Hi Reginald,

Just a rough sketch:

* AwsCredentialsStorageIntegration is currently able to take an AwsCredentialsProvider
* AwsCredentialsStorageIntegration can use AwsStorageConfigurationInfo to decide how exactly to obtain storage credentials. It should be possible to add settings there to switch to AssumeRoleWithWebIdentity
* However, currently AwsCredentialsProvider is hard-wired to static credentials [1]
* StorageAccessConfigProvider is request-scoped, so in principle it should be able to feed the authenticated principal's credentials into the storage integration code. However, this needs a bit of code archeology... There will be some rough edges there :)

If you're willing to explore this path in the code, I think that's where a connection to the API user could be made.

[1] https://github.com/apache/polaris/blob/20febdaede19fb7c46e120652fdd1a262c2138e4/runtime/service/src/main/java/org/apache/polaris/service/storage/StorageConfiguration.java#L89

Cheers,
Dmitri.

On Thu, Nov 20, 2025 at 2:32 PM Arsenault, Reginald P. via dev <[email protected]> wrote:

> UNCLASSIFIED / NON CLASSIFIÉ
>
> Hi! As per our findings in [2], we are looking to enable connectivity with our on-prem S3 storage appliance, which requires changes to how Polaris connects to S3. Currently, the way Polaris connects to S3 does not work for our on-prem S3 instance because of the way it expects to connect to the STS server (i.e. without any specific authentication).
>
> We propose enhancing the AwsCredentialsStorageIntegration to support a more flexible authorization mechanism:
>
> * Goal: We want the ability to pass the requesting user's identity (likely a token) to the STS. This would allow the STS to make fine-grained decisions on what the user can and cannot do based on their specific identity.
> * Proposed Implementation: We believe this functionality can be achieved by adding an option within AwsCredentialsStorageIntegration [1] to connect using the AssumeRoleWithWebIdentity flow.
>
> We would greatly appreciate some guidance on the following changes before we begin development:
>
> 1. What is the recommended or existing mechanism within Polaris for capturing and passing along an authenticated user's identity token to the AwsCredentialsStorageIntegration component, so we can pass it to the STS? I could be wrong, but I believe the token that gets passed to STS doesn't need to be scoped for the STS, so it could just be whatever token is given to Polaris by the user.
> 2. How should we best modify the AwsCredentialsStorageIntegration class and configuration to be able to handle both the existing AssumeRole use case and the new AssumeRoleWithWebIdentity use case?
>
> Any pointers or suggestions on the best place to inject the user token and manage the configuration switch would be helpful.
>
> [1] https://github.com/apache/polaris/blob/main/polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java#L107
> [2] https://github.com/apache/polaris/issues/3038
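The configuration switch the thread discusses (existing AssumeRole alongside a new AssumeRoleWithWebIdentity flow fed by the request-scoped caller token), sketched as an added stand-alone example against the AWS SDK for Java v2. This is not Polaris code and does not use the project's classes: StsAuthMode, StorageSettings, StsCredentialsBroker and VendedCredentials are hypothetical names chosen for the example. The two security points it makes are that AssumeRoleWithWebIdentity is an unsigned STS action, so that mode needs no static service keys at all, and that the caller's token travels in the STS request body, so the endpoint must be HTTPS.

```java
// Added example, not Polaris code. Hypothetical names: StsAuthMode, StorageSettings,
// StsCredentialsBroker, VendedCredentials. Requires the AWS SDK v2 "sts" module.
import java.net.URI;
import java.time.Instant;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;

import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;
import software.amazon.awssdk.services.sts.model.Credentials;

public final class StsCredentialsBroker {

  /** Hypothetical switch, standing in for a setting on the storage configuration. */
  public enum StsAuthMode { ASSUME_ROLE, ASSUME_ROLE_WITH_WEB_IDENTITY }

  /** Hypothetical subset of storage settings this example needs. */
  public record StorageSettings(StsAuthMode mode, String roleArn, URI stsEndpoint, Region region,
                                Optional<AwsBasicCredentials> serviceKeys, int durationSeconds) {}

  /** Temporary credentials plus their expiry, so a caller can cache them safely. */
  public record VendedCredentials(AwsSessionCredentials credentials, Instant expiresAt) {}

  // STS accepts [\w+=,.@-] of length 2..64 as a RoleSessionName; anything else is rejected.
  private static final Pattern SESSION_NAME_BAD = Pattern.compile("[^\\w+=,.@-]");

  private final StorageSettings settings;

  public StsCredentialsBroker(StorageSettings settings) {
    this.settings = Objects.requireNonNull(settings);
  }

  /**
   * @param principalName authenticated API user from the request scope; used only for the session name
   * @param callerToken   the user's bearer token; required in ASSUME_ROLE_WITH_WEB_IDENTITY mode, ignored otherwise
   */
  public VendedCredentials vend(String principalName, Optional<String> callerToken) {
    String sessionName = sessionNameFor(principalName);
    try (StsClient sts = buildClient()) {
      Credentials c = switch (settings.mode()) {
        case ASSUME_ROLE -> sts.assumeRole(AssumeRoleRequest.builder()
            .roleArn(settings.roleArn())
            .roleSessionName(sessionName)
            .durationSeconds(settings.durationSeconds())
            .build()).credentials();
        case ASSUME_ROLE_WITH_WEB_IDENTITY -> {
          // Fail closed: never fall back to the service's own keys when the caller token is missing.
          String token = callerToken.filter(t -> !t.isBlank())
              .orElseThrow(() -> new IllegalStateException("web identity mode needs the caller's token"));
          yield sts.assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest.builder()
              .roleArn(settings.roleArn())
              .roleSessionName(sessionName)
              .webIdentityToken(token)          // the token is the only credential sent; never log it
              .durationSeconds(settings.durationSeconds())
              .build()).credentials();
        }
      };
      return new VendedCredentials(
          AwsSessionCredentials.create(c.accessKeyId(), c.secretAccessKey(), c.sessionToken()),
          c.expiration());
    }
  }

  private StsClient buildClient() {
    if (!"https".equalsIgnoreCase(settings.stsEndpoint().getScheme())) {
      throw new IllegalArgumentException("STS endpoint must be https; the caller token is sent in the request body");
    }
    // AssumeRoleWithWebIdentity is an unsigned STS action, so the client needs no static keys.
    // AssumeRole is a signed action and must be made with the service's own credentials.
    AwsCredentialsProvider signer = switch (settings.mode()) {
      case ASSUME_ROLE_WITH_WEB_IDENTITY -> AnonymousCredentialsProvider.create();
      case ASSUME_ROLE -> StaticCredentialsProvider.create(settings.serviceKeys()
          .orElseThrow(() -> new IllegalStateException("AssumeRole mode needs service credentials")));
    };
    return StsClient.builder()
        .region(settings.region())
        .endpointOverride(settings.stsEndpoint())
        .credentialsProvider(signer)
        .build();
  }

  /** Derives a valid RoleSessionName from the principal so the STS audit trail names the real caller. */
  static String sessionNameFor(String principal) {
    String cleaned = SESSION_NAME_BAD.matcher(principal).replaceAll("_");
    if (cleaned.length() < 2) cleaned = "polaris-" + cleaned;
    return cleaned.length() > 64 ? cleaned.substring(0, 64) : cleaned;
  }
}
```

Two caveats for anyone wiring this into a real service: whether the token Polaris received from the user is acceptable to the STS is decided entirely by that STS (for AWS it must be an OIDC JWT from a configured identity provider with a matching audience; an on-prem appliance applies its own rules), and not every S3-compatible STS honours DurationSeconds or a session policy, so treat those parameters as assumptions to verify against the appliance rather than guarantees.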
