Hi Dmitri,

That's an excellent idea, and I went ahead and created a PR that
generates documentation for vended credentials automatically. These
are sourced directly from the StorageAccessProperty enum constants:

https://github.com/apache/polaris/pull/5070

While working on this, I realized that we probably have a spurious
credential being vended: "expiration-time". To my best knowledge, this
does not correspond to any known credential, and is redundant with
other expiration-time properties, like
"s3.session-token-expires-at-ms", "gcs.oauth2.token-expires-at" and
"adls.sas-token-expires-at-ms". I removed that property.

Thanks,
Alex

On Wed, Jul 8, 2026 at 5:27 AM Dmitri Bourlatchkov <[email protected]> wrote:
>
> Hi All,
>
> Following up on the discussion in PR about ADLS and PyIceberg [1].
>
> Apparently, there is no specification to define common property names for
> vended credentials. Various clients seem to have different expectations.
>
> I wonder if it might be worth starting a doc page in Polaris to enumerate
> at least what Polaris will vend for each supported storage type.
>
> WDYT?
>
> [1] https://github.com/apache/polaris/pull/4991#issuecomment-4910638048
>
> Thanks,
> Dmitri.

Reply via email to