Hi Fabio,

Yes, I glimpsed that from your email. Sorry if my post caused confusion. I just wanted to reply to the top email as what I'm proposing seems to be a key feature for KMS support.

Would you be able to validate whether sending KMS FileIO properties to clients from LoadTable responses works in practice (e.g. in Spark)? I believe this can be done by adding KMS properties as "extra" properties to AccessConfig.

Thanks,
Dmitri.

On Tue, Oct 21, 2025 at 4:15 AM Rizzo Cascio, Fabio <[email protected]> wrote:

> Hi Dmitri,
>
> This is what I was saying in my other email. Anyway I’m gonna update my PR
> with the changes I have made to get it working, the project won’t build
> because I haven’t updated the tests etc, I just want to show my changes and
> see if we can agree on a direction before I make all the changes.
>
> Thanks
>
> Fabio
>
> From: Dmitri Bourlatchkov <[email protected]>
> Date: Monday, 20 October 2025 at 17:38
> To: [email protected] <[email protected]>
> Subject: [EXTERNAL]Re: KMS Key addition for s3
>
> Hi Fabio, Ashok and All,
>
> Apologies if I'm missing something obvious, but the two WIP KMS PRs [1424]
> [2802] appear to be dealing only with AWS policies on the vended credential
> session. They do not appear to deal with client configuration (in LoadTable
> responses).
>
> As far as I understand, Iceberg clients need certain FileIO properties to
> be set in order to utilize KMS.
>
> I'd imagine that Polaris ought to provide these FileIO properties in
> LoadTable responses in addition to granting privileges for KMS access to
> the vended (session) credentials.
>
> In other words, the decision whether to use KMS rests with Polaris (we can
> discuss how to configure that). If that is enabled, clients should not need
> any extra configuration, they should get complete and usable
> configuration + credentials from Polaris.
>
> WDYT?
>
> [1424] https://github.com/apache/polaris/pull/1424
> [2802] https://github.com/apache/polaris/pull/2802
>
> Thanks,
> Dmitri.
>
> On Mon, Oct 13, 2025 at 3:50 AM Rizzo Cascio, Fabio
> <[email protected]> wrote:
>
> > Hi guys,
> >
> > I have created a new PR to be able to use a kms key for the S3 bucket, it
> > is mandatory for me to use any S3 storage and hopefully a good addition for
> > other people that want to use it.
> >
> > PR link: https://github.com/apache/polaris/pull/2802
> >
> > Thanks
> >
> > Fabio
> >
> > This message is confidential and subject to terms at:
> > https://www.jpmorgan.com/emaildisclaimer including on confidential,
> > privileged or legal entity information, malicious content and monitoring of
> > electronic messages. If you are not the intended recipient, please delete
> > this message and notify the sender immediately. Any unauthorized use is
> > strictly prohibited.
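
The two halves discussed in this thread (KMS privileges on the vended session credentials, and KMS FileIO properties in the LoadTable response) can be checked against each other. The following is an added example, not code from the thread or from Polaris: `s3.sse.type` and `s3.sse.key` are Iceberg S3FileIO properties, while the helper names, the key ARN and the chosen set of KMS actions are assumptions made for illustration.

```python
# Added example, not Polaris code. Property names are Iceberg S3FileIO settings;
# the key ARN and all helper names are constructed for illustration.
KMS_READ = {"kms:Decrypt"}
KMS_WRITE = {"kms:GenerateDataKey", "kms:Decrypt"}  # multipart uploads also decrypt


def kms_statement(key_arn, writable):
    """Session-policy statement scoping the vended credentials to one key."""
    actions = KMS_WRITE if writable else KMS_READ
    return {"Effect": "Allow", "Action": sorted(actions), "Resource": key_arn}


def load_table_config(key_arn):
    """FileIO properties that tell the client's S3FileIO to request SSE-KMS."""
    return {"s3.sse.type": "kms", "s3.sse.key": key_arn}


def check_response(config, session_policy, writable):
    """Return a list of problems; empty means config and credentials agree."""
    problems = []
    if config.get("s3.sse.type") != "kms":
        problems.append("client not told to use SSE-KMS")
    key = config.get("s3.sse.key")
    if not key:
        problems.append("no KMS key in FileIO properties")
    granted = set()
    for st in session_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and st.get("Resource") == key:
            acts = st.get("Action", [])
            granted.update([acts] if isinstance(acts, str) else acts)
    missing = (KMS_WRITE if writable else KMS_READ) - granted
    if key and missing:
        problems.append("session policy lacks " + ", ".join(sorted(missing)))
    return problems


KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
POLICY = {"Version": "2012-10-17", "Statement": [kms_statement(KEY, writable=True)]}

if __name__ == "__main__":
    # Credentials and client configuration both carry the key: no problems.
    print(check_response(load_table_config(KEY), POLICY, writable=True))
    # Policy-only case: credentials grant KMS access, client config is empty.
    print(check_response({}, POLICY, writable=True))
```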
