       nil,
+						"x-amz-tagging-count":                 nil,
+						"Content-Type":                        utils.GetStringPtr("application/xml"),
+						"Content-Length":                      utils.GetStringPtr("100"),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				HeadObjectFunc: func(contextMoqParam context.Context, headObjectInput *s3.HeadObjectInput) (*s3.HeadObjectOutput, error) {
+					return tt.input.beRes.(*s3.HeadObjectOutput), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.HeadObject,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					queries: tt.input.queries,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
--- a/s3api/controllers/object-post.go
+++ b/s3api/controllers/object-post.go
@@ -0,0 +1,371 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"encoding/xml"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) RestoreObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          auth.RestoreObjectAction,
+			IsPublicRequest: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var restoreRequest types.RestoreRequest
+	if err := xml.Unmarshal(ctx.Body(), &restoreRequest); err != nil {
+		debuglogger.Logf("failed to parse the request body: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	err = c.be.RestoreObject(ctx.Context(), &s3.RestoreObjectInput{
+		Bucket:         &bucket,
+		Key:            &key,
+		RestoreRequest: &restoreRequest,
+	})
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectRestoreCompleted,
+		},
+	}, err
+}
+
+func (c S3ApiController) SelectObjectContent(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionRead,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          auth.GetObjectAction,
+			IsPublicRequest: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var payload s3response.SelectObjectContentPayload
+	err = xml.Unmarshal(ctx.Body(), &payload)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling select object content: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	sw := c.be.SelectObjectContent(ctx.Context(),
+		&s3.SelectObjectContentInput{
+			Bucket:              &bucket,
+			Key:                 &key,
+			Expression:          payload.Expression,
+			ExpressionType:      payload.ExpressionType,
+			InputSerialization:  payload.InputSerialization,
+			OutputSerialization: payload.OutputSerialization,
+			RequestProgress:     payload.RequestProgress,
+			ScanRange:           payload.ScanRange,
+		})
+
+	ctx.Context().SetBodyStreamWriter(sw)
+
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
+
+func (c S3ApiController) CreateMultipartUpload(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	contentType := ctx.Get("Content-Type")
+	contentDisposition := ctx.Get("Content-Disposition")
+	contentLanguage := ctx.Get("Content-Language")
+	cacheControl := ctx.Get("Cache-Control")
+	contentEncoding := ctx.Get("Content-Encoding")
+	tagging := ctx.Get("X-Amz-Tagging")
+	expires := ctx.Get("Expires")
+	metadata := utils.GetUserMetaData(&ctx.Request().Header)
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Object:        key,
+			Action:        auth.PutObjectAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	objLockState, err := utils.ParsObjectLockHdrs(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	checksumAlgorithm, checksumType, err := utils.ParseCreateMpChecksumHeaders(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.CreateMultipartUpload(ctx.Context(),
+		s3response.CreateMultipartUploadInput{
+			Bucket:                    &bucket,
+			Key:                       &key,
+			Tagging:                   &tagging,
+			ContentType:               &contentType,
+			ContentEncoding:           &contentEncoding,
+			ContentDisposition:        &contentDisposition,
+			ContentLanguage:           &contentLanguage,
+			CacheControl:              &cacheControl,
+			Expires:                   &expires,
+			ObjectLockRetainUntilDate: &objLockState.RetainUntilDate,
+			ObjectLockMode:            objLockState.ObjectLockMode,
+			ObjectLockLegalHoldStatus: objLockState.LegalHoldStatus,
+			Metadata:                  metadata,
+			ChecksumAlgorithm:         checksumAlgorithm,
+			ChecksumType:              checksumType,
+		})
+	var headers map[string]*string
+	if err == nil {
+		headers = map[string]*string{
+			"x-amz-checksum-algorithm": utils.ConvertToStringPtr(checksumAlgorithm),
+			"x-amz-checksum-type":      utils.ConvertToStringPtr(checksumType),
+		}
+	}
+	return &Response{
+		Headers: headers,
+		Data:    res,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) CompleteMultipartUpload(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	uploadId := ctx.Query("uploadId")
+	mpuObjSizeHdr := ctx.Get("X-Amz-Mp-Object-Size")
+	checksumType := types.ChecksumType(strings.ToUpper(ctx.Get("x-amz-checksum-type")))
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	isBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          auth.PutObjectAction,
+			IsPublicRequest: isBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var body s3response.CompleteMultipartUploadRequestBody
+	err = xml.Unmarshal(ctx.Body(), &body)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling complete multipart upload: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	if len(body.Parts) == 0 {
+		debuglogger.Logf("empty parts provided for complete multipart upload")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	var mpuObjectSize *int64
+	if mpuObjSizeHdr != "" {
+		val, err := strconv.ParseInt(mpuObjSizeHdr, 10, 64)
+		if err != nil {
+			debuglogger.Logf("invalid value for 'x-amz-mp-object-size' header: %v", err)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetInvalidMpObjectSizeErr(mpuObjSizeHdr)
+		}
+
+		if val < 0 {
+			debuglogger.Logf("value for 'x-amz-mp-object-size' header is less than 0: %v", val)
+			return &Response{
+				MetaOpts: &MetaOptions{
+					BucketOwner: parsedAcl.Owner,
+				},
+			}, s3err.GetNegatvieMpObjectSizeErr(val)
+		}
+
+		mpuObjectSize = &val
+	}
+
+	checksums, err := utils.ParseCompleteMpChecksumHeaders(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.IsChecksumTypeValid(checksumType)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	ifMatch, ifNoneMatch := utils.ParsePreconditionMatchHeaders(ctx)
+
+	err = auth.CheckObjectAccess(ctx.Context(), bucket, acct.Access, []types.ObjectIdentifier{{Key: &key}}, true, isBucketPublic, c.be, true)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, versid, err := c.be.CompleteMultipartUpload(ctx.Context(),
+		&s3.CompleteMultipartUploadInput{
+			Bucket:   &bucket,
+			Key:      &key,
+			UploadId: &uploadId,
+			MultipartUpload: &types.CompletedMultipartUpload{
+				Parts: body.Parts,
+			},
+			MpuObjectSize:     mpuObjectSize,
+			ChecksumCRC32:     utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32]),
+			ChecksumCRC32C:    utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32c]),
+			ChecksumSHA1:      utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha1]),
+			ChecksumSHA256:    utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha256]),
+			ChecksumCRC64NVME: utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc64nvme]),
+			ChecksumType:      checksumType,
+			IfMatch:           ifMatch,
+			IfNoneMatch:       ifNoneMatch,
+		})
+	if err == nil {
+		objUrl := utils.GenerateObjectLocation(ctx, c.virtualDomain, bucket, key)
+		res.Location = &objUrl
+	}
+	return &Response{
+		Data: res,
+		Headers: map[string]*string{
+			"x-amz-version-id": &versid,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			ObjectETag:  res.ETag,
+			EventName:   s3event.EventCompleteMultipartUpload,
+			VersionId:   &versid,
+		},
+	}, err
+}
--- a/s3api/controllers/object-post_test.go
+++ b/s3api/controllers/object-post_test.go
@@ -0,0 +1,588 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"bufio"
+	"context"
+	"encoding/xml"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_RestoreObject(t *testing.T) {
+	validRestoreBody, err := xml.Marshal(types.RestoreRequest{
+		Description: utils.GetStringPtr("description"),
+		Type:        types.RestoreRequestTypeSelect,
+	})
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				body:   validRestoreBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRestoreCompleted,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validRestoreBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRestoreCompleted,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				RestoreObjectFunc: func(contextMoqParam context.Context, restoreObjectInput *s3.RestoreObjectInput) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.RestoreObject,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_SelectObjectContent(t *testing.T) {
+	validSelectBody, err := xml.Marshal(s3response.SelectObjectContentPayload{
+		Expression:     utils.GetStringPtr("expression"),
+		ExpressionType: types.ExpressionTypeSql,
+	})
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validSelectBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				SelectObjectContentFunc: func(ctx context.Context, input *s3.SelectObjectContentInput) func(w *bufio.Writer) {
+					return func(w *bufio.Writer) {}
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.SelectObjectContent,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_CreateMultipartUpload(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid object lock headers",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Object-Lock-Mode": string(types.ObjectLockModeGovernance),
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrObjectLockInvalidHeaders),
+			},
+		},
+		{
+			name: "invalid checksum headers",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Checksum-Algorithm": "invalid_checksum_algo",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidChecksumAlgorithm),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				beRes:  s3response.InitiateMultipartUploadResult{},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.InitiateMultipartUploadResult{},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  s3response.InitiateMultipartUploadResult{},
+				headers: map[string]string{
+					"x-amz-checksum-algorithm": string(types.ChecksumAlgorithmCrc32),
+					"x-amz-checksum-type":      string(types.ChecksumTypeComposite),
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.InitiateMultipartUploadResult{},
+					Headers: map[string]*string{
+						"x-amz-checksum-algorithm": utils.ConvertToStringPtr(types.ChecksumAlgorithmCrc32),
