diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 5b5075d78..6a7d83919 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -320,6 +320,7 @@ func (identity *Identity) canDo(action Action, bucket string, objectKey string)
 return false
 }
 target := string(action) + ":" + bucket + objectKey
+ adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
 limitedByBucket := string(action) + ":" + bucket
 adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
 for _, a := range identity.Actions {
@@ -328,6 +329,9 @@ func (identity *Identity) canDo(action Action, bucket string, objectKey string)
 if strings.HasPrefix(target, act[:len(act)-1]) {
 return true
 }
+ if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
+ return true
+ }
 } else {
 if act == limitedByBucket {
 return true
diff --git a/weed/s3api/auth_credentials_test.go b/weed/s3api/auth_credentials_test.go
index 94479b4f5..4545d13bc 100644
--- a/weed/s3api/auth_credentials_test.go
+++ b/weed/s3api/auth_credentials_test.go
@@ -115,4 +115,14 @@ func TestCanDo(t *testing.T) {
 assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
 assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
+ // admin buckets
+ ident5 := &Identity{
+ Name: "anything",
+ Actions: []Action{
+ "Admin:special_*",
+ },
+ }
+ assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
+ assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
+ }
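Review bot: In the second hunk of auth_credentials.go, the added `strings.HasPrefix(adminTarget, act[:len(act)-1])` check turns a wildcard Admin grant into a raw string prefix over `s3_constants.ACTION_ADMIN + ":" + bucket + objectKey`, and nothing in the hunk documents how far that reaches. Because the bucket name and the key are concatenated with no boundary, a grant such as `Admin:special_*` confers every action on every bucket whose name begins with `special_`, including buckets created later. I would put a comment above the check, e.g. `// Admin wildcard: plain prefix over bucket+objectKey; it implies every action on every bucket and key sharing that prefix.`, and compute `prefix := act[:len(act)-1]` once for both comparisons. The loop header and the condition guarding this branch are outside the hunk, so the branch is assumed to run only for actions ending in `*`.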
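Review bot: The new `ident5` case in TestCanDo (auth_credentials_test.go) asserts only requests that must be allowed, so the test would still pass if the Admin wildcard matched every bucket. The `ident4` lines just above pair their allow case with a deny on `bucket1`, and the same pairing is needed here: `assert.Equal(t, false, ident5.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))`. For an authorization check the deny path is the one that catches an over-broad grant, so it should be pinned alongside the allow path.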