netapp-acheng opened a new issue, #3440:
URL: https://github.com/apache/polaris/issues/3440

   ### Describe the bug
   
   I asked the question in https://github.com/apache/polaris/discussions/3434 
and Dmitri B suggested that I report it as a bug.
   
   When creating a Polaris S3 catalog that uses STS/AssumeRole against a 
non‑AWS S3‑compatible platform, table creation fails with:
   `Invalid action: kms:GenerateDataKeyWithoutPlaintext`
   
   Debug logs show that Polaris generates an inline STS policy that contains 
KMS actions (e.g., kms:DescribeKey, kms:Decrypt, kms:GenerateDataKey, 
kms:GenerateDataKeyWithoutPlaintext) even when KMS is not configured for the 
catalog (i.e., allowedKmsKeys is empty). This appears to be a bug: if KMS is 
not configured, the IAM policy should not include KMS permissions.
   
   Polaris Version
   Server: 1.4.0-incubating-SNAPSHOT (local build under test)
   CLI: matching snapshot
   Quarkus: 3.28.2
   
   Environment
   Catalog type: INTERNAL
   Storage type: S3
   Endpoint: https://sgdemo.example.com 
   Region: us-east-1 (dummy value for S3‑compatible)
   STS endpoint: https://sgdemo.example.com
   Auth: STS/AssumeRole 
   
   Note: Creating catalogs and tables works with the --no-sts option in this 
same environment.
   
   ### To Reproduce
   
   Start Polaris server and authenticate the CLI.
   Create an S3 catalog with STS enabled:
   ```shell
   ./polaris --host localhost --port 8181 --realm POLARIS --client-id root \
     --client-secret <password> catalogs create sts_catalog --type INTERNAL \
     --storage-type s3 --default-base-location s3://sts-polaris \
     --endpoint https://sgdemo.example.com --region us-east-1 \
     --allowed-location s3://sts-polaris \
     --sts-endpoint https://sgdemo.example.com \
     --role-arn arn:aws:iam::<account-id>:role/assumerole
   ```
   
   The catalog created:
   ```json
   {
     "type": "INTERNAL",
     "name": "sts_catalog",
     "properties": {
       "default-base-location": "s3://sts-polaris"
     },
     "createTimestamp": 1766095794668,
     "lastUpdateTimestamp": 1766095794668,
     "entityVersion": 1,
     "storageConfigInfo": {
       "roleArn": "arn:aws:iam::123456789101112:role/assumerole",
       "allowedKmsKeys": [],
       "region": "us-east-1",
       "endpoint": "https://sgdemo.example.com/",
       "stsEndpoint": "https://sgdemo.example.com/",
       "stsUnavailable": false,
       "pathStyleAccess": false,
       "storageType": "S3",
       "allowedLocations": [
         "s3://sts-polaris"
       ]
     }
   }
   ```
   
   When I attempted to create a table in this catalog, I got this error:
   `SenderMalformedPolicyDocumentInvalid action: kms:GenerateDataKeyWithoutPlaintext1766170445858521`
   
   With Polaris debug on, I saw it send an AssumeRole request with this inline policy:
   ```json
   {
     "Effect": "Allow",
     "Action": [
       "kms:GenerateDataKeyWithoutPlaintext",
       "kms:DescribeKey",
       "kms:Decrypt",
       "kms:GenerateDataKey"
     ],
     "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*"
   }
   ```
   
   ### Actual Behavior
   
   The Polaris debug log shows it sends an AssumeRole request with this inline policy:
   ```json
   {
     "Effect": "Allow",
     "Action": [
       "kms:GenerateDataKeyWithoutPlaintext",
       "kms:DescribeKey",
       "kms:Decrypt",
       "kms:GenerateDataKey"
     ],
     "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*"
   }
   ```
   
   - Blocks table creation when using STS with S3‑compatible platforms lacking 
support for kms:GenerateDataKeyWithoutPlaintext.
   - Creates unnecessary coupling to KMS even when KMS is not configured for the 
catalog.
   
   
   ### Expected Behavior
   
   - If the catalog does not configure KMS (no allowedKmsKeys / no KMS settings), 
the generated STS inline policy should not include any `kms:*` actions.
   - For S3‑compatible deployments, generated policies should avoid non‑portable 
KMS actions (or gate them strictly behind explicit KMS configuration), to 
prevent hard failures.
   
   
   ### Additional context
   
   _No response_
   
   ### System information
   
   Linux: Debian 12
   Polaris Version
   Server: 1.4.0-incubating-SNAPSHOT (local build under test)
   CLI: matching snapshot
   Quarkus: 3.28.2
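The gating the report asks for, shown as an added example that is not Polaris's own policy builder: a hypothetical `build_inline_policy` that emits S3 statements for the allowed locations and adds the KMS statement only when `allowedKmsKeys` is non-empty, plus a `non_portable_actions` pre-flight check that a deployment against an S3-compatible endpoint can run over any session policy before it reaches AssumeRole. The S3 action list, the choice to scope the KMS `Resource` to the configured key ARNs rather than `key/*`, and the sample key ARN are assumptions of this example; the KMS action names are the ones from the debug log above.

```python
import json

# The four KMS actions that appeared in the issue's generated policy.
KMS_ACTIONS = [
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:GenerateDataKey",
]

# Constructed copy of the statement from the report's debug log, used to
# show the pre-flight check flagging it.
REPORTED_STATEMENT = json.loads("""
{ "Effect": "Allow",
  "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
              "kms:Decrypt", "kms:GenerateDataKey" ],
  "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*" }
""")


def _bucket_and_prefix(location):
    """Split 's3://bucket/prefix' into ('bucket', 'prefix'); prefix may be ''."""
    if not location.startswith("s3://"):
        raise ValueError(f"not an s3 location: {location}")
    bucket, _, prefix = location[len("s3://"):].partition("/")
    return bucket, prefix


def build_inline_policy(allowed_locations, allowed_kms_keys=()):
    """Hypothetical STS session-policy builder (not Polaris code).

    KMS permissions are gated on explicit KMS configuration: with no
    allowed KMS keys, the policy contains no kms:* action at all.
    """
    statements = []
    for location in allowed_locations:
        bucket, prefix = _bucket_and_prefix(location)
        bucket_arn = f"arn:aws:s3:::{bucket}"
        object_arn = f"{bucket_arn}/{prefix}*"  # prefix '' -> bucket/*
        statements.append({
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [object_arn],
        })
        statements.append({
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": [bucket_arn],
        })

    kms_keys = [key for key in allowed_kms_keys if key]
    if kms_keys:  # the gate: no configured keys, no KMS statement
        statements.append({
            "Effect": "Allow",
            "Action": list(KMS_ACTIONS),
            "Resource": kms_keys,  # scoped to the configured keys, not key/*
        })
    return {"Version": "2012-10-17", "Statement": statements}


def non_portable_actions(policy, service_prefixes=("kms:",)):
    """Return every action whose service an S3-compatible STS/IAM endpoint
    may reject. An empty list means the policy is safe to send."""
    found = []
    for statement in policy.get("Statement", []):
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if a.startswith(service_prefixes))
    return found


if __name__ == "__main__":
    portable = build_inline_policy(["s3://sts-polaris"])
    print("no KMS configured ->", non_portable_actions(portable))
    reported = {"Version": "2012-10-17", "Statement": [REPORTED_STATEMENT]}
    print("reported policy    ->", non_portable_actions(reported))
```

Running the module prints an empty list for the policy built without KMS keys and the four KMS actions for the statement copied from the report, which is exactly the condition a defender would want to block (or at least log) before the AssumeRole call against an endpoint that does not implement KMS.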

