dimas-b commented on code in PR #3327:
URL: https://github.com/apache/polaris/pull/3327#discussion_r2653359655
##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -366,4 +388,67 @@ private static String arnPrefixForPartition(String
awsPartition) {
}
return path;
}
+
+ /**
+ * Builds a list of AWS STS session tags from the credential vending context
and principal name.
+ * These tags will appear in CloudTrail events for correlation purposes.
+ *
+ * @param principalName the name of the principal requesting credentials
+ * @param context the credential vending context containing catalog,
namespace, table, and roles
+ * @return a list of STS Tags to attach to the AssumeRole request
+ */
+ private List<Tag> buildSessionTags(String principalName,
CredentialVendingContext context) {
+ List<Tag> tags = new ArrayList<>();
+
+ // Always include all tags with "unknown" placeholder for missing values
+ // This ensures consistent tag presence in CloudTrail for correlation
+ tags.add(
+ Tag.builder()
+ .key(CredentialVendingContext.TAG_KEY_PRINCIPAL)
+ .value(truncateTagValue(principalName))
+ .build());
+ tags.add(
+ Tag.builder()
+ .key(CredentialVendingContext.TAG_KEY_CATALOG)
+ .value(truncateTagValue(context.catalogName().orElse(null)))
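Review bot: At `.value(truncateTagValue(context.catalogName().orElse(null)))`, the "unknown" placeholder promised by the comment above is not visible at the call site: the Optional is unwrapped to null and the substitution is left to a helper whose name only suggests truncation. Consider making the default explicit here, for example `.orElse("unknown")` backed by a shared constant, or renaming the helper and stating its null handling in its Javadoc, so that someone auditing which values reach CloudTrail does not have to open the helper to confirm that a missing catalog name cannot produce a null tag value. The same question applies to `principalName`, which is passed straight to `truncateTagValue` with no indication of whether null is expected.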
Review Comment:
Thanks for the explanation! I did miss the conversion to `unknown` in
`truncateTagValue` :facepalm: but the new code is clear on that aspect :+1: