gaocho opened a new issue, #3742:
URL: https://github.com/apache/polaris/issues/3742

   ### Describe the bug
   
   Polaris continues to vend temporary credentials for S3-compatible storage 
(NetApp S3) despite `stsUnavailable=true` in the catalog's `storageConfigInfo`. 
This results in `ForbiddenException: The AWS Access Key Id you provided does 
not exist` errors when attempting to create tables via Spark.
   
   The error shows randomly generated access keys instead of using the static 
credentials configured in catalog properties.
   
   ### To Reproduce
   
   1. Start Polaris 1.3.0 with PostgreSQL backend
   2. Create catalog via REST API with `stsUnavailable: true` and NetApp S3 
endpoint in `storageConfigInfo`
   3. Add static S3 credentials to catalog properties (`s3.access-key-id`, 
`s3.secret-access-key`)
   4. Attempt to create table from Spark: `spark.sql("CREATE TABLE 
polaris.test.table1 (id INT) USING iceberg")`
   5. Observe error: "The AWS Access Key Id you provided does not exist"
   
   ### Actual Behavior
   
   Error: ForbiddenException: The AWS Access Key Id you provided does not exist 
(Service: S3, Status Code: 403)
   
   Polaris vends temporary credentials (visible as random access keys in error) 
instead of passing through the static credentials from catalog properties.
   
   ### Expected Behavior
   
   With `stsUnavailable: true`, Polaris should pass through static credentials 
from catalog properties without attempting credential vending, allowing direct 
connection to NetApp S3.
   
   ### Additional context
   
   - AWS CLI confirms credentials are valid with NetApp S3
   - Catalog config verified with correct endpoint, pathStyleAccess: true, 
stsUnavailable: true
   - Tried multiple configuration flags to disable credential vending (all 
unsuccessful)
   - Related to discussion in #3640 
   
   Below is the output from the catalog list:
   {
     "type": "INTERNAL",
     "name": "netapp_iceberg",
     "properties": {
       "default-base-location": "s3://iceberg/warehouse",
       "s3.access-key-id": "[REDACTED]",
       "s3.secret-access-key": "[REDACTED]"
     },
     "createTimestamp": 1770668019530,
     "lastUpdateTimestamp": 1770820744747,
     "entityVersion": 2,
     "storageConfigInfo": {
       "storageType": "S3",
       "allowedLocations": ["s3://iceberg/warehouse"],
       "endpoint": "https://my_netapp_endpoint",
       "stsUnavailable": true,
       "pathStyleAccess": true
     }
   }
   
   ### System information
   
   OS: Linux
   Polaris Catalog Version: 1.3.0-incubating
   Object storage & setup: NetApp S3 (S3-compatible), endpoint: 
https://my_netapp_endpoint
   


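One way to confirm the reported behaviour from the client side, as an added example that is not part of the original issue or of Polaris: it checks a table response body for S3 credential keys when the catalog declares `stsUnavailable: true`. The function names and sample payloads are hypothetical and constructed here; the key names (`config`, `storage-credentials`, `s3.session-token`) are the ones the Iceberg REST catalog specification uses for table responses.

```python
import json

# S3 credential keys the Iceberg REST spec defines for table responses.
S3_CRED_KEYS = ("s3.access-key-id", "s3.secret-access-key", "s3.session-token")

def vended_s3_keys(table_response):
    """Names (never values) of S3 credential keys found in a table response."""
    found = {k for k in S3_CRED_KEYS if k in (table_response.get("config") or {})}
    for cred in table_response.get("storage-credentials") or []:
        found |= {k for k in S3_CRED_KEYS if k in (cred.get("config") or {})}
    return found

def check_vending(catalog, table_response):
    """Flag credentials in a response from a catalog that declares stsUnavailable."""
    storage = catalog.get("storageConfigInfo") or {}
    keys = vended_s3_keys(table_response)
    if storage.get("stsUnavailable") is True and keys:
        return [f"catalog {catalog.get('name')!r}: stsUnavailable=true but "
                f"response carries {sorted(keys)}"]
    return []

# Constructed catalog entity, trimmed from the shape shown in the issue.
CATALOG = json.loads("""{
  "name": "netapp_iceberg",
  "storageConfigInfo": {"storageType": "S3", "stsUnavailable": true,
                        "pathStyleAccess": true}
}""")

# Constructed responses with placeholder values, not captured from a server.
RESPONSE_WITH_CREDS = {
    "metadata-location": "s3://iceberg/warehouse/test/table1/metadata/v1.json",
    "config": {"s3.access-key-id": "PLACEHOLDER",
               "s3.secret-access-key": "PLACEHOLDER",
               "s3.session-token": "PLACEHOLDER"},
}
RESPONSE_WITHOUT_CREDS = {
    "metadata-location": RESPONSE_WITH_CREDS["metadata-location"],
    "config": {},
}

if __name__ == "__main__":
    for label, resp in (("with creds", RESPONSE_WITH_CREDS),
                        ("without creds", RESPONSE_WITHOUT_CREDS)):
        print(label, check_vending(CATALOG, resp) or "ok")
```

Feed it the JSON body returned by the catalog's create-table or load-table call; only key names are reported, so secret values never reach logs.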