+						"x-amz-checksum-type":      utils.ConvertToStringPtr(types.ChecksumTypeComposite),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				CreateMultipartUploadFunc: func(contextMoqParam context.Context, createMultipartUploadInput s3response.CreateMultipartUploadInput) (s3response.InitiateMultipartUploadResult, error) {
+					return tt.input.beRes.(s3response.InitiateMultipartUploadResult), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.CreateMultipartUpload,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_CompleteMultipartUpload(t *testing.T) {
+	emptyMpPartsBody, err := xml.Marshal(s3response.CompleteMultipartUploadRequestBody{
+		Parts: []types.CompletedPart{},
+	})
+	assert.NoError(t, err)
+	pn := int32(1)
+
+	validMpBody, err := xml.Marshal(s3response.CompleteMultipartUploadRequestBody{
+		Parts: []types.CompletedPart{
+			{
+				PartNumber: &pn,
+				ETag:       utils.GetStringPtr("ETag"),
+			},
+		},
+	})
+	assert.NoError(t, err)
+
+	versionId, ETag := "versionId", "mock-ETag"
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "request body empty mp parts",
+			input: testInput{
+				locals: defaultLocals,
+				body:   emptyMpPartsBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "invalid mp parts header string",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				headers: map[string]string{
+					"X-Amz-Mp-Object-Size": "invalid_mp_object_size",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidMpObjectSizeErr("invalid_mp_object_size"),
+			},
+		},
+		{
+			name: "negative mp parts header value",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				headers: map[string]string{
+					"X-Amz-Mp-Object-Size": "-4",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetNegatvieMpObjectSizeErr(-4),
+			},
+		},
+		{
+			name: "invalid checksum headers",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				headers: map[string]string{
+					"X-Amz-Checksum-Crc32": "invalid_checksum",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-crc32"),
+			},
+		},
+		{
+			name: "invalid checksum type",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				headers: map[string]string{
+					"X-Amz-Checksum-Type": "invalid_checksum_type",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidChecksumHeaderErr("x-amz-checksum-type"),
+			},
+		},
+		{
+			name: "object is locked",
+			input: testInput{
+				locals:       defaultLocals,
+				body:         validMpBody,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				body:         validMpBody,
+				beErr:        s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				beRes:        s3response.CompleteMultipartUploadResult{},
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.CompleteMultipartUploadResult{},
+					Headers: map[string]*string{
+						"x-amz-version-id": &versionId,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventCompleteMultipartUpload,
+						VersionId:   &versionId,
+						ObjectETag:  nil,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validMpBody,
+				beRes: s3response.CompleteMultipartUploadResult{
+					ETag: &ETag,
+				},
+				headers: map[string]string{
+					"X-Amz-Mp-Object-Size": "3",
+				},
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.CompleteMultipartUploadResult{
+						ETag:     &ETag,
+						Location: utils.GetStringPtr("http://example.com/bucket/object"),
+					},
+					Headers: map[string]*string{
+						"x-amz-version-id": &versionId,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventCompleteMultipartUpload,
+						VersionId:   &versionId,
+						ObjectETag:  &ETag,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				CompleteMultipartUploadFunc: func(contextMoqParam context.Context, completeMultipartUploadInput *s3.CompleteMultipartUploadInput) (s3response.CompleteMultipartUploadResult, string, error) {
+					return tt.input.beRes.(s3response.CompleteMultipartUploadResult), versionId, tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+				GetObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, tt.input.extraMockErr
+				},
+				GetBucketVersioningFunc: func(contextMoqParam context.Context, bucket string) (s3response.GetBucketVersioningOutput, error) {
+					return s3response.GetBucketVersioningOutput{}, s3err.GetAPIError(s3err.ErrNotImplemented)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.CompleteMultipartUpload,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
--- a/s3api/controllers/object-put.go
+++ b/s3api/controllers/object-put.go
@@ -0,0 +1,790 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"bytes"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"strconv"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func (c S3ApiController) PutObjectTagging(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	action := auth.PutObjectTaggingAction
+	if versionId != "" {
+		action = auth.PutObjectVersionTaggingAction
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionWrite,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          action,
+		IsPublicRequest: IsBucketPublic,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	tagging, err := utils.ParseTagging(ctx.Body(), utils.TagLimitObject)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutObjectTagging(ctx.Context(), bucket, key, versionId, tagging)
+	return &Response{
