Re: [PR] Spec: Add SigV4 Auth Support for Catalog Federation [polaris]

Fri, 02 May 2025 10:29:40 -0700 


singhpk234 commented on code in PR #1506:
URL: https://github.com/apache/polaris/pull/1506#discussion_r2071919321


##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,34 @@ components:
           format: password
           description: Bearer token (input-only)
 
+    SigV4AuthenticationParameters:
+      type: object
+      description: AWS Signature Version 4 authentication
+      allOf:
+        - $ref: '#/components/schemas/AuthenticationParameters'
+      properties:
+        roleArn:
+          type: string
+          description: The aws IAM role arn assume when signing requests

Review Comment:
   [optional] would it be better to add few words on who is assuming this role 
? just for readability



##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,34 @@ components:
           format: password
           description: Bearer token (input-only)
 
+    SigV4AuthenticationParameters:

Review Comment:
   should we also add an optional role-session-name for tracking this STS 
assume role ? 



##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,34 @@ components:
           format: password
           description: Bearer token (input-only)
 
+    SigV4AuthenticationParameters:
+      type: object
+      description: AWS Signature Version 4 authentication
+      allOf:
+        - $ref: '#/components/schemas/AuthenticationParameters'
+      properties:
+        roleArn:
+          type: string
+          description: The aws IAM role arn assume when signing requests
+          example: 
"arn:aws:iam::123456789001:role/role-that-has-remote-catalog-access"
+        externalId:
+          type: string
+          description: An optional external id used to establish a trust 
relationship with AWS in the trust policy
+        signingRegion:
+          type: string
+          description: Region to be used by the SigV4 protocol for signing 
requests

Review Comment:
   does this region needs to be same as that of Polaris is running is Sigv4 
suffciient for cross region or we need SigV4A ?



##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,34 @@ components:
           format: password
           description: Bearer token (input-only)
 
+    SigV4AuthenticationParameters:

Review Comment:
   Side note how do infer STS endpoint ? do we just rely on SDK ? 
   asking because there is a seperate FIPS endpoint for some of the regions 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to