GitHub user RB-ETArch added a comment to the discussion: Security Concern: Vended Credentials — Credential Delegation Violation & Workload Identity Binding
On the bucket policy workaround — yes, IP address or VPC conditions on the bucket policy could help, but our compute consumers span on-premises, AWS, and Azure. At that scale we would hit bucket policy size limits and the maintenance overhead becomes unmanageable.

On importing logs into SIEM for anomaly detection — yes, this is already part of our plan. However, this is inherently reactive. It helps us detect and respond after the fact, but does not prevent unauthorized token use in the first place, which we are trying to address.

Trusted Identity Propagation looks promising as a potential bridge here. Thank you for sharing the link. I will learn more about it and report back here if it can help close the gap.

GitHub link: https://github.com/apache/polaris/discussions/3972#discussioncomment-16090450