+		Headers: map[string]*string{
+			"x-amz-version-id": &versionId,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectTaggingPut,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObjectRetention(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	bypass := strings.EqualFold(ctx.Get("X-Amz-Bypass-Governance-Retention"), "true")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionWrite,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          auth.PutObjectRetentionAction,
+		IsPublicRequest: IsBucketPublic,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// parse the request body bytes into a go struct and validate
+	retention, err := auth.ParseObjectLockRetentionInput(ctx.Body())
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// check if the operation is allowed
+	err = auth.IsObjectLockRetentionPutAllowed(ctx.Context(), c.be, bucket, key, versionId, acct.Access, retention, bypass)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	// parse the retention to JSON
+	data, err := auth.ParseObjectLockRetentionInputToJSON(retention)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutObjectRetention(ctx.Context(), bucket, key, versionId, data)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObjectLegalHold(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	versionId := ctx.Query("versionId")
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
+		Readonly:        c.readonly,
+		Acl:             parsedAcl,
+		AclPermission:   auth.PermissionWrite,
+		IsRoot:          isRoot,
+		Acc:             acct,
+		Bucket:          bucket,
+		Object:          key,
+		Action:          auth.PutObjectLegalHoldAction,
+		IsPublicRequest: IsBucketPublic,
+	})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = utils.ValidateVersionId(versionId)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var legalHold types.ObjectLockLegalHold
+	if err := xml.Unmarshal(ctx.Body(), &legalHold); err != nil {
+		debuglogger.Logf("failed to parse request body: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	if legalHold.Status != types.ObjectLockLegalHoldStatusOff && legalHold.Status != types.ObjectLockLegalHoldStatusOn {
+		debuglogger.Logf("invalid legal hold status: %v", legalHold.Status)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	err = c.be.PutObjectLegalHold(ctx.Context(), bucket, key, versionId, legalHold.Status == types.ObjectLockLegalHoldStatusOn)
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) UploadPart(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	partNumber := int32(ctx.QueryInt("partNumber", -1))
+	uploadId := ctx.Query("uploadId")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	contentLengthStr := ctx.Get("Content-Length")
+	if contentLengthStr == "" {
+		contentLengthStr = "0"
+	}
+	// Use decoded content length if available because the
+	// middleware will decode the chunked transfer encoding
+	decodedLength := ctx.Get("X-Amz-Decoded-Content-Length")
+	if decodedLength != "" {
+		contentLengthStr = decodedLength
+	}
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          auth.PutObjectAction,
+			IsPublicRequest: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	if partNumber < minPartNumber || partNumber > maxPartNumber {
+		debuglogger.Logf("invalid part number: %d", partNumber)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+	}
+
+	contentLength, err := strconv.ParseInt(contentLengthStr, 10, 64)
+	if err != nil {
+		debuglogger.Logf("error parsing content length %q: %v", contentLengthStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	algorithm, checksums, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx)
+	if err != nil {
+		debuglogger.Logf("err parsing checksum headers: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var body io.Reader
+	bodyi := utils.ContextKeyBodyReader.Get(ctx)
+	if bodyi != nil {
+		body = bodyi.(io.Reader)
+	} else {
+		body = bytes.NewReader([]byte{})
+	}
+
+	res, err := c.be.UploadPart(ctx.Context(),
+		&s3.UploadPartInput{
+			Bucket:            &bucket,
+			Key:               &key,
+			UploadId:          &uploadId,
+			PartNumber:        &partNumber,
+			ContentLength:     &contentLength,
+			Body:              body,
+			ChecksumAlgorithm: algorithm,
+			ChecksumCRC32:     utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32]),
+			ChecksumCRC32C:    utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32c]),
+			ChecksumSHA1:      utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha1]),
+			ChecksumSHA256:    utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha256]),
+			ChecksumCRC64NVME: utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc64nvme]),
+		})
+	var headers map[string]*string
+	if err == nil {
+		headers = map[string]*string{
+			"ETag":                     res.ETag,
+			"x-amz-checksum-crc32":     res.ChecksumCRC32,
+			"x-amz-checksum-crc32c":    res.ChecksumCRC32C,
+			"x-amz-checksum-crc64nvme": res.ChecksumCRC64NVME,
+			"x-amz-checksum-sha1":      res.ChecksumSHA1,
+			"x-amz-checksum-sha256":    res.ChecksumSHA256,
+		}
+	}
+	return &Response{
+		Headers: headers,
+		MetaOpts: &MetaOptions{
+			ContentLength: contentLength,
+			BucketOwner:   parsedAcl.Owner,
+		},
+	}, err
+
+}
+
