XJDKC commented on code in PR #1506:
URL: https://github.com/apache/polaris/pull/1506#discussion_r2074310561


##########
spec/polaris-management-service.yml:
##########
@@ -938,6 +940,40 @@ components:
           format: password
           description: Bearer token (input-only)
 
+    SigV4AuthenticationParameters:
+      type: object
+      description: AWS Signature Version 4 authentication
+      allOf:
+        - $ref: '#/components/schemas/AuthenticationParameters'
+      properties:
+        roleArn:
+          type: string
+          description: The aws IAM role arn assumed by polaris userArn when 
signing requests
+          example: 
"arn:aws:iam::123456789001:role/role-that-has-remote-catalog-access"
+        roleSessionName:
+          type: string
+          description: The role session name to be used by the SigV4 protocol 
for signing requests
+          example: "polaris-remote-catalog-access"
+        externalId:
+          type: string
+          description: An optional external id used to establish a trust 
relationship with AWS in the trust policy
+          example: "external-id-1234"
+        signingRegion:
+          type: string
+          description: Region to be used by the SigV4 protocol for signing 
requests
+          example: "us-west-2"
+        signingName:
+          type: string
+          description: The service name to be used by the SigV4 protocol for 
signing requests, the default signing name is "execute-api" is if not provided
+          example: "glue"
+        userArn:
+          type: string
+          description: The aws user arn used to assume the aws role, this 
represents the polaris service itself
+          example: "arn:aws:iam::123456789001:user/polaris-service-user"
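Review bot: the `signingName` description in this hunk is ungrammatical ("the default signing name is "execute-api" is if not provided"); drop the second "is", and since this is the one property with a fallback value, declare it as `default: execute-api` in the schema so generated clients see the default rather than only the prose. The `userArn` description assumes the principal that assumes `roleArn` is an IAM user representing the Polaris service, but the role's trust policy can equally name a role ARN, and when Polaris runs on ECS or EC2 its own credentials are temporary role credentials from the container or instance metadata service, not long-lived user keys; either name the field as a generic principal ARN or document that it may be a role ARN. Also note that `externalId` is returned like any other property, whereas the bearer token just above is marked "(input-only)"; decide deliberately whether the external ID should be readable back from the API.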

Review Comment:
   > the trust policy does not have to be based on a "user" ARN, it could be based on a "role" ARN too.
   
   Yes, you are right.
   
   @adnanhemani also made a similar point: for an EC2 instance, it's possible that the credentials won't be long-lived user credentials but instead issued by the Amazon EC2 metadata service.
   
   See https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html
   > 5. Amazon ECS container credentials
   > The SDK uses the [ContainerCredentialsProvider](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/ContainerCredentialsProvider.html) class to load temporary credentials from the following environment variables:
   > AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI
   > AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE or AWS_CONTAINER_AUTHORIZATION_TOKEN
   > 6. Amazon EC2 instance IAM role-provided credentials
   > The SDK uses the [InstanceProfileCredentialsProvider](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.html) class to load temporary credentials from the Amazon EC2 metadata service.
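The parameters the spec hunk introduces (`signingRegion`, `signingName` with its `execute-api` default) and the point made in the comment (the service's credentials may be temporary ones from ECS or the EC2 metadata service rather than long-lived user keys) meet at signing time. The following is an added example, not Polaris code, of SigV4 request signing with the Python standard library; the host, access key, secret and session token are constructed placeholders, and temporary credentials are handled by signing and sending `x-amz-security-token`.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def sigv4_headers(method, url, body, access_key, secret_key, session_token=None,
                  signing_region="us-west-2", signing_name=None, now=None):
    """Build the headers of a SigV4-signed request. signing_name falls back to
    "execute-api", the default the spec describes. session_token is None for
    long-lived user keys; temporary credentials (AssumeRole, ECS, EC2 metadata
    service) carry one and it must be sent and signed as x-amz-security-token."""
    signing_name = signing_name or "execute-api"
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    parsed = urlparse(url)
    # Canonical URI and query: RFC 3986 encoding, query pairs sorted by name then value.
    path = quote(parsed.path or "/", safe="/~")
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(parse_qsl(parsed.query, keep_blank_values=True)))
    headers = {"host": parsed.netloc, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method.upper(), path, query, canonical_headers,
                                   signed_headers, hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{signing_region}/{signing_name}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key derivation: secret -> date -> region -> service -> "aws4_request".
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, signing_region, signing_name, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = {k.title(): v for k, v in headers.items()}  # Host, X-Amz-Date, X-Amz-Security-Token
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out

def example_request(session_token=None, signing_name=None):
    """Constructed inputs (placeholder key, secret and token) with a fixed clock."""
    fixed = dt.datetime(2025, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
    return sigv4_headers("GET", "https://glue.us-west-2.amazonaws.com/?Version=2017-03-31",
                         b"", "AKIDEXAMPLE", "not-a-real-secret", session_token,
                         signing_name=signing_name, now=fixed)
```

Calling `example_request("token", "glue")` versus `example_request()` shows the two cases the review discusses: the credential scope picks up `glue` or the `execute-api` default, and the session token appears in both `SignedHeaders` and the outgoing headers only when temporary credentials are in use.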
