Very exciting change. A couple of questions/suggestions: 1. Ideally, the IAM policy statement should have the encryption context set so that the key can only be used to en/decrypt files under the specific table path. 2. The structure suggests that all tables under the catalog will use the same KMS key for encryption. Should we support overriding the key at the table level? The S3FileIOProperties class in Iceberg defines the s3.sse.key property at the table-level so each table can specify its own KMS key. Can we allow for that override, if present?
Mike On Mon, Oct 13, 2025 at 7:27 AM Jean-Baptiste Onofré <[email protected]> wrote: > Hi Fabio > > Thanks for the PR ! We will take a look on it. > > Regards > JB > > On Mon, Oct 13, 2025 at 9:50 AM Rizzo Cascio, Fabio > <[email protected]> wrote: > > > > Hi guys, > > > > I have created a new PR to be able to use a kms key for the S3 bucket, > it is mandatory for me to use any S3 storage and hopefully a good addition > for other people that want to use it. > > > > PR link: https://github.com/apache/polaris/pull/2802 > > > > Thanks > > > > Fabio > > > > This message is confidential and subject to terms at: > https://www.jpmorgan.com/emaildisclaimer including on confidential, > privileged or legal entity information, malicious content and monitoring of > electronic messages. If you are not the intended recipient, please delete > this message and notify the sender immediately. Any unauthorized use is > strictly prohibited. >