+func (c S3ApiController) UploadPartCopy(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	copySource := strings.TrimPrefix(ctx.Get("X-Amz-Copy-Source"), "/")
+	copySrcRange := ctx.Get("X-Amz-Copy-Source-Range")
+	partNumber := int32(ctx.QueryInt("partNumber", -1))
+	uploadId := ctx.Query("uploadId")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := utils.ValidateCopySource(copySource)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.VerifyObjectCopyAccess(ctx.Context(), c.be, copySource,
+		auth.AccessOptions{
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          auth.PutObjectAction,
+			IsPublicRequest: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	if len(ctx.Request().Body()) != 0 {
+		debuglogger.Logf("expected empty request body")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrNonEmptyRequestBody)
+	}
+
+	if partNumber < minPartNumber || partNumber > maxPartNumber {
+		debuglogger.Logf("invalid part number: %d", partNumber)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+	}
+
+	preconditionHdrs := utils.ParsePreconditionHeaders(ctx, utils.WithCopySource())
+
+	resp, err := c.be.UploadPartCopy(ctx.Context(),
+		&s3.UploadPartCopyInput{
+			Bucket:                      &bucket,
+			Key:                         &key,
+			CopySource:                  &copySource,
+			PartNumber:                  &partNumber,
+			UploadId:                    &uploadId,
+			CopySourceRange:             &copySrcRange,
+			CopySourceIfMatch:           preconditionHdrs.IfMatch,
+			CopySourceIfNoneMatch:       preconditionHdrs.IfNoneMatch,
+			CopySourceIfModifiedSince:   preconditionHdrs.IfModSince,
+			CopySourceIfUnmodifiedSince: preconditionHdrs.IfUnmodeSince,
+		})
+	var headers map[string]*string
+	if err == nil && resp.CopySourceVersionId != "" {
+		headers = map[string]*string{
+			"x-amz-copy-source-version-id": &resp.CopySourceVersionId,
+		}
+	}
+	return &Response{
+		Headers: headers,
+		Data:    resp,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObjectAcl(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	acl := ctx.Get("X-Amz-Acl")
+	grantFullControl := ctx.Get("X-Amz-Grant-Full-Control")
+	grantRead := ctx.Get("X-Amz-Grant-Read")
+	grantReadACP := ctx.Get("X-Amz-Grant-Read-Acp")
+	grantWrite := ctx.Get("X-Amz-Grant-Write")
+	grantWriteACP := ctx.Get("X-Amz-Grant-Write-Acp")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:      c.readonly,
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Object:        key,
+			Action:        auth.PutObjectAclAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = c.be.PutObjectAcl(ctx.Context(), &s3.PutObjectAclInput{
+		Bucket:           &bucket,
+		Key:              &key,
+		GrantFullControl: &grantFullControl,
+		GrantRead:        &grantRead,
+		GrantWrite:       &grantWrite,
+		ACL:              types.ObjectCannedACL(acl),
+		GrantReadACP:     &grantReadACP,
+		GrantWriteACP:    &grantWriteACP,
+	})
+	return &Response{
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			EventName:   s3event.EventObjectAclPut,
+		},
+	}, err
+}
+
+func (c S3ApiController) CopyObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	copySource := strings.TrimPrefix(ctx.Get("X-Amz-Copy-Source"), "/")
+	metaDirective := types.MetadataDirective(ctx.Get("X-Amz-Metadata-Directive", string(types.MetadataDirectiveCopy)))
+	taggingDirective := types.TaggingDirective(ctx.Get("X-Amz-Tagging-Directive", string(types.TaggingDirectiveCopy)))
+	contentType := ctx.Get("Content-Type")
+	contentEncoding := ctx.Get("Content-Encoding")
+	contentDisposition := ctx.Get("Content-Disposition")
+	contentLanguage := ctx.Get("Content-Language")
+	cacheControl := ctx.Get("Cache-Control")
+	expires := ctx.Get("Expires")
+	tagging := ctx.Get("x-amz-tagging")
+	storageClass := ctx.Get("X-Amz-Storage-Class")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+
+	err := utils.ValidateCopySource(copySource)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.VerifyObjectCopyAccess(ctx.Context(), c.be, copySource,
+		auth.AccessOptions{
+			Acl:           parsedAcl,
+			AclPermission: auth.PermissionWrite,
+			IsRoot:        isRoot,
+			Acc:           acct,
+			Bucket:        bucket,
+			Object:        key,
+			Action:        auth.PutObjectAction,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	if len(ctx.Request().Body()) != 0 {
+		debuglogger.Logf("expected empty request body")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrNonEmptyRequestBody)
+	}
+
+	metadata := utils.GetUserMetaData(&ctx.Request().Header)
+
+	if metaDirective != "" && metaDirective != types.MetadataDirectiveCopy && metaDirective != types.MetadataDirectiveReplace {
+		debuglogger.Logf("invalid metadata directive: %v", metaDirective)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidMetadataDirective)
+	}
+
+	if taggingDirective != "" && taggingDirective != types.TaggingDirectiveCopy && taggingDirective != types.TaggingDirectiveReplace {
+		debuglogger.Logf("invalid tagging directive: %v", taggingDirective)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidTaggingDirective)
+	}
+
+	checksumAlgorithm := types.ChecksumAlgorithm(ctx.Get("x-amz-checksum-algorithm"))
