GitHub user dimas-b added a comment to the discussion: Security Concern: Vended Credentials — Credential Delegation Violation & Workload Identity Binding
> Is there a pattern where Polaris authorizes the compute engine, but the
> engine then fetches its own STS token directly using its own workload identity

Certainly. Just configure the Engine to _not_ ask for vended credentials (and optionally disable STS in the Polaris catalog).

> Does such a pattern conflict with the current Iceberg REST spec or Polaris’s
> security model?

I do not think so.

GitHub link: https://github.com/apache/polaris/discussions/3972#discussioncomment-16086253
