collado-mike commented on code in PR #2802:
URL: https://github.com/apache/polaris/pull/2802#discussion_r2429990328


##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -242,6 +244,21 @@ private IamPolicy policyString(
     return 
policyBuilder.addStatement(allowGetObjectStatementBuilder.build()).build();
   }
 
+  private static void addKmsKeyPolicy(String kmsKeyArn, IamPolicy.Builder 
policyBuilder) {
+    if (kmsKeyArn != null) {
+      IamStatement.Builder allowKms =
+          IamStatement.builder()
+              .effect(IamEffect.ALLOW)
+              .addAction("kms:GenerateDataKeyWithoutPlaintext")
+              .addAction("kms:Encrypt")
+              .addAction("kms:DescribeKey")
+              .addAction("kms:Decrypt")
+              .addAction("kms:GenerateDataKey");
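Review bot: the statement built in addKmsKeyPolicy grants kms:Decrypt, kms:Encrypt, kms:GenerateDataKey and kms:GenerateDataKeyWithoutPlaintext with no Condition visible in this hunk, so even once it is scoped to kmsKeyArn it lets the vended credentials use the key for any object that key encrypts, not only the catalog's own paths. Consider adding a StringLike condition on `kms:EncryptionContext:aws:s3:arn` for the allowed bucket prefixes (S3 sets that context from the object ARN automatically, so nothing is required from the caller) and a `kms:ViaService` condition for S3, and a comment explaining why kms:Encrypt and kms:GenerateDataKeyWithoutPlaintext are needed, since S3 SSE-KMS is documented as calling only GenerateDataKey and Decrypt.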

Review Comment:
   No, I mean for SSE, the encryption context is always the path to the file. In our IAM policy statement, we can specify that the key can be used only to en/decrypt files in the encryption context pattern we specify - e.g., see https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html and https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html#encryption-context-authorization. The user doesn't need to specify this parameter - it's automatic.
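As an added illustration of the encryption-context authorization the comment points to (example code written here, not code from the PR or from Polaris): a Python sketch that builds a statement for one key with a `kms:EncryptionContext:aws:s3:arn` StringLike condition plus a `kms:ViaService` condition, and a toy evaluator showing how the context S3 attaches on its own decides whether the key may be used. The ARNs and region are constructed placeholders.

```python
import fnmatch

# Constructed sample values for this example (not taken from the PR).
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ALLOWED_OBJECTS = "arn:aws:s3:::example-bucket/warehouse/db1/*"
REGION = "us-east-1"


def kms_statement(kms_key_arn, allowed_object_arn_pattern, region):
    """Allow statement scoped to one key, usable only through S3 in one region,
    and only when the encryption context S3 attaches automatically
    (aws:s3:arn = the object's ARN) falls under the allowed prefix."""
    return {
        "Effect": "Allow",
        "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"],
        "Resource": kms_key_arn,
        "Condition": {
            "StringLike": {"kms:EncryptionContext:aws:s3:arn": allowed_object_arn_pattern},
            "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"},
        },
    }

def _request_value(condition_key, encryption_context, via_service):
    """Resolve a condition key against the request being evaluated."""
    if condition_key.startswith("kms:EncryptionContext:"):
        return encryption_context.get(condition_key[len("kms:EncryptionContext:"):])
    if condition_key == "kms:ViaService":
        return via_service
    return None

def statement_allows(stmt, key_arn, action, encryption_context, via_service=None):
    """Toy evaluator for just the operators used above, not a full IAM engine.
    IAM StringLike '*' matches any characters including '/', as fnmatch does."""
    if stmt["Effect"] != "Allow" or action not in stmt["Action"] or key_arn != stmt["Resource"]:
        return False
    cond = stmt.get("Condition", {})
    for key, pattern in cond.get("StringLike", {}).items():
        value = _request_value(key, encryption_context, via_service)
        if value is None or not fnmatch.fnmatchcase(value, pattern):
            return False
    for key, expected in cond.get("StringEquals", {}).items():
        if _request_value(key, encryption_context, via_service) != expected:
            return False
    return True

def s3_sse_kms_context(object_arn):
    """S3 fills this in itself on SSE-KMS calls; the caller does not supply it."""
    return {"aws:s3:arn": object_arn}
```

One caveat worth keeping in mind when writing the pattern: with S3 Bucket Keys enabled, the `aws:s3:arn` context value is the bucket ARN rather than the object ARN, so a per-prefix pattern will not match in that configuration.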



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.