+	err = utils.IsChecksumAlgorithmValid(checksumAlgorithm)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	objLock, err := utils.ParsObjectLockHdrs(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	preconditionHdrs := utils.ParsePreconditionHeaders(ctx, utils.WithCopySource())
+
+	err = auth.CheckObjectAccess(ctx.Context(), bucket, acct.Access, []types.ObjectIdentifier{{Key: &key}}, true, false, c.be, true)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	res, err := c.be.CopyObject(ctx.Context(),
+		s3response.CopyObjectInput{
+			Bucket:                      &bucket,
+			Key:                         &key,
+			ContentType:                 &contentType,
+			ContentDisposition:          &contentDisposition,
+			ContentEncoding:             &contentEncoding,
+			ContentLanguage:             &contentLanguage,
+			CacheControl:                &cacheControl,
+			Expires:                     &expires,
+			Tagging:                     &tagging,
+			TaggingDirective:            taggingDirective,
+			CopySource:                  &copySource,
+			CopySourceIfMatch:           preconditionHdrs.IfMatch,
+			CopySourceIfNoneMatch:       preconditionHdrs.IfNoneMatch,
+			CopySourceIfModifiedSince:   preconditionHdrs.IfModSince,
+			CopySourceIfUnmodifiedSince: preconditionHdrs.IfUnmodeSince,
+			ExpectedBucketOwner:         &acct.Access,
+			Metadata:                    metadata,
+			MetadataDirective:           metaDirective,
+			StorageClass:                types.StorageClass(storageClass),
+			ChecksumAlgorithm:           checksumAlgorithm,
+			ObjectLockRetainUntilDate:   &objLock.RetainUntilDate,
+			ObjectLockLegalHoldStatus:   objLock.LegalHoldStatus,
+			ObjectLockMode:              objLock.ObjectLockMode,
+		})
+
+	var etag *string
+	if err == nil {
+		etag = res.CopyObjectResult.ETag
+	}
+
+	return &Response{
+		Headers: map[string]*string{
+			"x-amz-version-id":             res.VersionId,
+			"x-amz-copy-source-version-id": res.CopySourceVersionId,
+		},
+		Data: res.CopyObjectResult,
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+			ObjectETag:  etag,
+			VersionId:   res.VersionId,
+			EventName:   s3event.EventObjectCreatedCopy,
+		},
+	}, err
+}
+
+func (c S3ApiController) PutObject(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	key := strings.TrimPrefix(ctx.Path(), fmt.Sprintf("/%s/", bucket))
+	contentType := ctx.Get("Content-Type")
+	contentEncoding := ctx.Get("Content-Encoding")
+	contentDisposition := ctx.Get("Content-Disposition")
+	contentLanguage := ctx.Get("Content-Language")
+	cacheControl := ctx.Get("Cache-Control")
+	expires := ctx.Get("Expires")
+	tagging := ctx.Get("x-amz-tagging")
+	// context locals
+	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
+	isRoot := utils.ContextKeyIsRoot.Get(ctx).(bool)
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)
+
+	// Content Length
+	contentLengthStr := ctx.Get("Content-Length")
+	if contentLengthStr == "" {
+		contentLengthStr = "0"
+	}
+	// Use decoded content length if available because the
+	// middleware will decode the chunked transfer encoding
+	decodedLength := ctx.Get("X-Amz-Decoded-Content-Length")
+	if decodedLength != "" {
+		contentLengthStr = decodedLength
+	}
+
+	// load the meta headers
+	metadata := utils.GetUserMetaData(&ctx.Request().Header)
+
+	err := auth.VerifyAccess(ctx.Context(), c.be,
+		auth.AccessOptions{
+			Readonly:        c.readonly,
+			Acl:             parsedAcl,
+			AclPermission:   auth.PermissionWrite,
+			IsRoot:          isRoot,
+			Acc:             acct,
+			Bucket:          bucket,
+			Object:          key,
+			Action:          auth.PutObjectAction,
+			IsPublicRequest: IsBucketPublic,
+		})
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	err = auth.CheckObjectAccess(ctx.Context(), bucket, acct.Access, []types.ObjectIdentifier{{Key: &key}}, true, IsBucketPublic, c.be, true)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	contentLength, err := strconv.ParseInt(contentLengthStr, 10, 64)
+	if err != nil {
+		debuglogger.Logf("error parsing content length %q: %v", contentLengthStr, err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	objLock, err := utils.ParsObjectLockHdrs(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	algorithm, checksums, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	var body io.Reader
+	bodyi := utils.ContextKeyBodyReader.Get(ctx)
+	if bodyi != nil {
+		body = bodyi.(io.Reader)
+	} else {
+		body = bytes.NewReader([]byte{})
+	}
+
+	ifMatch, ifNoneMatch := utils.ParsePreconditionMatchHeaders(ctx)
+
+	res, err := c.be.PutObject(ctx.Context(),
+		s3response.PutObjectInput{
+			Bucket:                    &bucket,
+			Key:                       &key,
+			ContentLength:             &contentLength,
+			ContentType:               &contentType,
+			ContentEncoding:           &contentEncoding,
+			ContentDisposition:        &contentDisposition,
+			ContentLanguage:           &contentLanguage,
+			CacheControl:              &cacheControl,
+			Expires:                   &expires,
+			Metadata:                  metadata,
+			Body:                      body,
+			Tagging:                   &tagging,
+			ObjectLockRetainUntilDate: &objLock.RetainUntilDate,
+			ObjectLockMode:            objLock.ObjectLockMode,
+			ObjectLockLegalHoldStatus: objLock.LegalHoldStatus,
+			ChecksumAlgorithm:         algorithm,
