michal-kuzak opened a new issue, #3038:
URL: https://github.com/apache/polaris/issues/3038
### Is your feature request related to a problem? Please describe.
Polaris currently supports S3 access via STS AssumeRole (role ARN + optional
external ID). Please add first‑class support for STS AssumeRoleWithWebIdentity
(ARWI). Many enterprise S3‑compatible object stores deployed on‑prem rely on
OIDC federation and expose an STS endpoint that accepts ARWI, rather than
operating a native IAM service. Examples include Pure Storage FlashBlade, or
Dell S3 storage among others. Adding ARWI unlocks secure, short‑lived,
IdP‑federated access to S3‑compatible stores without long‑lived keys.
On‑prem S3 providers often delegate authentication to external IdPs (Okta,
Microsoft Entra ID, etc.) and expect clients to obtain credentials via
AssumeRoleWithWebIdentity to their STS endpoint. Polaris today documents
role‑arn/region/external‑id and custom S3/STS endpoints, but not ARWI.
Supporting ARWI would let Polaris run in OIDC‑first environments (Kubernetes,
corporate SSO) and still vend short‑lived credentials to engines.
### Describe the solution you'd like
Add a storage auth selector for S3 catalogs, e.g. stsAuthMethod with values:
- assumeRole (current default/behavior)
- webIdentity (new)
When stsAuthMethod=webIdentity:
- Use AWS SDK’s ARWI credentials provider (e.g.,
  StsAssumeRoleWithWebIdentity… in AWS SDK v2) against the configured
  sts-endpoint (already supported).
  ([polaris.incubator.apache.org](https://polaris.incubator.apache.org/in-dev/unreleased/command-line-interface/?utm_source=openai))
- Accept inputs via CLI and REST model:
  - role-arn (unchanged)
  - role-session-name (optional)
  - web-identity-token-file (path to OIDC/JWT file)
  - region (optional; also allow via env)
  - sts-endpoint (already documented)
### Describe alternatives you've considered
_No response_
### Additional context
Default remains stsAuthMethod=assumeRole; existing catalogs and clients are
unaffected.
IMPLICIT mode continues to work; ARWI simply adds another supported path to
obtain base credentials.
Ref:
- https://support.purestorage.com/bundle/FlashBlade_Admin_Guide_4.6.4/resource/FlashBlade_Admin_Guide_4.6.4.pdf (p.462)
- https://support.purestorage.com/bundle/m_purityfb_rest_api/page/FlashBlade/Purity_FB/PurityFB_REST_API/S3_Object_Store_REST_API/topics/concept/c_flashblade_object_store_documentation_s3_api.html
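As an added illustration of the selector proposed above (example code, not Polaris code and not the AWS SDK v2 provider the issue names), the following uses boto3 to map the proposed `stsAuthMethod` / `role-arn` / `external-id` / `role-session-name` / `web-identity-token-file` / `sts-endpoint` inputs onto STS AssumeRole or AssumeRoleWithWebIdentity against a custom endpoint. The config keys, ARN, token path and endpoint are hypothetical placeholders; the token is read from the file at call time because projected OIDC tokens rotate.

```python
import os
import re

# Constructed sample of the proposed config; keys follow the issue, values are placeholders.
SAMPLE_WEB_IDENTITY_CONFIG = {
    "stsAuthMethod": "webIdentity",
    "role-arn": "arn:aws:iam::123456789012:role/polaris-vendor",
    "role-session-name": "polaris-catalog",
    "web-identity-token-file": "/var/run/secrets/tokens/polaris-oidc",
    "sts-endpoint": "https://sts.onprem.example.internal",
}
# header.payload.signature, all three base64url segments non-empty
_JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

def validate_token(token):
    """Reject anything that is not JWT-shaped before it reaches the STS call."""
    token = token.strip()
    if not _JWT_RE.match(token):
        raise ValueError("web identity token file does not contain a JWT")
    return token

def read_web_identity_token(path):
    """Read at call time: projected tokens rotate, so never cache or log them."""
    with open(path, "r", encoding="utf-8") as f:
        return validate_token(f.read())

def build_sts_request(config, token_reader=read_web_identity_token):
    """Map the config keys to a boto3 STS operation name and its parameters."""
    method = config.get("stsAuthMethod", "assumeRole")  # assumeRole stays the default
    params = {
        "RoleArn": config["role-arn"],
        "RoleSessionName": config.get("role-session-name", "polaris"),
        "DurationSeconds": 3600,  # short-lived by design
    }
    if method == "assumeRole":
        if config.get("external-id"):
            params["ExternalId"] = config["external-id"]
        return "assume_role", params
    if method == "webIdentity":
        params["WebIdentityToken"] = token_reader(config["web-identity-token-file"])
        return "assume_role_with_web_identity", params
    raise ValueError(f"unknown stsAuthMethod: {method}")

def vend_credentials(config, token_reader=read_web_identity_token):
    """Call the configured sts-endpoint (assumes boto3 and network access)."""
    import boto3  # imported here so the offline helpers above load without it
    op, params = build_sts_request(config, token_reader)
    client = boto3.client("sts", endpoint_url=config.get("sts-endpoint"),
                          region_name=config.get("region") or os.environ.get("AWS_REGION"))
    return getattr(client, op)(**params)["Credentials"]
```

AssumeRoleWithWebIdentity is an unsigned STS call, so no base AWS credentials are needed for the `webIdentity` path; the `assumeRole` path still requires caller credentials from the usual boto3 chain.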