Hi Fabio, Ashok and All,

Apologies if I'm missing something obvious, but the two WIP KMS PRs [1424] [2802] appear to be dealing only with AWS policies on the vended credential session. They do not appear to deal with client configuration (in LoadTable responses).

As far as I understand, Iceberg clients need certain FileIO properties to be set in order to utilize KMS. I'd imagine that Polaris ought to provide these FileIO properties in LoadTable responses in addition to granting privileges for KMS access to the vended (session) credentials. In other words, the decision whether to use KMS rests with Polaris (we can discuss how to configure that). If that is enabled, clients should not need any extra configuration, they should get complete and usable configuration + credentials from Polaris.

WDYT?

[1424] https://github.com/apache/polaris/pull/1424
[2802] https://github.com/apache/polaris/pull/2802

Thanks,
Dmitri.

On Mon, Oct 13, 2025 at 3:50 AM Rizzo Cascio, Fabio <[email protected]> wrote:

> Hi guys,
>
> I have created a new PR to be able to use a kms key for the S3 bucket, it
> is mandatory for me to use any S3 storage and hopefully a good addition for
> other people that want to use it.
>
> PR link: https://github.com/apache/polaris/pull/2802
>
> Thanks
>
> Fabio
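The consistency argued for in the reply above (FileIO properties and KMS privileges delivered together) can be checked mechanically. The following is an added example, not code from either PR or from Polaris: it assumes the Iceberg S3FileIO properties `s3.sse.type` and `s3.sse.key`, assumes the key is given as a full ARN, and uses a constructed key ARN and session policy.

```python
from fnmatch import fnmatchcase

# SSE-KMS objects need GenerateDataKey to write and Decrypt to read.
REQUIRED_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]

def policy_allows(policy, action, resource):
    """True if some Allow statement matches the action and the resource.
    Simplification: Deny statements and Condition blocks are not evaluated."""
    for stmt in _allow_statements(policy):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False

def check_load_table(config, session_policy):
    """Return mismatches between the FileIO config and the vended session policy."""
    problems = []
    key = config.get("s3.sse.key")
    if config.get("s3.sse.type") == "kms":
        if not key:
            problems.append("s3.sse.type=kms but s3.sse.key is not set")
        else:
            problems += [f"session policy lacks {a} on {key}"
                         for a in REQUIRED_KMS_ACTIONS
                         if not policy_allows(session_policy, a, key)]
    elif any(a.lower().startswith("kms:") for s in _allow_statements(session_policy)
             for a in _as_list(s.get("Action", []))):
        # Credentials can use the key, but the client is never told to.
        problems.append("session policy grants KMS access but config does not enable SSE-KMS")
    return problems

# Constructed sample values (placeholders, not taken from the PRs).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/warehouse/*"},
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
     "Resource": KEY_ARN}]}
CONFIG_COMPLETE = {"s3.sse.type": "kms", "s3.sse.key": KEY_ARN}
CONFIG_CREDENTIALS_ONLY = {}  # policy updated, FileIO properties not sent

if __name__ == "__main__":
    print(check_load_table(CONFIG_COMPLETE, POLICY))
    print(check_load_table(CONFIG_CREDENTIALS_ONLY, POLICY))
```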
