Thanks for raising this, Dmitri! For non-STS use cases, some users may be more comfortable without credential vending. They could configure the storage credentials on the engine side. Can we first confirm that vending raw credentials is really what users are asking for?
If that's the case, raw credential vending should be at least optional, which could be guarded by feature flags. And I didn't see much difference between option 1 and option 2. Both provide raw credentials and need rotation. Either way is fine with me.

Yufei

On Wed, Jul 30, 2025 at 3:24 PM Dmitri Bourlatchkov <di...@apache.org> wrote:

> Hi All,
>
> Recent conversations [1] [2] about non-AWS S3 storage brought up user needs
> for operating with S3-compatible storage that does not have STS.
>
> Remote request signing can be used to support those use cases, but it is a
> considerable development effort to add to Polaris, plus it has different
> performance characteristics than vended credentials.
>
> I propose two short-term options to support users of non-STS S3 storage.
>
> 1) Add a configuration option to vend the same credentials that Polaris has
> to clients.
>
> While this may (rightly) be considered suboptimal from the security
> perspective, this option does give users a choice to operate clients
> without explicitly configuring storage credentials for them. Polaris
> Servers still control the rotation of those credentials.
>
> 2) Add secondary plain credentials for vending to clients. Polaris itself
> will use one key/secret pair. Clients will be issued another key/secret
> pair. Rotation of the client credentials should be possible to implement
> too.
>
> WDYT?
>
> [1] https://github.com/apache/polaris/issues/1530#issuecomment-3137374380
> [2] https://github.com/apache/polaris/issues/2207
>
> Thanks,
> Dmitri.