This is an automated email from the ASF dual-hosted git repository. yzou pushed a commit to branch yzou-credential-vending-specs in repository https://gitbox.apache.org/repos/asf/polaris.git
commit 5ff9588dd6ea2936f098fc27aa27958dffa4565d Author: Yun Zou <[email protected]> AuthorDate: Wed Feb 18 12:12:26 2026 -0800 add change --- api/polaris-catalog-service/build.gradle.kts | 1 + spec/polaris-catalog-apis/generic-tables-api.yaml | 55 +++++++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/api/polaris-catalog-service/build.gradle.kts b/api/polaris-catalog-service/build.gradle.kts index 59a65b22d4..810b134421 100644 --- a/api/polaris-catalog-service/build.gradle.kts +++ b/api/polaris-catalog-service/build.gradle.kts @@ -31,6 +31,7 @@ val genericTableModels = "LoadGenericTableResponse", "ListGenericTablesResponse", "GenericTable", + "StorageCredential", ) val policyManagementModels = diff --git a/spec/polaris-catalog-apis/generic-tables-api.yaml b/spec/polaris-catalog-apis/generic-tables-api.yaml index 6377c8f99c..35f04b0d80 100644 --- a/spec/polaris-catalog-apis/generic-tables-api.yaml +++ b/spec/polaris-catalog-apis/generic-tables-api.yaml @@ -244,6 +244,12 @@ components: properties: table: $ref: '#/components/schemas/GenericTable' + storage-credentials: + type: array + description: Credentials for ADLS / GCS / S3 to access the table. + items: + $ref: '#/components/schemas/StorageCredential' + ListGenericTablesResponse: type: object 
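Review bot: The description of the new `storage-credentials` field says only what the credentials are for, not when the server includes them or how they are scoped, and because this array carries secret material that is exactly what a client author needs to know. If the intended behaviour is that the array is only populated when credential vending is enabled and the caller is allowed to receive credentials, say so, e.g. `description: Credentials for ADLS / GCS / S3 to access the table. Only present when credential vending is enabled; each credential is scoped to a location prefix and must be refreshed before the expiry time given in its config.` The `required` list of LoadGenericTableResponse is outside the hunk, so confirm the field is optional there. The `ListGenericTablesResponse` definition at the end of the hunk continues outside it.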
@@ -256,6 +262,55 @@ components: items: $ref: '../iceberg-rest-catalog-open-api.yaml#/components/schemas/TableIdentifier' + + StorageCredential: + type: object + required: + - prefix + - config + properties: + prefix: + type: string + description: Indicates a storage location prefix where the credential is relevant. Clients should choose the most + specific prefix (by selecting the longest prefix) if several credentials of the same type are available. + config: + type: object + description: | + Credential configurations for AWS S3, GCP GCS, and Azure ADLS are supported. The following outlines + the currently supported configuration options: + + ## AWS Configurations + + The following configurations should be respected when working with tables stored in AWS S3 + - `s3.access-key-id`: id for credentials that provide access to the data in S3 + - `s3.secret-access-key`: secret for credentials that provide access to data in S3 + - `s3.session-token`: if present, this value should be used for as the session token + - `s3.session-token-expires-at-ms`: the time the aws session token expires, in milliseconds + Extra properties: + - `s3.endpoint`: the S3 endpoint to use for requests + - `s3.path-style-access`: whether to use S3 path style access + - `client.region`: region to configure client for making requests to AWS + - `client.refresh-credentials-endpoint`: the endpoint to load vended credentials for a table from the catalog + + ## GCP Configurations + + The following configurations should be respected when working with tables stored in GCP GCS + - `gcs.oauth2.token`: the gcs scoped access token + - `gcs.oauth2.token-expires-at`: the time the gcs access token expires, in milliseconds + Extra properties: + - `gcs.oauth2.refresh-credentials-endpoint`: the endpoint to load vended credentials for a table from the catalog + + # AZURE Configuration + + The following configurations should be respected when working with tables stored in AZURE ADLS + - 
`adls.sas-token.<hostname>`: an azure shared access signature token + - `adls.sas-token-expires-at-ms.<hostname>`: the expiration time for the access token, in milliseconds + Extra properties: + - `adls.refresh-credentials-endpoint`: the endpoint to load vended credentials for a table from the catalog + + additionalProperties: + type: string + responses: LoadGenericTableResponse:
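Review bot: The markdown inside the `config` description is inconsistent and has a typo: the Azure section is headed `# AZURE Configuration` while the AWS and GCP sections use `## AWS Configurations` / `## GCP Configurations`, and the `s3.session-token` bullet reads "this value should be used for as the session token". Change the heading to `## Azure Configurations` and the bullet to `s3.session-token: if present, this value should be used as the session token`. The same `StorageCredential` shape appears to exist in the Iceberg REST spec this file already references for `TableIdentifier`; if a local copy is needed for the generated model added in build.gradle.kts, a one-line comment above the schema stating that it mirrors `../iceberg-rest-catalog-open-api.yaml#/components/schemas/StorageCredential` and must be kept in sync would prevent the two from drifting. `gcs.oauth2.token-expires-at` is documented as milliseconds but, unlike the S3 and ADLS keys, has no `-ms` suffix, so the bullet should state explicitly that it is an epoch timestamp in milliseconds to avoid clients treating it as seconds.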
