fivetran-ashokborra commented on code in PR #1424:
URL: https://github.com/apache/polaris/pull/1424#discussion_r2236336779
##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -198,7 +206,32 @@ private IamPolicy policyString(
bucketGetLocationStatementBuilder
.values()
.forEach(statementBuilder ->
policyBuilder.addStatement(statementBuilder.build()));
- return
policyBuilder.addStatement(allowGetObjectStatementBuilder.build()).build();
+
+ policyBuilder.addStatement(allowGetObjectStatementBuilder.build());
+
+ if (isKMSSupported(callContext)) {
+ policyBuilder.addStatement(
+ IamStatement.builder()
+ .effect(IamEffect.ALLOW)
+ .addAction("kms:GenerateDataKey")
+ .addAction("kms:Decrypt")
+ .addAction("kms:DescribeKey")
+ .addResource("arn:aws:kms:" + region + ":" + awsAccountId +
":key/*")
Review Comment:
I feel that may beat the purpose. Here we are trying to access S3 by using
session IAM policy. Retrieving the KMS key would need building the client with
AssumeRole request.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