+			ChecksumCRC32:             utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32]),
+			ChecksumCRC32C:            utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc32c]),
+			ChecksumSHA1:              utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha1]),
+			ChecksumSHA256:            utils.GetStringPtr(checksums[types.ChecksumAlgorithmSha256]),
+			ChecksumCRC64NVME:         utils.GetStringPtr(checksums[types.ChecksumAlgorithmCrc64nvme]),
+			IfMatch:                   ifMatch,
+			IfNoneMatch:               ifNoneMatch,
+		})
+	return &Response{
+		Headers: map[string]*string{
+			"ETag":                     &res.ETag,
+			"x-amz-checksum-crc32":     res.ChecksumCRC32,
+			"x-amz-checksum-crc32c":    res.ChecksumCRC32C,
+			"x-amz-checksum-crc64nvme": res.ChecksumCRC64NVME,
+			"x-amz-checksum-sha1":      res.ChecksumSHA1,
+			"x-amz-checksum-sha256":    res.ChecksumSHA256,
+			"x-amz-checksum-type":      utils.ConvertToStringPtr(res.ChecksumType),
+			"x-amz-version-id":         &res.VersionID,
+			"x-amz-object-size":        utils.ConvertPtrToStringPtr(res.Size),
+		},
+		MetaOpts: &MetaOptions{
+			ContentLength: contentLength,
+			BucketOwner:   parsedAcl.Owner,
+			ObjectETag:    &res.ETag,
+			ObjectSize:    contentLength,
+			EventName:     s3event.EventObjectCreatedPut,
+		},
+	}, err
+}
--- a/s3api/controllers/object-put_test.go
+++ b/s3api/controllers/object-put_test.go
--- a/s3api/controllers/options.go
+++ b/s3api/controllers/options.go
@@ -0,0 +1,113 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"errors"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/debuglogger"
+	"github.com/versity/versitygw/s3api/middlewares"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func (s S3ApiController) CORSOptions(ctx *fiber.Ctx) (*Response, error) {
+	bucket := ctx.Params("bucket")
+	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
+	// get headers
+	origin := ctx.Get("Origin")
+	method := auth.CORSHTTPMethod(ctx.Get("Access-Control-Request-Method"))
+	headers := ctx.Get("Access-Control-Request-Headers")
+
+	// Origin is required
+	if origin == "" {
+		debuglogger.Logf("origin is missing: %v", origin)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrMissingCORSOrigin)
+	}
+
+	// check if allowed method is valid
+	if !method.IsValid() {
+		debuglogger.Logf("invalid cors method: %s", method)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetInvalidCORSMethodErr(method.String())
+	}
+
+	// parse and validate headers
+	parsedHeaders, err := auth.ParseCORSHeaders(headers)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	cors, err := s.be.GetBucketCors(ctx.Context(), bucket)
+	if err != nil {
+		debuglogger.Logf("failed to get bucket cors: %v", err)
+		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration)) {
+			err = s3err.GetAPIError(s3err.ErrCORSIsNotEnabled)
+			debuglogger.Logf("bucket cors is not set: %v", err)
+		}
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	corsConfig, err := auth.ParseCORSOutput(cors)
+	if err != nil {
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	allowConfig, err := corsConfig.IsAllowed(origin, method, parsedHeaders)
+	if err != nil {
+		debuglogger.Logf("cors access forbidden: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, err
+	}
+
+	return &Response{
+		Headers: map[string]*string{
+			"Access-Control-Allow-Origin":      &allowConfig.Origin,
+			"Access-Control-Allow-Methods":     &allowConfig.Methods,
+			"Access-Control-Expose-Headers":    &allowConfig.ExposedHeaders,
+			"Access-Control-Allow-Credentials": &allowConfig.AllowCredentials,
+			"Access-Control-Allow-Headers":     &allowConfig.AllowHeaders,
+			"Access-Control-Max-Age":           utils.ConvertPtrToStringPtr(allowConfig.MaxAge),
+			"Vary":                             &middlewares.VaryHdr,
+		},
+		MetaOpts: &MetaOptions{
+			BucketOwner: parsedAcl.Owner,
+		},
+	}, nil
+}
--- a/s3api/controllers/options_test.go
+++ b/s3api/controllers/options_test.go
@@ -0,0 +1,241 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"encoding/xml"
+	"errors"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/middlewares"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_CORSOptions(t *testing.T) {
+	maxAge := int32(10000)
+	cors, err := xml.Marshal(auth.CORSConfiguration{
+		Rules: []auth.CORSRule{
+			{
+				AllowedOrigins: []string{"example.com"},
+				AllowedMethods: []auth.CORSHTTPMethod{http.MethodGet, http.MethodPost},
+				AllowedHeaders: []auth.CORSHeader{"Content-Type", "Content-Disposition"},
+				ExposeHeaders:  []auth.CORSHeader{"Content-Encoding", "date"},
+				MaxAgeSeconds:  &maxAge,
+			},
+		},
+	})
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "missing origin",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMissingCORSOrigin),
+			},
+		},
+		{
+			name: "invalid method",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "invalid_method",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidCORSMethodErr("invalid_method"),
+			},
+		},
+		{
+			name: "invalid headers",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content Type",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetInvalidCORSRequestHeaderErr("Content Type"),
+			},
+		},
+		{
+			name: "fails to get bucket cors",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+				beRes: []byte{},
