netapp-acheng commented on issue #3440:
URL: https://github.com/apache/polaris/issues/3440#issuecomment-3770666737
I redid the test and the issue is partially resolved.
Here is a summary of the test.
Create table and insert data into the table: Polaris correctly uses the STS
temporary credentials with the AssumeRole action.
However, inserting data is still failing. It is back to the original issue regarding the
AssumeRole policy with KMS-related actions even when KMS is not configured for
the catalog.
Before the pr-3445 fix, during Iceberg write commit (e.g. Spark INSERT
INTO), Polaris sent this AssumeRole request:
{
  "Effect": "Allow",
  "Action": [
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*"
}
=================================
With your latest change in pr-3445 today, it removed some KMS-related
actions, but the 2 actions below still remain.
During Iceberg write commit (e.g. Spark INSERT INTO), Polaris sent this
AssumeRole request:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*"
    }
  ]
}
Expected solution summary:
Polaris should omit all KMS actions (kms:*) when:
• allowedKmsKeys is empty ([]), or
• KMS integration is not configured
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
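Worked example added here, not Polaris's code and not the commenter's: a small Python policy builder that shows the expected behaviour the comment asks for. It emits an STS session policy scoped to one table location and appends a KMS statement only when KMS integration is configured and allowedKmsKeys is non-empty; otherwise no kms:* action appears at all. It also includes a checker that lists any kms:* actions left in a policy, which is the condition to assert on in a regression test. The function names, the S3 actions chosen, the bucket, prefix and key ARN are all assumptions for illustration.

```python
"""Added example (not Polaris code): least-privilege STS session policy builder.

Assumptions made for illustration: the function names below, the set of S3
actions a table write needs, and the sample bucket/prefix/key ARN values.
"""
import json

# kms:* actions a write path could need when the table data is KMS-encrypted.
KMS_ACTIONS = [
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
]


def build_session_policy(bucket, table_prefix, kms_configured=False, allowed_kms_keys=()):
    """Return an IAM session policy (dict) for an AssumeRole call.

    The KMS statement is included only when BOTH conditions hold:
      * KMS integration is configured for the catalog, and
      * the allowed key list is non-empty.
    Its Resource is the explicit list of allowed key ARNs, not a key/* wildcard.
    """
    statements = [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringLike": {"s3:prefix": [f"{table_prefix}/*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{table_prefix}/*",
        },
    ]
    if kms_configured and allowed_kms_keys:
        statements.append(
            {
                "Effect": "Allow",
                "Action": list(KMS_ACTIONS),
                "Resource": list(allowed_kms_keys),
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def kms_actions_in(policy):
    """Return the set of kms:* actions granted anywhere in the policy.

    This is the check the comment asks for: with no KMS configured the result
    must be empty. Handles Action given as a single string or as a list.
    """
    found = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.update(a for a in actions if a.lower().startswith("kms:"))
    return found


if __name__ == "__main__":
    # Constructed sample inputs; the account id in the key ARN is a placeholder.
    no_kms = build_session_policy("warehouse-bucket", "db/table")
    with_kms = build_session_policy(
        "warehouse-bucket",
        "db/table",
        kms_configured=True,
        allowed_kms_keys=("arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID",),
    )
    print("KMS not configured ->", sorted(kms_actions_in(no_kms)))   # []
    print("KMS configured     ->", sorted(kms_actions_in(with_kms)))
    print(json.dumps(no_kms, indent=2))
```

The important design point is that the decision is made once, before any KMS statement is assembled, rather than by filtering individual actions out of a template policy; filtering is how two actions survive when the removal list is incomplete. A test that asserts `kms_actions_in(policy) == set()` for the unconfigured case catches that class of regression directly.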