Re: [PR] Spec: Add SigV4 Auth Support for Catalog Federation [polaris]

Mon, 05 May 2025 15:42:01 -0700 


XJDKC commented on code in PR #1506:
URL: https://github.com/apache/polaris/pull/1506#discussion_r2074310561


##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,40 @@ components:
           format: password
           description: Bearer token (input-only)
 
+    SigV4AuthenticationParameters:
+      type: object
+      description: AWS Signature Version 4 authentication
+      allOf:
+        - $ref: '#/components/schemas/AuthenticationParameters'
+      properties:
+        roleArn:
+          type: string
+          description: The aws IAM role arn assumed by polaris userArn when 
signing requests
+          example: 
"arn:aws:iam::123456789001:role/role-that-has-remote-catalog-access"
+        roleSessionName:
+          type: string
+          description: The role session name to be used by the SigV4 protocol 
for signing requests
+          example: "polaris-remote-catalog-access"
+        externalId:
+          type: string
+          description: An optional external id used to establish a trust 
relationship with AWS in the trust policy
+          example: "external-id-1234"
+        signingRegion:
+          type: string
+          description: Region to be used by the SigV4 protocol for signing 
requests
+          example: "us-west-2"
+        signingName:
+          type: string
+          description: The service name to be used by the SigV4 protocol for 
signing requests, the default signing name is "execute-api" is if not provided
+          example: "glue"
+        userArn:
+          type: string
+          description: The aws user arn used to assume the aws role, this 
represents the polaris service itself
+          example: "arn:aws:iam::123456789001:user/polaris-service-user"

Review Comment:
   > the trust policy does not have to be based on a "user" ARN, it could be 
based on a "role" ARN too.
   
   Yes, you are right. But the fact is, we can't create long-lived creds for an 
IAM role. This is the model of AWS IAM service.
   
   So if polaris wants to assume a user-privided role from a polaris service 
role, before that, polaris needs to get a temp creds for that polaris service 
role. But then how do we get those initial creds? By assuming that polaris 
service role from another set of long-lived credentials? That gets a bit weird 
and kind of defeats the purpose. 🙂



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to