Hi Dmitry,

Thanks again. Sorry, I’m in endless meetings at work, so I’ve been unable to attend the weekly syncs. These are often customer / partner meetings.
I’ve addressed all the comments. I hope I’ve addressed the testing concerns Adnan had as well. If I missed something, please post a comment in the PR and / or tag me in Slack.

________________________________
From: Anand Kumar Sankaran via dev <[email protected]>
Sent: Thursday, 11 June 2026 09:20:48
To: Polaris Dev Mailing List <[email protected]>
Cc: Anand Kumar Sankaran <[email protected]>
Subject: GCP counterpart to AWS STS session tags

https://urldefense.com/v3/__https://github.com/apache/polaris/issues/4706__;!!Iz9xO38YGHZK!6xLhQWuslJHADOTEpFgl4Z_iLhcDF6eW3qLENHFnIaalnp1V2PzeWXPPTqemWU5_e4w9aY0ebPuqkx5JrSNJZQ$
https://urldefense.com/v3/__https://github.com/apache/polaris/pull/4707__;!!Iz9xO38YGHZK!6xLhQWuslJHADOTEpFgl4Z_iLhcDF6eW3qLENHFnIaalnp1V2PzeWXPPTqemWU5_e4w9aY0ebPuqkx4vd5uy8Q$

Polaris can correlate vended-credential data access back to the catalog operation that issued the credentials on AWS — via SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL, which stamps polaris:principal, polaris:realm, polaris:catalog, etc. as AWS STS session tags that then appear in CloudTrail S3 data events.

There is no equivalent on GCP. GCS Data Access audit logs cannot today be tied to the Polaris principal that requested the credential, which breaks audit correlation, chargeback/attribution, and incident response for GCS-backed catalogs.

This issue and PR provide a way to achieve similar correlation using WIFs in GCP.

Please review.

- Anand
