Hi All, Recent conversations [1] [2] about non-AWS S3 storage brought up user needs for operating with S3-compatible storage that does not have STS.
Remote request signing can be used to support those use cases, but it is a considerable development effort to add to Polaris, plus it has different performance characteristics than vended credentials. I propose two short-term options to support users of non-STS S3 storage. 1) Add a configuration option to vend the same credentials that Polaris has to clients. While this may (rightly) be considered suboptimal from the security perspective, this option does give users a choice to operate clients without explicitly configuring storage credentials for them. Polaris Servers still control the rotation of those credentials. 2) Add secondary plain credentials for vending to clients. Polaris itself will use one key/secret pair. Clients will be issued another key/secret pair. Rotation of the client credentials should be possible to implement too. WDYT? [1] https://github.com/apache/polaris/issues/1530#issuecomment-3137374380 [2] https://github.com/apache/polaris/issues/2207 Thanks, Dmitri.
