jbonofre opened a new issue, #480: URL: https://github.com/apache/polaris/issues/480
### Is this a possible security vulnerability?

- [X] This is NOT a possible security vulnerability

### Describe the bug

When using Polaris with S3 (without KMS), everything is working fine (I can create an Iceberg table from spark-sql on Polaris). However, when I enable S3 KMS, I get:

```
ServerError: S3Exception: User: arn:aws:sts::601864557682:assumed-role/cep-analytics-platform-role-dev-polaris-catalog/snowflake is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:eu-west-1:601864557682:key/401edca7-d545-4907-9c9f-2695305beb5e because no session policy allows the kms:GenerateDataKey action (Service: S3, Status Code: 403, Request ID: C0MA61C4VYNS88CP, Extended Request ID: ZboVDdn8eh4YBIjMUbG8X6fDT4oq6OFFqDcq/dKbVsrNDGW3IIhojELznwkyWhMDmSxO376I5o0=)
```

It seems that we have a missing security configuration to use with KMS.

### To Reproduce

Just use S3 KMS with Polaris.

### Actual Behavior

It works fine without KMS, but fails with S3 KMS enabled:

```
ServerError: S3Exception: User: arn:aws:sts::601864557682:assumed-role/cep-analytics-platform-role-dev-polaris-catalog/snowflake is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:eu-west-1:601864557682:key/401edca7-d545-4907-9c9f-2695305beb5e because no session policy allows the kms:GenerateDataKey action (Service: S3, Status Code: 403, Request ID: C0MA61C4VYNS88CP, Extended Request ID: ZboVDdn8eh4YBIjMUbG8X6fDT4oq6OFFqDcq/dKbVsrNDGW3IIhojELznwkyWhMDmSxO376I5o0=)
```

### Expected Behavior

_No response_

### Additional context

_No response_

### System information

_No response_
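The error above says the STS session policy attached to the vended credentials never grants `kms:GenerateDataKey` on the key, so an SSE-KMS write is refused even though the S3 permissions themselves are fine. The following is an added example (not Polaris code) that checks a session policy document for the KMS actions an SSE-KMS bucket needs; the policy documents, bucket and key ARNs are constructed placeholders, and the matching is a deliberately simplified model of IAM evaluation (Allow/Deny with `*` wildcards only, no conditions).

```python
"""Check whether an STS session policy covers the KMS actions SSE-KMS needs.
Added example, not Polaris code. ARNs and policies are constructed placeholders."""
import fnmatch
import json

# Constructed placeholder ARNs (not the account or key from the report).
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
BUCKET_ARN = "arn:aws:s3:::example-polaris-bucket"
S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]

# Session policy scoped only to S3: fine for a plain bucket, but every write to
# an SSE-KMS bucket fails with 403 on kms:GenerateDataKey, as in the report.
S3_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": S3_ACTIONS, "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]})

# Corrected policy: a second statement grants the KMS actions, scoped to the
# one key the bucket uses rather than to kms:* or Resource "*".
S3_KMS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": S3_ACTIONS, "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY_ARN}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM action names are case-insensitive; resource ARNs are not. "*" and "?" are wildcards.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_allows(policy_json, action, resource):
    """True if some Allow statement covers (action, resource) and no Deny statement does."""
    allowed = False
    for stmt in json.loads(policy_json).get("Statement", []):
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_insensitive=False):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_kms_actions(policy_json, key_arn):
    """Return the SSE-KMS actions (write needs GenerateDataKey, read needs Decrypt) not granted on key_arn."""
    return [a for a in ("kms:GenerateDataKey", "kms:Decrypt") if not policy_allows(policy_json, a, key_arn)]
```

Running `missing_kms_actions` on the session policy a catalog vends is a quick way to confirm whether a 403 like the one above is a policy gap before looking at the key policy or the role's identity policy.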
