GitHub user netapp-acheng created a discussion: assumerole inline policy kms:GenerateDataKey

I am testing Polaris with on-premise S3-compatible storage. I understand I can
use the --no-sts option to create a catalog without AWS AssumeRole. I want to
create a Polaris catalog with AWS AssumeRole.
These are the catalog details:
    {
      "type": "INTERNAL",
      "name": "sts_catalog",
      "properties": {
        "default-base-location": "s3://sts-polaris"
      },
      "createTimestamp": 1766095794668,
      "lastUpdateTimestamp": 1766095794668,
      "entityVersion": 1,
      "storageConfigInfo": {
        "roleArn": "arn:aws:iam::123456789101112:role/assumerole",
        "allowedKmsKeys": [],
        "region": "us-east-1",
        "endpoint": "https://sgdemo.example.com",
        "stsEndpoint": "https://sgdemo.example.com",
        "stsUnavailable": false,
        "pathStyleAccess": false,
        "storageType": "S3",
        "allowedLocations": [
          "s3://sts-polaris"
        ]
      }
    }

When I attempted to create a table in this catalog, I got this error:

    <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><Error><Type>Sender</Type><Code>MalformedPolicyDocument</Code><Message>Invalid action: kms:GenerateDataKeyWithoutPlaintext</Message></Error><RequestId>1766170445858521</RequestId></ErrorResponse>

Turning Polaris debug logging on, I saw it sent an AssumeRole request with this inline
policy:

    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*"
    }

Is there any option to skip the above inline policy, as the S3-compatible
storage I am testing does not support encryption using a KMS key? Or must I use
--no-sts when creating the catalog?

Thank you.  

GitHub link: https://github.com/apache/polaris/discussions/3434
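The post shows two things a defender cares about when a catalog vends credentials through AssumeRole: the session (inline) policy that scopes what the vended credentials may do, and the STS endpoint's rejection of an action it does not understand. The example below is added here and is not Polaris code; it illustrates, in plain Python, how a session policy can be derived from the catalog's `allowedLocations` and `allowedKmsKeys` so that a KMS statement appears only when keys are actually configured, how to pre-flight a policy against a hypothetical set of actions an S3-compatible STS endpoint accepts, and how to parse the `MalformedPolicyDocument` error body quoted above to recover the offending action. `S3_ONLY_ACTIONS` and `location_arns` are assumptions of the example; the config values and error body are constructed copies of what the post shows.

```python
from __future__ import annotations

import json
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed input: the catalog's storageConfigInfo from the post, trimmed to the
# fields the session policy depends on (account id and ARNs are the post's placeholders).
CATALOG_STORAGE_CONFIG = {
    "roleArn": "arn:aws:iam::123456789101112:role/assumerole",
    "allowedKmsKeys": [],
    "region": "us-east-1",
    "allowedLocations": ["s3://sts-polaris"],
}

# The KMS actions the AssumeRole inline policy in the post requested.
KMS_ACTIONS = [
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:GenerateDataKey",
]

# Hypothetical: the actions an S3-compatible STS endpoint without KMS support accepts.
S3_ONLY_ACTIONS = frozenset({
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:ListBucket", "s3:GetBucketLocation",
})


def location_arns(location: str) -> tuple[str, str]:
    """Map s3://bucket[/prefix] to (bucket ARN, object ARN pattern) for scoping."""
    if not location.startswith("s3://"):
        raise ValueError(f"not an s3 location: {location}")
    bucket, _, prefix = location[len("s3://"):].strip("/").partition("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    return bucket_arn, object_arn


def build_session_policy(cfg: dict) -> dict:
    """Least-privilege session policy: S3 access limited to allowedLocations, and a
    KMS statement only when the catalog lists keys (assumed behaviour, not Polaris's)."""
    bucket_arns, object_arns = [], []
    for loc in cfg["allowedLocations"]:
        bucket_arn, object_arn = location_arns(loc)
        bucket_arns.append(bucket_arn)
        object_arns.append(object_arn)
    statements = [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": object_arns},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": bucket_arns},
    ]
    if cfg.get("allowedKmsKeys"):
        # Scope KMS to the listed key ARNs rather than key/* for the whole account.
        statements.append({"Effect": "Allow",
                           "Action": list(KMS_ACTIONS),
                           "Resource": list(cfg["allowedKmsKeys"])})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_actions(policy: dict) -> set[str]:
    """Collect every action named in the policy (Action may be a string or a list)."""
    actions: set[str] = set()
    for stmt in policy["Statement"]:
        action = stmt["Action"]
        actions.update([action] if isinstance(action, str) else action)
    return actions


def unsupported_actions(policy: dict, supported: frozenset) -> list[str]:
    """Pre-flight check: actions the target STS endpoint would reject as invalid."""
    return sorted(policy_actions(policy) - supported)


def parse_sts_error(xml_text: str) -> tuple[str, Optional[str]]:
    """Extract (Code, offending action) from an STS ErrorResponse body."""
    root = ET.fromstring(xml_text)
    code = root.findtext("{*}Error/{*}Code") or ""
    message = root.findtext("{*}Error/{*}Message") or ""
    marker = "Invalid action:"
    action = message.split(marker, 1)[1].strip() if marker in message else None
    return code, action


# Constructed copy of the error body quoted in the post.
STS_ERROR_BODY = (
    '<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'
    "<Error><Type>Sender</Type><Code>MalformedPolicyDocument</Code>"
    "<Message>Invalid action: kms:GenerateDataKeyWithoutPlaintext</Message></Error>"
    "<RequestId>1766170445858521</RequestId></ErrorResponse>"
)

if __name__ == "__main__":
    policy = build_session_policy(CATALOG_STORAGE_CONFIG)
    print(json.dumps(policy, indent=2))
    print("unsupported:", unsupported_actions(policy, S3_ONLY_ACTIONS))
    print("sts error:", parse_sts_error(STS_ERROR_BODY))
```

With `allowedKmsKeys` empty, as in the post's catalog, the generated policy carries only S3 statements and passes the pre-flight check; adding a key ARN to `allowedKmsKeys` produces a KMS statement scoped to that key, and the same check then lists the four `kms:*` actions as ones the S3-only endpoint would reject, which is the condition the quoted `MalformedPolicyDocument` error reports.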
