obelix74 commented on code in PR #3327:
URL: https://github.com/apache/polaris/pull/3327#discussion_r2652092657


##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -366,4 +388,67 @@ private static String arnPrefixForPartition(String 
awsPartition) {
     }
     return path;
   }
+
+  /**
+   * Builds a list of AWS STS session tags from the credential vending context 
and principal name.
+   * These tags will appear in CloudTrail events for correlation purposes.
+   *
+   * @param principalName the name of the principal requesting credentials
+   * @param context the credential vending context containing catalog, 
namespace, table, and roles
+   * @return a list of STS Tags to attach to the AssumeRole request
+   */
+  private List<Tag> buildSessionTags(String principalName, 
CredentialVendingContext context) {
+    List<Tag> tags = new ArrayList<>();
+
+    // Always include all tags with "unknown" placeholder for missing values
+    // This ensures consistent tag presence in CloudTrail for correlation
+    tags.add(
+        Tag.builder()
+            .key(CredentialVendingContext.TAG_KEY_PRINCIPAL)
+            .value(truncateTagValue(principalName))
+            .build());
+    tags.add(
+        Tag.builder()
+            .key(CredentialVendingContext.TAG_KEY_CATALOG)
+            .value(truncateTagValue(context.catalogName().orElse(null)))
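Review bot: In the catalog tag, `.orElse(null)` passes a null into `truncateTagValue`, so the "unknown" placeholder promised by the comment above the first `tags.add(` depends entirely on that helper; the principal tag relies on the same hidden behaviour if `principalName` is ever null. Make the fallback visible at the call site, for example `context.catalogName().orElse("unknown")` or a named constant, or state in the Javadoc that `truncateTagValue` maps null to the placeholder. Principal and catalog names are caller-supplied, and STS restricts session tag values to a limited character set as well as a maximum length, so confirm the helper validates or normalises characters and does not only truncate; otherwise a single unusual name can make the AssumeRole request fail.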

Review Comment:
   Pros:
   
   * Consistent tag presence in CloudTrail makes querying/filtering easier
   * You can always filter by tag key without worrying about missing tags
   * Makes it clear the tag was intentionally set vs. accidentally omitted
   
   Cons:
   
   * Slightly more data in CloudTrail events
   * "unknown" values might be confusing


