diff --git a/weed/s3api/chunked_reader_v4.go b/weed/s3api/chunked_reader_v4.go
index b163ec2f6..ec26f693a 100644
--- a/weed/s3api/chunked_reader_v4.go
+++ b/weed/s3api/chunked_reader_v4.go
@@ -85,11 +85,17 @@ func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (cr
 return nil, "", "", time.Time{}, errCode
 }
 // Verify if the access key id matches.
- _, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
+ identity, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
 if !found {
 return nil, "", "", time.Time{}, s3err.ErrInvalidAccessKeyID
 }
+ bucket, _ := getBucketAndObject(r)
+ if !identity.canDo("Write", bucket) {
+ errCode = s3err.ErrAccessDenied
+ return
+ }
+
 // Verify if region is valid.
 region = signV4Values.Credential.scope.region
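Review bot: The new denial path ends in a bare `return` after `errCode = s3err.ErrAccessDenied`, while the other failures in this hunk return explicit zero values; if `cred` is one of the named results (the signature is cut off at `(cr`), the `:=` on the lookup line has already filled it, so the caller would receive the looked-up credential together with the denial. Prefer `return nil, "", "", time.Time{}, s3err.ErrAccessDenied` to match the neighbouring returns. The `canDo` check also appears to run before the request signature has been verified (the rest of the function is outside the hunk), so a request that merely names a known access key id could learn from the response whether that key has write access to the bucket; consider moving the check after signature verification. The second result of `getBucketAndObject(r)` is discarded, so the decision is bucket-wide, which deserves a comment such as `// authorization is bucket-scoped; the object key is intentionally ignored` if that is the intent.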