Hi Sung, Adnan,

It looks like Anand made changes according to the previous reviews. Do you have any more comments?

Thanks,
Dmitri.

On Tue, Jun 16, 2026 at 10:32 PM Sung Yun <[email protected]> wrote:

> Hi Dmitri, thanks for raising the call for review. And thanks Anand for
> working on this PR!
>
> I took a look, and I added a clarifying question on whether realm
> is the right level to introduce the feature flag.
>
> Sung
>
> On 2026/06/16 01:47:05 Dmitri Bourlatchkov wrote:
> > Hi All,
> >
> > I approved PR 4707 in GH.
> >
> > Any concerns / volunteers for additional review before merging?
> >
> > Thanks,
> > Dmitri.
> >
> > On Thu, Jun 11, 2026 at 12:22 PM Anand Kumar Sankaran via dev <
> > [email protected]> wrote:
> >
> > > https://github.com/apache/polaris/issues/4706
> > >
> > > https://github.com/apache/polaris/pull/4707
> > >
> > > Polaris can correlate vended-credential data access back to the catalog
> > > operation that issued the credentials on AWS — via
> > > SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL, which stamps polaris:principal,
> > > polaris:realm, polaris:catalog, etc. as AWS STS session tags that then
> > > appear in CloudTrail S3 data events. There is no equivalent on GCP. GCS
> > > Data Access audit logs cannot today be tied to the Polaris principal that
> > > requested the credential, which breaks audit correlation,
> > > chargeback/attribution, and incident response for GCS-backed catalogs.
> > >
> > > This issue and PR provide a way to achieve similar correlation using WIFs
> > > in GCP.
> > >
> > > Please review.
> > >
> > > -
> > > Anand
