Dear All,

With Polaris 1.3, SigV4 auth support was added for federated catalogs, which is great. I've been trying to use this to federate Polaris to Amazon S3 Tables, but wasn't able to make it fully work. Metadata operations like listing namespaces and loading tables work fine through federation, but credential vending breaks because S3 Tables uses a different IAM action namespace (s3tables:) and ARN format than standard S3. The existing session policy logic hardcodes s3: actions, so the policy intersection ends up empty and clients get ACCESS_DENIED on data access.

I've put together a directional first-cut draft PR that adds S3 Tables credential vending support. The approach auto-detects S3 Tables catalogs from the signingName in the SigV4 connection config, so no additional user configuration is needed beyond what's already required for federation.

This is very much a starting point, and there's more work needed around integration testing, documentation, and code cleanup. I'd really appreciate the community's input on whether the overall direction makes sense, and any help or feedback from folks who have context on the credential vending flow would be wonderful.

Looking forward to the discussion!

Links:
Draft PR: https://github.com/apache/polaris/pull/4052
Related Issue: https://github.com/apache/polaris/issues/577

Best,
Aritra Gupta
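
The empty policy intersection described in the message above, as an added example that is not part of the original email, the draft PR, or Polaris itself. It uses a simplified evaluator (Allow statements only, no Deny or Condition handling); the function names, the constructed ARNs and account ID, and the choice of actions per namespace are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """True if some Allow statement matches (simplified IAM matching)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        act_ok = any(fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt["Action"]))
        res_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            return True
    return False

def effective(role_policy, session_policy, action, resource):
    # A session policy can only narrow the role: both must allow the request.
    return (allows(role_policy, action, resource)
            and allows(session_policy, action, resource))

def session_policy_for(signing_name, resource_arn, write=False):
    """Hypothetical builder keyed on the SigV4 signingName."""
    if signing_name == "s3tables":
        actions = ["s3tables:GetTableData", "s3tables:GetTableMetadataLocation"]
        if write:
            actions.append("s3tables:PutTableData")
        resources = [resource_arn]
    else:  # standard S3 object access
        actions = ["s3:GetObject"] + (["s3:PutObject"] if write else [])
        resources = [resource_arn + "/*"]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions,
                           "Resource": resources}]}

# Constructed sample values, not taken from any real account.
TABLE_ARN = ("arn:aws:s3tables:us-east-1:111122223333:bucket/example-bucket"
             "/table/00000000-0000-0000-0000-000000000000")
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3tables:*",
    "Resource": "arn:aws:s3tables:us-east-1:111122223333:bucket/example-bucket/*"}]}

if __name__ == "__main__":
    for name, arn in (("s3", "arn:aws:s3:::example-bucket/warehouse"),
                      ("s3tables", TABLE_ARN)):
        sp = session_policy_for(name, arn)
        print(name, effective(ROLE_POLICY, sp, "s3tables:GetTableData", TABLE_ARN))
```
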
