Hi All,

My understanding is the Iceberg clients will use table config (from
loadTable responses) in order to initialize FileIO.

I propose for Polaris to provide KMS config entries in that section of IRC
responses.

On the server side I propose to put KMS config into AwsStorageConfigInfo,
which is the primary source of data for AwsCredentialsStorageIntegration,
which produced AccessConfig, which is later used to make IRC responses.

That should cover the majority of use cases, I hope.

To support table-level KMS config, I think it might be preferable to use
Polaris Entity properties for that as opposed to table Metadata properties.

From my POV we need to consider that Polaris must be able to load table's
files (specifically metadata files) using only Polaris data.

WDYT?

Thanks,
Dmitri.

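The following is an added illustration, not code from Polaris or from this thread, of the plumbing proposed above: a KMS key set on the catalog's AWS storage config (or overriding it via a table-level entity property) is carried through the AccessConfig into the `config` map of a LoadTableResponse, and the client validates that map before initializing FileIO. The `s3.sse.type`, `s3.sse.key` and `s3.*` credential keys are Iceberg's real S3FileIO property names; `AwsStorageConfigInfo`, `AccessConfig`, the `kms_key_arn` field and the `polaris.storage.kms-key-arn` entity property are simplified stand-ins and assumed names, and the credentials and ARNs are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Iceberg S3FileIO property keys (org.apache.iceberg.aws.s3.S3FileIOProperties).
S3_SSE_TYPE = "s3.sse.type"
S3_SSE_KEY = "s3.sse.key"
S3_SSE_TYPE_KMS = "kms"
S3_ACCESS_KEY_ID = "s3.access-key-id"
S3_SECRET_ACCESS_KEY = "s3.secret-access-key"
S3_SESSION_TOKEN = "s3.session-token"

# Assumed name for a table-level KMS override stored as a Polaris entity property.
TABLE_KMS_KEY_PROPERTY = "polaris.storage.kms-key-arn"


@dataclass
class AwsStorageConfigInfo:
    """Stand-in for Polaris' AwsStorageConfigInfo with the proposed kms_key_arn field."""
    role_arn: str
    region: str
    kms_key_arn: Optional[str] = None


@dataclass
class AccessConfig:
    """Stand-in for Polaris' AccessConfig: vended credentials plus extra FileIO properties."""
    credentials: dict
    extra_properties: dict = field(default_factory=dict)


def vend_access_config(storage, session_credentials, table_entity_properties=None):
    """Server side: what the storage integration would hand to the REST layer.

    session_credentials: constructed STS-style credentials (assumed to already
    carry the KMS grants that the policy-side changes deal with).
    A table-level key from entity properties wins over the catalog-level key,
    so the decision to use KMS is made entirely from Polaris' own data.
    """
    table_entity_properties = table_entity_properties or {}
    kms_key = table_entity_properties.get(TABLE_KMS_KEY_PROPERTY) or storage.kms_key_arn
    extra = {}
    if kms_key:
        extra[S3_SSE_TYPE] = S3_SSE_TYPE_KMS
        extra[S3_SSE_KEY] = kms_key
    return AccessConfig(credentials=dict(session_credentials), extra_properties=extra)


def to_load_table_config(access):
    """Flatten an AccessConfig into the `config` map of a LoadTableResponse."""
    config = {
        S3_ACCESS_KEY_ID: access.credentials["access_key_id"],
        S3_SECRET_ACCESS_KEY: access.credentials["secret_access_key"],
        S3_SESSION_TOKEN: access.credentials["session_token"],
    }
    config.update(access.extra_properties)
    return config


def client_fileio_properties(config):
    """Client side: check the vended config is complete before building FileIO.

    Raises ValueError when a credential is missing or KMS is requested without
    a key, so the client fails loudly instead of falling back to its own defaults.
    """
    for key in (S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY, S3_SESSION_TOKEN):
        if not config.get(key):
            raise ValueError(f"vended credential missing: {key}")
    if config.get(S3_SSE_TYPE) == S3_SSE_TYPE_KMS and not config.get(S3_SSE_KEY):
        raise ValueError(f"{S3_SSE_TYPE}={S3_SSE_TYPE_KMS} but {S3_SSE_KEY} is not set")
    return {k: v for k, v in config.items() if k.startswith("s3.")}


def config_is_complete(config):
    """Boolean form of client_fileio_properties for callers that do not want exceptions."""
    try:
        client_fileio_properties(config)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real account, role or key.
    creds = {"access_key_id": "ASIAEXAMPLE", "secret_access_key": "secretEXAMPLE",
             "session_token": "tokenEXAMPLE"}
    catalog = AwsStorageConfigInfo(
        role_arn="arn:aws:iam::123456789012:role/polaris-example", region="us-east-1",
        kms_key_arn="arn:aws:kms:us-east-1:123456789012:key/CATALOG-KEY-EXAMPLE")
    table_props = {TABLE_KMS_KEY_PROPERTY: "arn:aws:kms:us-east-1:123456789012:key/TABLE-KEY-EXAMPLE"}
    for props in (None, table_props):
        cfg = to_load_table_config(vend_access_config(catalog, creds, props))
        print(client_fileio_properties(cfg))
```

The client-side check is the part worth keeping in mind from the thread: if the server decides KMS is in use, the response has to carry both the credentials and the SSE properties together, and a client that receives `s3.sse.type=kms` with no key should treat the response as incomplete rather than guess.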
On Tue, Oct 21, 2025 at 4:15 AM Rizzo Cascio, Fabio
<[email protected]> wrote:

> Hi Dmitri,
>
> This is what I was saying in my other email. Anyway I’m gonna update my PR
> with the changes I have made to get it working; the project won’t build
> because I haven’t updated the tests etc. I just want to show my changes and
> see if we can agree on a direction before I make all the changes.
>
> Thanks
>
> Fabio
>
> From: Dmitri Bourlatchkov <[email protected]>
> Date: Monday, 20 October 2025 at 17:38
> To: [email protected] <[email protected]>
> Subject: [EXTERNAL]Re: KMS Key addition for s3
>
> Hi Fabio, Ashok and All,
>
> Apologies if I'm missing something obvious, but the two WIP KMS PRs [1424]
> [2802] appear to be dealing only with AWS policies on the vended credential
> session. They do not appear to deal with client configuration (in LoadTable
> responses).
>
> As far as I understand, Iceberg clients need certain FileIO properties to
> be set in order to utilize KMS.
>
> I'd imagine that Polaris ought to provide these FileIO properties in
> LoadTable responses in addition to granting privileges for KMS access to
> the vended (session) credentials.
>
> In other words, the decision whether to use KMS rests with Polaris (we can
> discuss how to configure that). If that is enabled, clients should not need
> any extra configuration, they should get complete and usable
> configuration + credentials from Polaris.
>
> WDYT?
>
> [1424] https://github.com/apache/polaris/pull/1424
> [2802] https://github.com/apache/polaris/pull/2802
>
> Thanks,
> Dmitri.
>
>
> On Mon, Oct 13, 2025 at 3:50 AM Rizzo Cascio, Fabio
> <[email protected]> wrote:
>
> > Hi guys,
> >
> > I have created a new PR to be able to use a KMS key for the S3 bucket, it
> > is mandatory for me to use any S3 storage and hopefully a good addition for
> > other people that want to use it.
> >
> > PR link: https://github.com/apache/polaris/pull/2802
> >
> > Thanks
> >
> > Fabio
> >
> > This message is confidential and subject to terms at:
> > https://www.jpmorgan.com/emaildisclaimer including on confidential,
> > privileged or legal entity information, malicious content and monitoring of
> > electronic messages. If you are not the intended recipient, please delete
> > this message and notify the sender immediately. Any unauthorized use is
> > strictly prohibited.
> >
>
