Re: [PR] Enforce that S3 credentials are vended when requested [polaris]

via GitHub Wed, 01 Oct 2025 16:40:59 -0700


HonahX commented on code in PR #2711:
URL: https://github.com/apache/polaris/pull/2711#discussion_r2396270160



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -70,19 +71,25 @@ public AwsCredentialsStorageIntegration(
 
   /** {@inheritDoc} */
   @Override
-  public AccessConfig getSubscopedCreds(
+  public AccessConfig getAccessConfig(
       @Nonnull RealmConfig realmConfig,
       boolean allowListOperation,
       @Nonnull Set<String> allowedReadLocations,
       @Nonnull Set<String> allowedWriteLocations,
-      Optional<String> refreshCredentialsEndpoint) {
+      Optional<String> refreshCredentialsEndpoint,
+      boolean credentialsRequired) {
     int storageCredentialDurationSeconds =
         realmConfig.getConfig(STORAGE_CREDENTIAL_DURATION_SECONDS);
     AwsStorageConfigurationInfo storageConfig = config();
     String region = storageConfig.getRegion();
     AccessConfig.Builder accessConfig = AccessConfig.builder();
 
-    if (shouldUseSts(storageConfig)) {
+    boolean shouldUseSts = shouldUseSts(storageConfig);
+    Preconditions.checkArgument(

Review Comment:
   Sorry to clarify, I think this is ok since 422 implies the same error will 
occur again if client retries, which is the current case. But in the PR 
description
   
   >  Add checks to AwsCredentialsStorageIntegration (leading to 400) that S3 
storage credentials are vended when requested.
   
   It says this check will lead to 400. So just point out in case it is 
intended to be 400 : )



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -70,19 +71,25 @@ public AwsCredentialsStorageIntegration(
 
   /** {@inheritDoc} */
   @Override
-  public AccessConfig getSubscopedCreds(
+  public AccessConfig getAccessConfig(
       @Nonnull RealmConfig realmConfig,
       boolean allowListOperation,
       @Nonnull Set<String> allowedReadLocations,
       @Nonnull Set<String> allowedWriteLocations,
-      Optional<String> refreshCredentialsEndpoint) {
+      Optional<String> refreshCredentialsEndpoint,
+      boolean credentialsRequired) {
     int storageCredentialDurationSeconds =
         realmConfig.getConfig(STORAGE_CREDENTIAL_DURATION_SECONDS);
     AwsStorageConfigurationInfo storageConfig = config();
     String region = storageConfig.getRegion();
     AccessConfig.Builder accessConfig = AccessConfig.builder();
 
-    if (shouldUseSts(storageConfig)) {
+    boolean shouldUseSts = shouldUseSts(storageConfig);
+    Preconditions.checkArgument(

Review Comment:
   Sorry to clarify, I think this is ok since 422 implies the same error will 
occur again if client retries, which is the current case. But in the PR 
description
   
   >  Add checks to AwsCredentialsStorageIntegration (leading to 400) that S3 
storage credentials are vended when requested.
   
   says this check will lead to 400. So just point out in case it is intended 
to be 400 : )



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Enforce that S3 credentials are vended when requested [polaris]

Reply via email to