GitHub user adnanhemani added a comment to the discussion: Security Concern: Vended Credentials — Credential Delegation Violation & Workload Identity Binding
> This is the case with anything that is not AWS. This was a long time a problem in AWS. You may be able to integrate Trusted Identity Propagation for custom applications (https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-integrations.html) to achieve this.

As someone who's worked on Trusted Identity Propagation (TIP) in a "past life", it is beyond complicated for non-AWS services (complicated for internal AWS services as well 😅) to integrate with. But I also don't think this "solves" the problem cleanly. Amazon S3 (at least as of when I was last working on it in early 2025) does not understand "identity-enhanced credentials" (which are vended by TIP). The best way around this is to set up Amazon S3 Access Grants and then maintain another set of authZ policies there (S3 Access Grants is also not free, btw). S3 Access Grants will then exchange the "identity-enhanced credentials" for a set of credentials that can talk to S3.

Keeping aside the additional roundtrips to AWS you are making on a per-file basis (costing both time and money), we're still not resolving the attack vectors that are listed in the original post.

GitHub link: https://github.com/apache/polaris/discussions/3972#discussioncomment-16204235
