adutra commented on code in PR #3170:
URL: https://github.com/apache/polaris/pull/3170#discussion_r2585136936
##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -90,35 +96,46 @@ public StorageAccessConfig getSubscopedCreds(
StorageAccessConfig.Builder accessConfig = StorageAccessConfig.builder();
if (shouldUseSts(storageConfig)) {
- AssumeRoleRequest.Builder request =
- AssumeRoleRequest.builder()
- .externalId(storageConfig.getExternalId())
- .roleArn(storageConfig.getRoleARN())
- .roleSessionName("PolarisAwsCredentialsStorageIntegration")
- .policy(
- policyString(
- storageConfig,
- allowListOperation,
- allowedReadLocations,
- allowedWriteLocations,
- region,
- accountId)
- .toJson())
- .durationSeconds(storageCredentialDurationSeconds);
- credentialsProvider.ifPresent(
- cp -> request.overrideConfiguration(b -> b.credentialsProvider(cp)));
@SuppressWarnings("resource")
// Note: stsClientProvider returns "thin" clients that do not need
closing
StsClient stsClient =
stsClientProvider.stsClient(StsDestination.of(storageConfig.getStsEndpointUri(),
region));
-
- AssumeRoleResponse response = stsClient.assumeRole(request.build());
- accessConfig.put(StorageAccessProperty.AWS_KEY_ID,
response.credentials().accessKeyId());
- accessConfig.put(
- StorageAccessProperty.AWS_SECRET_KEY,
response.credentials().secretAccessKey());
- accessConfig.put(StorageAccessProperty.AWS_TOKEN,
response.credentials().sessionToken());
- Optional.ofNullable(response.credentials().expiration())
+ Credentials credentials;
+ if (storageConfig.getUserTokenSTS()) {
+ AssumeRoleWithWebIdentityRequest.Builder request =
+ AssumeRoleWithWebIdentityRequest.builder()
+ .webIdentityToken(
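Review bot: the new `getUserTokenSTS()` branch should keep the subscoping that the removed `AssumeRoleRequest` applied, namely `.policy(policyString(storageConfig, allowListOperation, allowedReadLocations, allowedWriteLocations, region, accountId).toJson())` and `.durationSeconds(storageCredentialDurationSeconds)`; the visible `AssumeRoleWithWebIdentityRequest.builder()` chain ends at `.webIdentityToken(`, so if those calls are not attached further down, the returned credentials are bounded only by the role's permission policy instead of the allowed read/write locations. Separately, `AssumeRoleWithWebIdentity` has no `externalId` parameter, so the confused-deputy protection `.externalId(storageConfig.getExternalId())` provided on the `AssumeRole` path now rests entirely on the role trust policy's audience and subject conditions; a comment at the `if (storageConfig.getUserTokenSTS())` line stating that requirement would help operators configure the role correctly.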
Review Comment:
> I'm not sure I understand this part properly (I read through the email thread as well) - are we passing in the user's token directly to STS? If so, what type of token is this: a Polaris authN token or a WebIdentityToken?

It's the authenticated principal's OAuth2 access token, as provided by the authentication layer.

> how does STS translate between this token and an IAM trust policy enforcement - which should state which users are allowed to assume this role? And if such a translation does exist, where in Polaris is this logic?

The IAM role being assumed must have a pre-configured trust policy that explicitly trusts the IDP and potentially specifies conditions like the expected audience and subject of the token. The STS service is supposed to validate the signature and claims of the provided token against the registered IDP before issuing credentials.

> this seems to be breaking the general architecture of Polaris where Polaris serves as a trusted credential broker and clients are assumed to not be able to bypass Polaris in order to get storage credentials.

It's not that simple. The remote client may be in possession of valid OAuth2 credentials for WebIdentity, but you still need an STS client to issue the `AssumeRoleWithWebIdentityRequest`. The STS client requires its own credentials. If the remote client doesn't have those credentials, it cannot talk to STS.
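The trust policy the reply above describes, as an added illustration that is not part of the PR or of the Polaris project: a constructed IAM role trust policy that trusts a hypothetical OIDC provider (`idp.example.com`) and only lets tokens with the expected audience and subject assume the role. The account id, provider hostname, audience and subject values are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustTokensFromRegisteredIdp",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/idp.example.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "idp.example.com:aud": "<EXPECTED_AUDIENCE>",
          "idp.example.com:sub": "<ALLOWED_SUBJECT>"
        }
      }
    }
  ]
}
```

Without the `Condition` block, any token signed by the registered provider can assume the role, which is the broker-bypass concern raised in the quoted comment; the `aud` and `sub` conditions are what narrows the set of accepted tokens to the ones intended for this role.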