singhpk234 commented on code in PR #3330:
URL: https://github.com/apache/polaris/pull/3330#discussion_r2651545555
##########
client/python/apache_polaris/cli/constants.py:
##########
@@ -258,6 +260,12 @@ class Create:
"(Only for S3) Indicates that Polaris should not use STS (e.g.
if STS is not available)"
)
PATH_STYLE_ACCESS = "(Only for S3) Whether to use
path-style-access for S3"
+ KMS_KEY_CURRENT = (
+ "(Only for AWS S3) The AWS KMS key ARN to be used for
encrypting new S3 data"
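Review bot: the new KMS_KEY_CURRENT help string is prefixed "(Only for AWS S3)" while the neighbouring options in this hunk use "(Only for S3)"; pick one prefix so the CLI help reads consistently. The string also says the key is used "for encrypting new S3 data" without saying whether reading that data back relies on the same key, which is the point the review discussion turns on; consider stating the intended read/write scope of the key in the help text.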
Review Comment:
> Polaris does not use KMS keys directly.

Wouldn't we be needing this for encrypting / decrypting metadata.json?

> additional keys are also allowed to be used because they might be required for dealing with old files

I agree with additional keys, but my question was why would Polaris vend creds for old KMS keys for encrypting. Files are immutable, so old keys should be vended for decrypt; similarly, the new key should have encrypt / decrypt.

Do we vend creds for encryption and decrypting for all keys in our STS policy?
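The least-privilege split the comment asks about, as an added example that is not code from the PR or from Polaris: the hypothetical helper `build_kms_statements` gives the current key write and read actions and every other key decrypt only. The ARNs are constructed placeholders, and the action mapping assumes S3 SSE-KMS, where reads call `kms:Decrypt` and writes call `kms:GenerateDataKey`.

```python
import json
import re

# Constructed sample ARNs (placeholder account and key ids), not taken from the PR.
CURRENT_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"
OLD_KEY = "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"

_KMS_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")

# S3 SSE-KMS: reading an object needs kms:Decrypt, writing needs kms:GenerateDataKey.
READ_ACTIONS = ["kms:Decrypt"]
WRITE_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt"]


def build_kms_statements(current_key, allowed_keys=(), read_only=False):
    """Hypothetical helper: KMS statements for a vended-credential session policy."""
    keys = ([current_key] if current_key else []) + list(allowed_keys)
    for arn in keys:
        if not _KMS_ARN.match(arn):
            # Reject wildcards and aliases so the policy cannot widen silently.
            raise ValueError(f"not a KMS key ARN: {arn!r}")
    # Older keys are decrypt-only; drop the current key if it was listed twice.
    old = sorted(set(allowed_keys) - {current_key})
    statements = []
    if current_key:
        statements.append({"Sid": "CurrentKey", "Effect": "Allow",
                           "Action": READ_ACTIONS if read_only else WRITE_ACTIONS,
                           "Resource": [current_key]})
    if old:
        statements.append({"Sid": "OldKeysDecryptOnly", "Effect": "Allow",
                           "Action": READ_ACTIONS, "Resource": old})
    return statements


def can(statements, action, key_arn):
    """Tiny evaluator for the Allow statements built above (exact match only)."""
    return any(action in s["Action"] and key_arn in s["Resource"] for s in statements)


if __name__ == "__main__":
    policy = {"Version": "2012-10-17",
              "Statement": build_kms_statements(CURRENT_KEY, [OLD_KEY, CURRENT_KEY])}
    print(json.dumps(policy, indent=2))
```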