+				beErr: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "bucket cors is not enabled",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+				beRes: []byte{},
+				beErr: s3err.GetAPIError(s3err.ErrNoSuchCORSConfiguration),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrCORSIsNotEnabled),
+			},
+		},
+		{
+			name: "fails to parse bucket cors",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+				beRes: []byte("invalid_cors"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: errors.New("failed to parse cors config:"),
+			},
+		},
+		{
+			name: "cors is not allowed",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "PUT",
+					"Access-Control-Request-Headers": "Content-Type",
+				},
+				beRes: cors,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrCORSForbidden),
+			},
+		},
+		{
+			name: "success: cors is allowed",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"Origin":                         "example.com",
+					"Access-Control-Request-Method":  "GET",
+					"Access-Control-Request-Headers": "content-type, Content-Disposition",
+				},
+				beRes: cors,
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"Access-Control-Allow-Origin":      utils.GetStringPtr("example.com"),
+						"Access-Control-Allow-Methods":     utils.GetStringPtr("GET, POST"),
+						"Access-Control-Expose-Headers":    utils.GetStringPtr("Content-Encoding, date"),
+						"Access-Control-Allow-Credentials": utils.GetStringPtr("true"),
+						"Access-Control-Allow-Headers":     utils.GetStringPtr("content-type, content-disposition"),
+						"Access-Control-Max-Age":           utils.ConvertToStringPtr(maxAge),
+						"Vary":                             &middlewares.VaryHdr,
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				GetBucketCorsFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return tt.input.beRes.([]byte), tt.input.beErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.CORSOptions,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
--- a/s3api/middlewares/acl-parser.go
+++ b/s3api/middlewares/acl-parser.go
@@ -15,72 +15,45 @@
 package middlewares

 import (
-	"net/http"
-	"regexp"
-	"strings"
-
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
-	"github.com/versity/versitygw/s3api/controllers"
+	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
-	"github.com/versity/versitygw/s3log"
 )

-var (
-	singlePath = regexp.MustCompile(`^/[^/]+/?$`)
-)
-
-func AclParser(be backend.Backend, logger s3log.AuditLogger, readonly bool) fiber.Handler {
+// ParseAcl retreives the bucket acl and stores in the context locals
+// if no bucket is found, it returns 'NoSuchBucket'
+func ParseAcl(be backend.Backend) fiber.Handler {
 	return func(ctx *fiber.Ctx) error {
-		isRoot, acct := ctx.Locals("isRoot").(bool), ctx.Locals("account").(auth.Account)
-		path := ctx.Path()
-		pathParts := strings.Split(path, "/")
-		bucket := pathParts[1]
-		if path == "/" && ctx.Method() == http.MethodGet {
-			return ctx.Next()
-		}
-		if ctx.Method() == http.MethodPatch {
-			return ctx.Next()
-		}
-		if singlePath.MatchString(path) &&
-			ctx.Method() == http.MethodPut &&
-			!ctx.Request().URI().QueryArgs().Has("acl") &&
-			!ctx.Request().URI().QueryArgs().Has("tagging") &&
-			!ctx.Request().URI().QueryArgs().Has("versioning") &&
-			!ctx.Request().URI().QueryArgs().Has("policy") &&
-			!ctx.Request().URI().QueryArgs().Has("object-lock") &&
-			!ctx.Request().URI().QueryArgs().Has("ownershipControls") &&
-			!ctx.Request().URI().QueryArgs().Has("cors") {
-			if err := auth.MayCreateBucket(acct, isRoot); err != nil {
-				return controllers.SendXMLResponse(ctx, nil, err, &controllers.MetaOpts{Logger: logger, Action: "CreateBucket"})
-			}
-			if readonly {
-				return controllers.SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrAccessDenied),
-					&controllers.MetaOpts{
-						Logger: logger,
-						Action: "CreateBucket",
-					})
-			}
-			return ctx.Next()
-		}
+		bucket := ctx.Params("bucket")
 		data, err := be.GetBucketAcl(ctx.Context(), &s3.GetBucketAclInput{Bucket: &bucket})
 		if err != nil {
-			return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger})
+			return err
 		}

 		parsedAcl, err := auth.ParseACL(data)
 		if err != nil {
-			return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger})
+			return err
 		}

 		// if owner is not set, set default owner to root account
 		if parsedAcl.Owner == "" {
-			parsedAcl.Owner = ctx.Locals("rootAccess").(string)
+			parsedAcl.Owner = utils.ContextKeyRootAccessKey.Get(ctx).(string)
 		}

-		ctx.Locals("parsedAcl", parsedAcl)
-		return ctx.Next()
+		// if expected bucket owner doesn't match the bucket owner
+		// the gateway should return AccessDenied.
+		// This header appears in all actions except 'CreateBucket' and 'ListBuckets'.
+		// 'ParseACL' is also applied to all actions except for 'CreateBucket' and 'ListBuckets',
+		// so it's a perfect place to check the expected bucket owner
+		bucketOwner := ctx.Get("X-Amz-Expected-Bucket-Owner")
+		if bucketOwner != "" && bucketOwner != parsedAcl.Owner {
+			return s3err.GetAPIError(s3err.ErrAccessDenied)
+		}
+
+		utils.ContextKeyParsedAcl.Set(ctx, parsedAcl)
+		return nil
 	}
 }
--- a/Show More
+++ b/Show More