GitHub user RB-ETArch added a comment to the discussion: Security Concern: Vended Credentials — Credential Delegation Violation & Workload Identity Binding
Thank you for the suggestion. I am thinking: when the compute engine fetches its own STS token directly after being authorized by Polaris, I am not sure if it will receive sub-scoped credentials locked to the specific table file paths as defined in the Iceberg metadata or if it will get broader access to the entire bucket. The per-path scoping that Polaris currently applies during credential vending is important to us, and we want to make sure that it is preserved in this approach. I will test and report back.

GitHub link: https://github.com/apache/polaris/discussions/3972#discussioncomment-16090502
