XJDKC commented on code in PR #1506:
URL: https://github.com/apache/polaris/pull/1506#discussion_r2074278158
##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,40 @@ components:
format: password
description: Bearer token (input-only)
+ SigV4AuthenticationParameters:
+ type: object
+ description: AWS Signature Version 4 authentication
+ allOf:
+ - $ref: '#/components/schemas/AuthenticationParameters'
+ properties:
+ roleArn:
+ type: string
+ description: The aws IAM role arn assumed by polaris userArn when
signing requests
+ example:
"arn:aws:iam::123456789001:role/role-that-has-remote-catalog-access"
+ roleSessionName:
+ type: string
+ description: The role session name to be used by the SigV4 protocol
for signing requests
+ example: "polaris-remote-catalog-access"
+ externalId:
+ type: string
+ description: An optional external id used to establish a trust
relationship with AWS in the trust policy
+ example: "external-id-1234"
+ signingRegion:
+ type: string
+ description: Region to be used by the SigV4 protocol for signing
requests
+ example: "us-west-2"
+ signingName:
+ type: string
+ description: The service name to be used by the SigV4 protocol for
signing requests, the default signing name is "execute-api" is if not provided
+ example: "glue"
+ userArn:
+ type: string
+ description: The aws user arn used to assume the aws role, this
represents the polaris service itself
+ example: "arn:aws:iam::123456789001:user/polaris-service-user"
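Review bot: `userArn` is populated by the service rather than supplied by the client (the comment below says Polaris injects its IAM user ARN into the connection config), but the schema declares it like any other writable property; consider marking it `readOnly: true` so generated clients do not send it and the distinction is documented the same way the bearer token above is tagged "(input-only)". Two smaller points in the same hunk: the `signingName` description reads `the default signing name is "execute-api" is if not provided`, which should be `defaults to "execute-api" if not provided`, and `externalId` would benefit from saying that it is the value Polaris presents as `sts:ExternalId` on AssumeRole, so users know which condition to put in their trust policy. Capitalization of "aws" in the `roleArn` and `userArn` descriptions should be "AWS" to match the rest of the spec.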
Review Comment:
This property is used to expose the Polaris service's `userArn` to Polaris users, so they can update the trust relationship of their IAM role to allow Polaris to assume the role they’ve provided.

AWS doc for editing trust relationships: [Editing the trust relationship for an IAM role](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html)

From the user's perspective, the flow looks like this:
1. Create a Polaris Catalog entity that includes a connection config specifying their IAM roles.
2. Polaris injects its IAM user ARN into the connection config.
3. Users call the getCatalog API to retrieve catalog details, including the Polaris service identity (userArn).
4. Users update the trust relationship on their IAM roles, allowing Polaris to assume those roles.
   * For storage config: the IAM role needs permissions to access the bucket.
   * For connection config: the IAM role needs permissions to access their catalog (e.g., Glue).
5. Polaris assumes the IAM role and gets temporary credentials with the role's permissions.
6. Polaris uses those temporary credentials to sign and send requests to the Glue Catalog (or other catalog service).

Storage config also has this property.
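Step 4 of the flow above is where the security of the whole scheme is decided: the role's trust policy must name the Polaris service principal (the `userArn` read back from getCatalog) and require the `externalId` as an `sts:ExternalId` condition, otherwise any AWS principal, or Polaris acting for a different tenant, could assume the role. The following is an added example, not code from the Polaris project or this PR: it builds that trust policy from the two values and checks an existing policy for the common mistakes (wildcard principal, missing or mismatched external id). The ARN and external id are the example values from the spec hunk; the policy documents fed to the checker are constructed for illustration.

```python
"""Build and audit the IAM role trust policy the Polaris SigV4 flow relies on.

Added example (not Polaris project code). Assumes the user has read
`userArn` and `externalId` back from getCatalog; sample values below are the
ones used as examples in the spec.
"""
import json

STS_ASSUME = "sts:AssumeRole"


def build_trust_policy(polaris_user_arn: str, external_id: str) -> dict:
    """Trust policy allowing exactly one principal to assume the role, and only
    when it presents the agreed external id (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": polaris_user_arn},
                "Action": STS_ASSUME,
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, polaris_user_arn: str, external_id: str) -> list:
    """Return a list of findings; an empty list means the policy matches the flow."""
    findings = []
    allows_polaris = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if STS_ASSUME not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = [principal]  # "Principal": "*" form
        if "*" in aws_principals:
            findings.append("statement allows any AWS principal to assume the role")
            continue
        if polaris_user_arn not in aws_principals:
            continue  # some other trusted principal; not our concern here
        allows_polaris = True
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        got = cond.get("sts:ExternalId")
        if got is None:
            findings.append("Polaris principal is trusted without an sts:ExternalId condition")
        elif got != external_id:
            findings.append(f"sts:ExternalId condition is {got!r}, expected {external_id!r}")
    if not allows_polaris:
        findings.append(f"no Allow statement trusts {polaris_user_arn} for {STS_ASSUME}")
    return findings


# Example values taken from the spec hunk in this PR.
POLARIS_USER_ARN = "arn:aws:iam::123456789001:user/polaris-service-user"
EXTERNAL_ID = "external-id-1234"

if __name__ == "__main__":
    policy = build_trust_policy(POLARIS_USER_ARN, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    # Constructed "bad" policy: trusts Polaris but forgets the external id.
    loose = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Principal": {"AWS": POLARIS_USER_ARN}, "Action": STS_ASSUME}]}
    for finding in check_trust_policy(loose, POLARIS_USER_ARN, EXTERNAL_ID):
        print("FINDING:", finding)
```

Running the checker against the trust policy returned by `iam get-role` before enabling a connection config is a cheap guard against the most common misconfiguration, a trust policy copied from an example with a wildcard principal and no external id.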