tokoko commented on code in PR #3224:
URL: https://github.com/apache/polaris/pull/3224#discussion_r2604051277


##########
polaris-core/src/test/java/org/apache/polaris/service/storage/aws/AwsCredentialsStorageIntegrationTest.java:
##########
@@ -97,6 +124,54 @@ public void testGetSubscopedCreds(String scheme) {
                 true,
                 Set.of(warehouseDir + "/namespace/table"),
                 Set.of(warehouseDir + "/namespace/table"),
+                POLARIS_PRINCIPAL,
+                Optional.of("/namespace/table/credentials"));
+    assertThat(storageAccessConfig.credentials())
+        .isNotEmpty()
+        .containsEntry(StorageAccessProperty.AWS_TOKEN.getPropertyName(), 
"sess")
+        .containsEntry(StorageAccessProperty.AWS_KEY_ID.getPropertyName(), 
"accessKey")
+        .containsEntry(StorageAccessProperty.AWS_SECRET_KEY.getPropertyName(), 
"secretKey")
+        .containsEntry(
+            
StorageAccessProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS.getPropertyName(),
+            String.valueOf(EXPIRE_TIME.toEpochMilli()));
+    assertThat(storageAccessConfig.extraProperties())
+        .containsEntry(
+            
StorageAccessProperty.AWS_REFRESH_CREDENTIALS_ENDPOINT.getPropertyName(),
+            "/namespace/table/credentials");
+  }
+
+  @Test
+  public void testGetSubscopedCredsWithNameInclude() {
+    StsClient stsClient = Mockito.mock(StsClient.class);
+    String roleARN = "arn:aws:iam::012345678901:role/jdoe";
+    String externalId = "externalId";
+
+    Mockito.when(stsClient.assumeRole(Mockito.isA(AssumeRoleRequest.class)))
+        .thenAnswer(
+            invocation -> {
+              assertThat(invocation.getArguments()[0])
+                  .isInstanceOf(AssumeRoleRequest.class)
+                  
.asInstanceOf(InstanceOfAssertFactories.type(AssumeRoleRequest.class))
+                  .returns(externalId, AssumeRoleRequest::externalId)
+                  .returns(roleARN, AssumeRoleRequest::roleArn)
+                  .returns("polaris-test-principal", 
AssumeRoleRequest::roleSessionName);
+              return ASSUME_ROLE_RESPONSE;
+            });
+    String warehouseDir = "s3://bucket/path/to/warehouse";
+    StorageAccessConfig storageAccessConfig =
+        new AwsCredentialsStorageIntegration(
+                AwsStorageConfigurationInfo.builder()
+                    .addAllowedLocation(warehouseDir)
+                    .roleARN(roleARN)
+                    .externalId(externalId)
+                    .build(),
+                stsClient)
+            .getSubscopedCreds(
+                PRINCIPAL_INCLUDER_REALM_CONFIG,
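Review bot: The `AssumeRoleRequest::roleSessionName` assertion in `testGetSubscopedCredsWithNameInclude` only covers a principal name that is already a valid STS session name, so behaviour for other names is left unpinned. STS restricts `RoleSessionName` to 2–64 characters from `[\w+=,.@-]`. If the session name is built from the principal name, as the test name and `PRINCIPAL_INCLUDER_REALM_CONFIG` suggest, a name with spaces, slashes or excess length would either make `assumeRole` reject the request or, if sanitized, could map two principals to the same session name in CloudTrail. Consider a parameterized companion case over such names that asserts the exact resulting session name, unless that is already covered elsewhere. The expected literal `"polaris-test-principal"` would also be easier to follow if it were derived from `POLARIS_PRINCIPAL`; the test method continues past the end of this hunk.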

Review Comment:
   I did my best to make the purpose clearer


