Re: [PR] adding support to use a kms key for s3 buckets data encryption (AWS only) [polaris]

via GitHub Wed, 22 Oct 2025 08:02:51 -0700


dimas-b commented on code in PR #2802:
URL: https://github.com/apache/polaris/pull/2802#discussion_r2452413397



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -75,11 +80,15 @@ public AccessConfig getSubscopedCreds(
       boolean allowListOperation,
       @Nonnull Set<String> allowedReadLocations,
       @Nonnull Set<String> allowedWriteLocations,
-      Optional<String> refreshCredentialsEndpoint) {
+      Optional<String> refreshCredentialsEndpoint,
+      Map props) {
+    LOGGER.info("Getting subscoped creds props: {}", props);
+    String kmsKey = props.get("s3.sse.key") != null ? 
props.get("s3.sse.key").toString() : null;

Review Comment:
   Before we discuss `arnKeyAll` (and I do not have any objections there), I 
think we need to resolve the conceptual issue of using metadata properties for 
generating `AccessConfig`. Polaris may need `AccessConfig` in order to read 
metadata JSON files (which have table properties)... How can this work in 
principle?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] adding support to use a kms key for s3 buckets data encryption (AWS only) [polaris]

Reply via email to