GitHub user RB-ETArch added a comment to the discussion: Security Concern: Vended Credentials — Credential Delegation Violation & Workload Identity Binding
I completely agree that STS is industry-standard practice. No disagreement there. However, we want to clarify the specific concern we are raising, as it is a subtle but important distinction.

The Token Broker pattern assumes:

Client → requests token from Broker → Broker issues token → Client uses token

What happens in Polaris is slightly different:

Polaris → requests token from STS → STS issues token to Polaris → Polaris hands token to Spark → Spark uses token

Polaris is the Requestor. But it is not the Consumer. Spark is.

We are not questioning STS, ephemeral tokens, or dynamic scoping — all of that is solid. The concern is specifically that S3 has no way to verify that the entity presenting the token is the same entity that requested it from STS. The token was issued to Polaris. Spark is the one showing up at S3.

GitHub link: https://github.com/apache/polaris/discussions/3972#discussioncomment-16090423
