Re: [I] STS inline policy includes KMS actions even when KMS is not configured [polaris]

Mon, 19 Jan 2026 19:44:31 -0800 


MonkeyCanCode commented on issue #3440:
URL: https://github.com/apache/polaris/issues/3440#issuecomment-3770899731

   hi @netapp-acheng, that is very good to know as that states the previous two 
fixes are fixing the issues you are facing. Now back to the above, the current 
code base is using following:
   ```
       boolean isAwsS3 = region != null && accountId != null;
   
       // Nothing to do if no keys are configured and not AWS S3
       if (!hasCurrentKey && !hasAllowedKeys && !isAwsS3) {
         return;
       }
   
       IamStatement.Builder allowKms = buildBaseKmsStatement(canWrite);
   
       if (hasCurrentKey) {
         addKmsKeyResource(kmsKeyArn, allowKms);
       }
   
       if (hasAllowedKeys) {
         addAllowedKmsKeyResources(allowedKmsKeys, allowKms);
       }
   ```
   
   with above snippet and what you shared above, this is telling me u are not 
getting the first return clause and landed on the following statement which is 
what is adding the RO IAM policy:
   ```
   IamStatement.Builder allowKms = buildBaseKmsStatement(canWrite);
   ```
   
   This means, you must have region and account id set (with current code base, 
we only do no KMS policy if keys are not being configured and not an AWS S3. 
This is done with prior code which is outside the scope of two fixes I added:
   ```
       // Only add wildcard KMS access for read-only operations on AWS S3 when 
no specific keys are
       // configured. This does not apply to services like Minio where region 
and accountId are not
       // available.
   ```
   
   The current code is not expected region and accountid to be set when using 
non-AWS S3-compatible storage. Do you mind check if this can be remove from 
your end? If case if we need to relax this check, we may need more discussion 
on this with the dev team as well as the original contributor for this code 
snippet. Also, as @dimas-b pointed out, the two fixes I added belongs to two 
different problems which I will need to split them into different PRs before we 
can merge them. @dimas-b what do you think? Should we relax the check?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to